Snort mailing list archives

Re: Snort dont pass traffic


From: "tantioification ." <tantio86 () gmail com>
Date: Sun, 26 Mar 2017 15:49:39 +0700

Works like a charm :D
Thank you, Albert

On Thu, Mar 23, 2017 at 4:46 PM, Al Lewis (allewi) <allewi () cisco com> wrote:

Yes.

*Albert Lewis*

ENGINEER.SOFTWARE ENGINEERING

SOURCE*fire*, Inc. now part of *Cisco*

Email: allewi () cisco com

From: "tantioification ." <tantio86 () gmail com>
Date: Thursday, March 23, 2017 at 1:14 AM
To: allewi <allewi () cisco com>
Cc: 'snort-users' <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Snort dont pass traffic

Hi Albert,

Right now I run Snort as a daemon with a systemd script:

/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i enp3s0

Should I replace it with this?

/usr/local/bin/snort -Q -u snort -g snort -c /etc/snort/snort.conf -i enp4s0:enp5s0 -N

On Thu, Mar 23, 2017 at 9:52 AM, Al Lewis (allewi) <allewi () cisco com> wrote:

How are you starting snort?


On 3/22/17, 9:56 PM, "tantioification ." <tantio86 () gmail com> wrote:

Hi,

I have configured my Snort as an IPS following these instructions:
http://sublimerobots.com/2016/02/snort-ips-inline-mode-on-ubuntu/
But I have a problem with my Snort network configuration: Snort can't
pass the traffic properly. I configured it as in those instructions, but
no traffic can pass through my network. What is wrong with my network
configuration? This is my network bridge configuration:

# The First bridged interface
auto enp4s0
iface enp4s0 inet manual
       up ifconfig $IFACE 0.0.0.0 up
       up ip link set $IFACE promisc on
       post-up ethtool -K $IFACE gro off
       down ip link set $IFACE promisc off
       down ifconfig $IFACE down

# The Second bridged interface
auto enp5s0
iface enp5s0 inet manual
       up ifconfig $IFACE 0.0.0.0 up
       up ip link set $IFACE promisc on
       post-up ethtool -K $IFACE gro off
       down ip link set $IFACE promisc off
       down ifconfig $IFACE down

And this is the output of ifconfig:

enp4s0    Link encap:Ethernet  HWaddr 74:d0:2b:92:6c:3d
         inet6 addr: fe80::76d0:2bff:fe92:6c3d/64 Scope:Link
         UP BROADCAST PROMISC MULTICAST  MTU:1500  Metric:1
         RX packets:1097 errors:0 dropped:14 overruns:0 frame:0
         TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000
         RX bytes:148906 (148.9 KB)  TX bytes:648 (648.0 B)

enp5s0    Link encap:Ethernet  HWaddr c4:12:f5:34:00:a1
         inet6 addr: fe80::c612:f5ff:fe34:a1/64 Scope:Link
         UP BROADCAST PROMISC MULTICAST  MTU:1500  Metric:1
         RX packets:2260 errors:0 dropped:209 overruns:0 frame:0
         TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000
         RX bytes:190329 (190.3 KB)  TX bytes:1004 (1.0 KB)

LRO has a fixed configuration on my interfaces.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
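
Added example (not part of the original thread and not Snort project code): a shell check for the problem resolved above, where Snort was started without -Q on a single interface and so did not bridge enp4s0 and enp5s0. The function name check_snort_inline is hypothetical, and the script assumes the DAQ type and mode are set in snort.conf, since the command that worked passes no --daq options.

```sh
#!/bin/sh
# Added example, constructed for this thread (not Snort project code).
# Lints a Snort 2.9-style command line for afpacket inline (IPS) operation.
# Assumption: the DAQ type and mode are set in snort.conf, because the
# command that worked in the thread passes no --daq options.

check_snort_inline() (
    set -f          # no glob expansion while word-splitting
    set -- $1       # split the command line into words
    inline=0 iface="" rc=0
    while [ "$#" -gt 0 ]; do
        case "$1" in
            -Q) inline=1 ;;
            -i) iface="${2:-}"
                if [ "$#" -gt 1 ]; then shift; fi ;;
        esac
        shift
    done

    if [ "$inline" -ne 1 ]; then
        echo "no -Q flag: Snort is not started in inline mode"
        rc=1
    fi
    if [ -z "$iface" ]; then
        echo "no -i argument: expected a pair such as enp4s0:enp5s0"
        rc=1
    fi
    # afpacket takes one pair (a:b) or several separated by '::' (a:b::c:d)
    for pair in $(printf '%s\n' "$iface" | sed 's/::/ /g'); do
        left=${pair%%:*}
        right=${pair#*:}
        if [ "$pair" = "$left" ] || [ -z "$left" ] || [ -z "$right" ] ||
           [ "$left" = "$right" ] || [ "${right#*:}" != "$right" ]; then
            echo "-i $pair: not a pair of two different interfaces"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ]
)

# The two command lines from the thread: the original unit and the fix.
before="/usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i enp3s0"
after="/usr/local/bin/snort -Q -u snort -g snort -c /etc/snort/snort.conf -i enp4s0:enp5s0 -N"
check_snort_inline "$before" || echo "=> before: will not bridge traffic"
check_snort_inline "$after" && echo "=> after: ok for inline use"
```

The check only inspects the command line; offload settings such as the GRO/LRO state mentioned in the thread still have to be verified on the host.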


