Snort mailing list archives

Snort Bridge in Snort-IPS-Tutorial.pdf


From: B <dustythepath () gmail com>
Date: Sun, 26 Mar 2017 17:45:29 -0700

Hello,

I could use some help with the Snort-IPS-Tutorial. I can't seem to get the bridge working. Every device (vswitch, port 
group, virtual NIC, physical NIC) has been put into promisc mode. The DAQ has been set as AFPACKET INLINE with the 
CONFIG POLICY_MODE also set to INLINE. I have also started it with -Q, providing interface names colon-separated, along 
with -c snort.conf. I have followed the instructions and double-checked everything, including changing the config 
back and forth to IDS and IPS. 

The problem won't show up in logs either. It seems snort starts and takes the bridge but the bridge never actually 
works. Sometimes it will flip to sensing traffic on the busy side of the LAN (just a test machine on the other). My 
HOME_NET is configured with EXTERNAL_NET as any. The set is on one lan with a piece of it (test machine) on the same 
lan on the other side of the bridge. I have read others have trouble with bridging with VMware ESXI (I’m using ver. 
6.5). I can just go ahead and try a linux bridge device and build the IPS with nfq but would appreciate any insight. 

I would also like to know if I have compiled too much into Snort if that could cause an (this?) issue.




Thanks

Using Snort ver. 2.9.8.3(r1), which is the latest for Gentoo ; w/kernel 4.8.17