Snort mailing list archives
Re: How to run multiple instances of snort inline and daq and multiple interfaces (firewall)
From: Jack Pepper <pepperjack () afferentsecurity com>
Date: Wed, 29 Mar 2017 15:31:19 -0500
I would be inclined to do this in two parts: iptables masquerade to consolidate four internal physical interfaces into one virtual interface, then do snorting on the one interface. It could also be done the other way round, with daq afpacket bridging each physical with one virtual interface, then applying masquerade to the virtual interfaces, but that seems more difficult to troubleshoot if something goes awry.

On Wed, Mar 29, 2017 at 3:07 PM, James Lay <jlay () slave-tothe-box net> wrote:
On 2017-03-29 13:27, wkitty42 () windstream net wrote:

On 03/29/2017 02:15 PM, Stanford Prescott wrote:

I need to know if the multiple interfaces can all be bridged to the WAN interface such that:

    WAN eth0 <---inline snort 1 -->LAN eth1
    WAN eth0 <---inline snort 2 -->LAN eth2
    etc.

Can it be done?

i don't think it can be done like that... likely it should be more like this...

    WAN0(eth0) -> snort0 -> WAN0(eth1) -> current path for WAN0 to LANs
    LAN0(eth2) -> snort1 -> LAN0(eth3) -> current path for LAN0 to LANs & WAN0
    LAN1(eth4) -> snort2 -> LAN1(eth5) -> current path for LAN1 to LANs & WAN0
    LAN2(eth6) -> snort3 -> LAN2(eth7) -> current path for LAN2 to LANs & WAN0

each snort instance has to have its own two interfaces to bridge... remember, each bridge is a dedicated tunnel from one entry point to the exit point with snort processing the data traveling through the tunnel...

something else to think about: each snort should also have its own configs... some parts of the configs can be common and shared between all snort instances while others must be discrete and separate... one should also consider the need for different rules to be in effect for the different snort instances... eg: LAN0 may allow TOR traffic but TOR is denied on LAN1 and LAN2...

PS: i see you ;)

On Tue, Mar 28, 2017 at 1:20 PM, Stanford Prescott <stan.prescott () gmail com> wrote:

I am trying to learn some of the ins and outs of snort. Is there a tutorial somewhere that outlines how to set up snort in inline mode using daq on a Linux netfilter firewall? It is a typical firewall setup with interfaces of, for example:

    eth0 -> WAN interface with public IP address
    eth1 -> 1st protected LAN interface with unique subnet
    eth2 -> 2nd protected LAN interface with unique subnet
    etc....

I would need multiple instances of snort with

    instance1 eth0 <---> eth1 (bidirectional)
    instance2 eth0 <---> eth2 "
    etc.
Thank you!

And per the daq README:

    AFPACKET Module
    ===============

    afpacket functions similar to the pcap DAQ but with better performance:

        ./snort --daq afpacket -i <device> [--daq-var buffer_size_mb=<#MB>] [--daq-var debug]

    If you want to run afpacket in inline mode, you must craft the device string as one or more interface pairs, where each member of a pair is separated by a single colon and each pair is separated by a double colon like this:

        eth0:eth1

    or this:

        eth0:eth1::eth2:eth3

    This applies to PF_RING as well.

James

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
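As an added example, not code from the thread or from the Snort project, the following POSIX shell helper builds the afpacket inline device string exactly as the quoted DAQ README describes it (members of a pair joined by a single colon, pairs separated by a double colon) and emits one snort command line per interface pair, following the one-instance-per-pair layout wkitty42 sketched. It also refuses a plan in which one interface appears in two pairs, since each bridge must own its two interfaces. The instance numbering and the /etc/snort/instN, /var/log/snort/instN and /var/run/snort/instN paths are assumptions; the snort options used (-Q, --daq, -i, -c, -l, --pid-path, -D) are standard Snort 2.9 flags. The script only prints the command lines (a dry run), so it can be reviewed before anything is started.

```shell
#!/bin/sh
# Added example (not from the thread): plan several inline snort instances,
# one per afpacket interface pair, each with its own config, log and pid dir.
# Paths under /etc/snort/instN, /var/log/snort/instN, /var/run/snort/instN
# are assumptions; adjust them to your own layout.

# afpacket_devstr eth0 eth1 [eth2 eth3 ...]
# Emits the DAQ device string from the README: pair members joined by ':',
# pairs separated by '::', e.g. eth0:eth1::eth2:eth3.
afpacket_devstr() {
    if [ $# -lt 2 ] || [ $(( $# % 2 )) -ne 0 ]; then
        echo "afpacket_devstr: need an even number (>= 2) of interfaces" >&2
        return 1
    fi
    out=""
    while [ $# -gt 0 ]; do
        pair="$1:$2"
        if [ -z "$out" ]; then out="$pair"; else out="$out::$pair"; fi
        shift 2
    done
    printf '%s\n' "$out"
}

# check_disjoint eth0 eth1 eth2 eth3 ...
# Each bridge is a dedicated tunnel between two interfaces, so an interface
# may belong to at most one pair.
check_disjoint() {
    seen=" "
    for ifc in "$@"; do
        case "$seen" in
            *" $ifc "*)
                echo "check_disjoint: interface $ifc used in more than one pair" >&2
                return 1 ;;
        esac
        seen="$seen$ifc "
    done
    return 0
}

# snort_cmdline N ethA ethB
# One inline (-Q) snort command line for instance N bridging ethA<->ethB,
# with a separate snort.conf, log directory and pid path so instances share
# no state (some config parts may still be common via include files).
snort_cmdline() {
    idx="$1"
    dev=$(afpacket_devstr "$2" "$3") || return 1
    printf 'snort -Q --daq afpacket -i %s -c /etc/snort/inst%s/snort.conf -l /var/log/snort/inst%s --pid-path /var/run/snort/inst%s -D\n' \
        "$dev" "$idx" "$idx" "$idx"
}

# plan_instances eth0 eth1 eth2 eth3 ...
# Prints one command line per pair, numbered from instance 0 (snort0, snort1, ...).
plan_instances() {
    check_disjoint "$@" || return 1
    n=0
    while [ $# -ge 2 ]; do
        snort_cmdline "$n" "$1" "$2" || return 1
        n=$((n + 1))
        shift 2
    done
}

# Dry run with the eight-interface layout from the thread (constructed input).
plan_instances eth0 eth1 eth2 eth3 eth4 eth5 eth6 eth7
```

Feeding the four pairs from wkitty42's sketch produces four command lines, snort0 bridging eth0:eth1 through snort3 bridging eth6:eth7, each pointing at its own configuration directory; a repeated interface (for example eth0 in two pairs, which the original question asked about) is rejected before anything is emitted.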
Current thread:
- How to run multiple instances of snort inline and daq and multiple interfaces (firewall) Stanford Prescott (Mar 28)
- Re: How to run multiple instances of snort inline and daq and multiple interfaces (firewall) Stanford Prescott (Mar 29)
- Re: How to run multiple instances of snort inline and daq and multiple interfaces (firewall) wkitty42 (Mar 29)
- Re: How to run multiple instances of snort inline and daq and multiple interfaces (firewall) James Lay (Mar 29)
- Re: How to run multiple instances of snort inline and daq and multiple interfaces (firewall) Jack Pepper (Mar 29)
- Re: How to run multiple instances of snort inline and daq and multiple interfaces (firewall) Stanford Prescott (Mar 29)
- Re: How to run multiple instances of snort inline and daq and multiple interfaces (firewall) Stanford Prescott (Mar 29)
- Re: How to run multiple instances of snort inline and daq and multiple interfaces (firewall) wkitty42 (Mar 29)
- Re: How to run multiple instances of snort inline and daq and multiple interfaces (firewall) Stanford Prescott (Mar 30)
- Re: How to run multiple instances of snort inline and daq and multiple interfaces (firewall) Ward Sladek (Mar 30)
- Re: How to run multiple instances of snort inline and daq and multiple interfaces (firewall) Stanford Prescott (Mar 30)
- Re: How to run multiple instances of snort inline and daq and multiple interfaces (firewall) James Lay (Mar 30)
- Re: How to run multiple instances of snort inline and daq and multiple interfaces (firewall) Stanford Prescott (Mar 30)
- Re: How to run multiple instances of snort inline and daq and multiple interfaces (firewall) James Lay (Mar 30)
- Re: How to run multiple instances of snort inline and daq and multiple interfaces (firewall) wkitty42 (Mar 29)
- Re: How to run multiple instances of snort inline and daq and multiple interfaces (firewall) Stanford Prescott (Mar 29)