Snort mailing list archives

Re: Bridging issue inline


From: B <dustythepath () gmail com>
Date: Wed, 29 Mar 2017 15:40:13 -0700

Hello and thanks for the followups,

I have added debug support and have seen the following, which I have seen before when starting via /etc/init.d/start. 

"WARNING: /etc/snort/snort.conf(166) Adapter is in Passive Mode. Hence switching policy mode tap"

NORMALIZATION is then turned off as a result of the above.

/usr/bin/snort -A console -c /etc/snort/snort.conf --daq-mode inline -Q -i eno3355xxxx:eno5033xxxx

The above command line removes the warning and allows inline operation, at least according to the output of Snort, but
not in actuality. Also, after "Decoding Ethernet" I get the output below (x4), which has not happened until I put
"--daq-mode inline" in the command line.
It is bewildering why the init.d start seems incomplete, as if snort.conf is not being completely followed.

AFPacket Layout:
  Frame Size: 1584
  Frames:     169460
  Block Size: 32768 (Order 3)
  Blocks:     8473
Created a ring of type 5 with total size of 277643264


My DAQ section is:

config daq:afpacket
config daq_mode:inline
config daq_dir:/usr/lib64/daq
config daq_var: debug
config daq_var:buffer_size_mb=1024
config policy_mode:inline

So after editing /etc/init.d/snort by adding -Q I do get a successful inline startup, which unfortunately passes no 
traffic.

I also tried the suggestion by Dave O, creating a bridge. While Snort started up in passive mode and completed
initialization, no traffic would pass once again. This may very well be a fool's errand, but I can only think this is a
problem because of networking (physical) hardware differences, so some do get it to work. Someone on VMware's community
section suggested that packets don't route properly in the virtual network (with bridging).

Is there a way to get even more output from debug mode, or more than debug from DAQ?

Thanks


-- 
NOTE: No off-list assistance is given without prior approval.
      *Please keep mailing list traffic on the list* unless
      private contact is specifically requested and granted.
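The failure mode described in the post (inline requested, but Snort starts the adapter passive, switches the policy to tap and disables normalization, so the sensor alerts but never blocks) is worth catching before traffic is trusted to it. The following is an added example, not code from the thread or from the Snort project: it parses the `config daq*` lines of a snort.conf and the Snort command line, checks that the inline request is self-consistent (`daq_mode:inline`, `-Q`, an afpacket interface pair, `policy_mode:inline`), and scans startup output for the exact WARNING quoted above. The interface names, the second command line and the log text are constructed for illustration.

```python
"""Consistency checks for a Snort 2.9 inline (afpacket) deployment.

Added example, not part of the mailing-list post. Interface names, the
'bad' command line and the startup log below are constructed; the WARNING
text is the one quoted in the post.
"""
import re
import shlex

# Constructed: the DAQ section from the post.
SAMPLE_CONF = """\
config daq:afpacket
config daq_mode:inline
config daq_dir:/usr/lib64/daq
config daq_var: debug
config daq_var:buffer_size_mb=1024
config policy_mode:inline
"""

# Constructed command lines with placeholder interface names.
SAMPLE_CMDLINE_OK = ("/usr/bin/snort -A console -c /etc/snort/snort.conf "
                     "--daq-mode inline -Q -i eth1:eth2")
SAMPLE_CMDLINE_BAD = "/usr/bin/snort -A console -c /etc/snort/snort.conf -i eth1"

# Constructed startup output; the WARNING line is the one the post quotes.
SAMPLE_LOG = """\
Initializing Network Interface eth1
WARNING: /etc/snort/snort.conf(166) Adapter is in Passive Mode. Hence switching policy mode tap
Decoding Ethernet
"""

# Matches the fallback message Snort prints when the adapter opened passive.
PASSIVE_RE = re.compile(r"Adapter is in Passive Mode.*switching policy mode tap")


def parse_daq_config(conf_text):
    """Collect `config daq*` and `config policy_mode` values.

    Keys may repeat (daq_var does), so every key maps to a list of values.
    """
    out = {}
    for line in conf_text.splitlines():
        m = re.match(r"^\s*config\s+(daq\w*|policy_mode)\s*:\s*(.*?)\s*$", line)
        if m:
            out.setdefault(m.group(1), []).append(m.group(2))
    return out


def parse_cmdline(cmdline):
    """Extract the command-line options that decide whether Snort can block."""
    argv = shlex.split(cmdline)
    flags = {"inline_flag": "-Q" in argv, "daq_mode": None, "interfaces": None}
    for i, arg in enumerate(argv):
        if arg == "--daq-mode" and i + 1 < len(argv):
            flags["daq_mode"] = argv[i + 1]
        elif arg.startswith("--daq-mode="):
            flags["daq_mode"] = arg.split("=", 1)[1]
        elif arg == "-i" and i + 1 < len(argv):
            flags["interfaces"] = argv[i + 1]
    return flags


def check_inline_setup(conf_text, cmdline):
    """Return a list of findings; an empty list means the inline request is consistent."""
    conf = parse_daq_config(conf_text)
    cmd = parse_cmdline(cmdline)
    findings = []
    wants_inline = "inline" in conf.get("daq_mode", []) or cmd["daq_mode"] == "inline"
    if not wants_inline:
        findings.append("inline mode not requested in snort.conf or on the command line")
        return findings
    if not cmd["inline_flag"]:
        findings.append("daq_mode is inline but -Q is missing; Snort will start passive (tap)")
    if "afpacket" in conf.get("daq", []):
        ifs = cmd["interfaces"]
        if not ifs or ":" not in ifs:
            findings.append("afpacket inline needs a bridged interface pair, e.g. -i ifA:ifB")
    if "inline" not in conf.get("policy_mode", []):
        findings.append("policy_mode is not inline; drop rules will only alert")
    return findings


def scan_startup_log(log_text):
    """Flag startup output showing that the sensor did not actually come up inline."""
    findings = []
    if PASSIVE_RE.search(log_text):
        findings.append("startup fell back to tap mode: adapter opened passive")
    return findings


if __name__ == "__main__":
    for label, cmdline in (("ok", SAMPLE_CMDLINE_OK), ("bad", SAMPLE_CMDLINE_BAD)):
        print(label, check_inline_setup(SAMPLE_CONF, cmdline))
    print("log", scan_startup_log(SAMPLE_LOG))
```

Run `check_inline_setup` against the real snort.conf and the command line that the init script assembles; the two checks are deliberately separate because the post shows that a consistent-looking configuration can still come up passive, so the startup log scan is the one that tells you whether the sensor is really in the path.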


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
