Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: snort inline

From: Michael Altizer <xiche () verizon net>
Date: Mon, 12 Nov 2012 01:50:43 -0500
You enabled IPv4 Forwarding, so you're a router with everything that entails. 

On 11/12/2012 01:37 AM, amin Salehi wrote:

hi.i enable promisc mode on 2 interface:

my virtual topology is:

all host is linux backtrack 64 bit:
when i ping 10.10.8.2 from 10.10.7.2 2 packet are sent.one with TTL 64 and one with TTL 63.one with TTL 64 from mac of 10.10.7.2 to mac of 10.10.7.1 and one with TTL 63 from mac of interface 10.10.8.1 to mac of 10.10.8.2 
what is the problem?

------------------------------------------------------------------------
*From:* Tony Robinson <deusexmachina667 () gmail com>
*To:* amin Salehi <seyedamin_salehi () yahoo com>
*Cc:* "snort-users () lists sourceforge net" <snort-users () lists sourceforge net> 
*Sent:* Sunday, November 11, 2012 1:11 AM
*Subject:* Re: [Snort-users] snort inline

Mr. Salehi,
I'm not certain this is your problem, but I ran into a similar problem while testing a snort inline installation on my ESXi testbed. I was trying to do an inline test with snort between two vswitches and ran into problems consistent with what you are seeing. I had to allow promiscuous mode on the vswitches the inline interfaces were connected to, or it wouldn't work. 

I would recommend the following:
1. If you are on an ESX/ESXi server, ensure that the vswitch security settings allow promiscuous mode -- for BOTH switches your sensor is connected to. 2. Verify that both interfaces have promiscuous mode enabled (e.g. does ifconfig -a report PROMISC for both eth1 and eth0?)
On Sat, Nov 10, 2012 at 7:21 AM, amin Salehi <seyedamin_salehi () yahoo com <mailto:seyedamin_salehi () yahoo com>> wrote: 

    hi.i enable forwarding on a snort sensor host and run following
    command:
    "snort -q -c /etc/snort/snort.conf -Q --daq afpacket -i eth0:eth1
    -A console"
    i write a rule in local.rules file: "drop icmp 10.10.9.2 any ->
    10.10.8.2 any (msg:"Ping dropped";sid: 1000008;).when i run
    "ping 10.10.8.2" on the 10.10.9.2 host the resault is: the attach
    file with name 1

    my sensor screen is: the attach file with name 2


    whats the problem?

    ------------------------------------------------------------------------------
    Everyone hates slow websites. So do we.
    Make your web apps faster with AppDynamics
    Download AppDynamics Lite for free today:
    http://p.sf.net/sfu/appdyn_d2d_nov
    _______________________________________________
    Snort-users mailing list
    Snort-users () lists sourceforge net
    <mailto:Snort-users () lists sourceforge net>
    Go to this URL to change user options or unsubscribe:
    https://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive:
    http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

    Please visit http://blog.snort.org to stay current on all the
    latest Snort news!




--
when does reality end? when does fantasy begin?




------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_nov


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!



------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_nov
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: