Re: IPS Inline Mode

[Y M <snort () outlook com>]

From your description and the diagram, I would assume you do not have a mirroring port configured on your switch (first 
one from the left), since Snort is not even seeing the traffic associated with the machine connected to the same switch 
as Snort box. Also, you wouldn't be able to see traffic from other machines connected to the remaining switches (second 
and third from the left) since those machines are running on different switches.

Date: Mon, 23 Jun 2014 09:55:41 +0300
Subject: Re: [Snort-users] IPS Inline Mode
From: erdem () boryazilim com
To: snort () outlook com; snort-users () lists sourceforge net


We have 3-4 switches and all switches has 5 pc as average. Additional 7-8 PC connect with WLAN.

I see traffic but ı cant see TCP traffic. 

On Fri, Jun 20, 2014 at 7:54 PM, Y M <snort () outlook com> wrote:




How are the "other machines" and Snort are connected (same switch)? Is the interface on Snort connected to mirror port 
or something similar on the switch? Try running tcpdump and view the packets to verify if you see traffic from other 
machines. If not, then you need to configure mirroring port on the switch, to which the NIC on Snort box will be 
connected (promiscuous).

If you get the first problem sorted out, use the guide at http://s3.amazonaws.com/snort-org/www/assets/229/ids2ips.txt 
to help you with the inline mode using NFQ.

YM

Date: Fri, 20 Jun 2014 11:51:04 +0300
From: erdem () boryazilim com
To: snort-users () lists sourceforge net

Subject: [Snort-users] IPS Inline Mode

Hi, 
I am new on Snort
I installed with guide and run IDS mode.

I have two problems. 
Firstly, Snort handle only host machine packets. I write some rules example:
alert tcp any any -> any any (content:"www.facebook.com";msg:"Facebook Accessing";sid:1000001;)
This rule works only machine which installed Snort. Other machines accesses are not handled.


Other problem is Inline Mode.
I run with this command 
snort --daq nfq -Q -c /etc/snort/snort.conf  --daq-dir /usr/local/lib/daq --daq-var device=eth0 -i eth0



Snort gives this error
ERROR: Can't initialize DAQ nfq (-7) - The nfq DAQ module does not support interface or readback mode!
If I remove "-i eth0", Snort works but do not handle any packets


Thanks for replies
Good Works

------------------------------------------------------------------------------
HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions
Find What Matters Most in Your Big Data with HPCC Systems
Open Source. Fast. Scalable. Simple. Ideal for Dirty Data.
Leverages Graph Analysis for Fast Processing & Easy Data Exploration
http://p.sf.net/sfu/hpccsystems
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!