Snort mailing list archives

Re: Snort with AFPacket


From: waldo kitty <wkitty42 () windstream net>
Date: Mon, 03 Nov 2014 21:22:41 -0500

On 11/3/2014 8:17 PM, James Lay wrote:
Indeed that is how afpacket is supposed to function.  Ideally you're on a machine
with three NICs..one for management, and the other two acting as a bridge.
Look at NFQ if you're going to be running this on a firewall device.

actually, the machine in question can have 2 to 4 NICs... none are for 
management... one is for the connection to the WAN and the other three are for 
up to 3 internal LANs... i believe that the OP is bridging the WAN NIC to one of 
the internal LAN NICs and that they have only two NICs in their machine...

if i'm reading this correctly, they've effectively bypassed everything in the 
middle between the two NICs that is supposed to be there protecting their 
internal networks from the WAN traffic... all of that protection is done via 
iptables and specific handling of certain traffic... snort normally looks at 
their WAN interface and sees all the traffic in front of iptables before 
iptables has any chance to handle it...

-- 
  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
