Snort mailing list archives
Re: Snort-users Digest, Vol 108, Issue 2
From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Sun, 3 May 2015 23:13:49 +0000
Hello,

What is the command that you are using to start snort? Please see the section in the daq readme for AFPacket also.

Thanks!

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Abdallah Jabbour [mailto:abdjbr () gmail com]
Sent: Sunday, May 03, 2015 6:56 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort-users Digest, Vol 108, Issue 2

All the lab is on a KVM host with a regular bridge (bridge-utils on CentOS). It seems that whenever the snort service starts it will bridge the interfaces together, causing the network connections to drop, even if I specify non-IP interfaces:

    INTERFACE=eth0.1:eth1.1

where eth0.1 and eth1.1 are another two virtual interfaces on the snort guest with no IP address. I don't have port mirroring in place (that is why I tried inline mode).

On Mon, May 4, 2015 at 12:34 AM, Abdallah Jabbour <abdjbr () gmail com> wrote:

> Yes they do!

On Sun, May 3, 2015 at 2:00 PM, <snort-users-request () lists sourceforge net> wrote:

> Today's Topics:
>
> 1.
> Re: snort inline mode in CentOS 6.6 (James Lay)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 02 May 2015 07:25:22 -0600
> From: James Lay <jlay () slave-tothe-box net>
> Subject: Re: [Snort-users] snort inline mode in CentOS 6.6
> To: snort-users () lists sourceforge net
> Message-ID: <1430573122.4447.1.camel@JamesiMac>
> Content-Type: text/plain; charset="utf-8"
>
> On Sat, 2015-05-02 at 12:46 +0200, Abdallah Jabbour wrote:
> > Hello,
> >
> > I have installed snort on CentOS 6.6 in a KVM guest machine; it is a router/firewall using iptables. I followed the installation and configuration steps and tested the configuration file validity (using the -T command line arg).
> >
> > I enabled inline mode. In the configuration file I added and uncommented the following lines:
> >
> >     config policy_mode:inline
> >     config daq: afpacket
> >     config daq_dir: /usr/lib64/daq/
> >     config daq_mode: inline
> >     config daq_var: buffer_size_mb=128
> >
> > and also in /etc/sysconfig/snort:
> >
> >     INTERFACE=eth0:eth1
> >
> > When I start the snort service the network connection (locally and to the internet) is dropped; I cannot ping any host on the network. I added some rules to /etc/snort/rules/local.rules to see if alerting is working, and I can see alerts being written to /var/log/snort/alert after I reboot the machine (since there is no network connectivity).
> >
> > I know that inline mode will put the network interfaces eth0 and eth1 in promiscuous mode and will bridge the network connection to get the network traffic. Is there anything I am missing in my setup?
>
> Do eth0 and eth1 have IP addresses assigned?
>
> James
>
> End of Snort-users Digest, Vol 108, Issue 2
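The thread turns on whether the snort.conf DAQ settings, the INTERFACE= pair in /etc/sysconfig/snort and the guest's interfaces agree with each other. The following is an added example, not code from the thread or from the Snort project: it parses the two files as quoted above and flags the mismatches a reviewer would ask about, including James Lay's question of whether the bridged pair members carry IP addresses. The interface-to-address map and the IP values are constructed sample data.

```python
import re

# Constructed sample inputs: the config lines and INTERFACE= value quoted in
# the thread, plus a hypothetical view of which guest interfaces carry IPs.
SNORT_CONF = """
config policy_mode:inline
config daq: afpacket
config daq_dir: /usr/lib64/daq/
config daq_mode: inline
config daq_var: buffer_size_mb=128
"""
SYSCONFIG = "INTERFACE=eth0:eth1\n"
IFACE_ADDRS = {"eth0": ["192.0.2.10"], "eth1": ["198.51.100.1"],
               "eth0.1": [], "eth1.1": []}

def parse_snort_config(text):
    """Collect every 'config key: value' line of snort.conf into a dict."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"\s*config\s+(\w+)\s*:\s*(.+?)\s*$", line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg

def parse_interface(text):
    """Return the INTERFACE= value from /etc/sysconfig/snort, or None."""
    m = re.search(r'^\s*INTERFACE\s*=\s*"?([^"\s]+)"?', text, re.M)
    return m.group(1) if m else None

def check_inline_setup(cfg, interface, iface_addrs):
    """Return a list of findings; an empty list means the pieces agree."""
    findings = []
    if cfg.get("daq") != "afpacket":
        findings.append("daq is %r; afpacket is the module that bridges a pair" % cfg.get("daq"))
    if cfg.get("daq_mode") != "inline" or cfg.get("policy_mode") != "inline":
        findings.append("daq_mode and policy_mode must both be inline")
    if not interface or ":" not in interface:
        findings.append("afpacket inline wants a pair 'ifA:ifB', got %r" % interface)
        return findings
    for name in interface.split(":", 1):
        if name not in iface_addrs:
            findings.append("%s is not an interface on this guest" % name)
        elif iface_addrs[name]:  # the point James Lay raises in the thread
            findings.append("%s has IP %s; bridged pair members should carry no address"
                            % (name, ", ".join(iface_addrs[name])))
    return findings

if __name__ == "__main__":
    cfg = parse_snort_config(SNORT_CONF)
    for f in check_inline_setup(cfg, parse_interface(SYSCONFIG), IFACE_ADDRS):
        print("finding:", f)
```

With the sample data the eth0:eth1 pair yields two address findings, while the address-less eth0.1:eth1.1 pair from the later message passes clean, which is why Al Lewis's follow-up asks for the exact start command rather than the config.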
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Re: Snort-users Digest, Vol 108, Issue 2 Abdallah Jabbour (May 03)
- Re: Snort-users Digest, Vol 108, Issue 2 Abdallah Jabbour (May 03)
- Re: Snort-users Digest, Vol 108, Issue 2 Al Lewis (allewi) (May 03)
- Re: Snort-users Digest, Vol 108, Issue 2 Abdallah Jabbour (May 03)