Snort mailing list archives

Re: snort inline mode does not capture traffic destined to other machine on the internal network


From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Fri, 8 May 2015 17:07:06 +0000

I think your issue is caused by attempting to use the main interfaces to talk through the subinterfaces.

Are you able to pass traffic with just “eth0:eth1”?

Have you tried not using the main interfaces and creating two subinterfaces on each side?



Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Abdallah Jabbour [mailto:abdjbr () gmail com]
Sent: Friday, May 08, 2015 12:16 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] snort inline mode does not capture traffic destined to other machine on the internal network

Hello,
I have set up Snort in inline mode and tested it by adding a rule in /etc/snort/rules/local.rules:
alert icmp any any -> any any (msg:"Ping Testing"; sid:1000003;rev:1;)

I am running Snort as a service and I added two pairs of network interfaces to /etc/sysconfig/snort:
INTERFACE="eth0:eth0.1::eth1:eth1.1"
where eth0.1 and eth1.1 do not have IP addresses, and I have enabled promiscuous mode for all network interfaces,
but in /var/log/snort/alert I get an alert from the previously defined rule only when I ping an external host or when I ping
one of the interfaces of the Snort machine.
I can confirm that Snort is running in inline mode and acquiring network traffic from all network interfaces from
/var/log/messages:

 afpacket DAQ configured to inline.
 Acquiring network traffic from "eth0:eth0.1::eth1:eth1.1".
 Initializing daemon mode
 Daemon initialized, signaled parent pid: 1726
 Reload thread starting...
 Reload thread started, thread 0x7f2f0055c700 (1746)
 Checking PID path...
PID path stat checked out ok, PID path set to /var/run/
 Writing PID "1745" to file "/var/run//snort_eth0:eth0.1::eth1:eth1.1.pid"

        --== Initialization Complete ==--
 Commencing packet processing (pid=1745)
 Decoding Ethernet
 device eth1.1 entered promiscuous mode
 device eth1 entered promiscuous mode
 device eth0.1 entered promiscuous mode
 device eth0 entered promiscuous mode
I cannot get any traffic from local hosts pinging each other (on the internal network).
Please assist.
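The message above configures the afpacket DAQ with two inline bridge pairs in one INTERFACE string. The script below is an added example, not code from the thread or from the Snort project: it parses an afpacket INTERFACE value of the form "a:b::c:d" into its pairs and, on a Linux host, checks that each leg exists and carries no IPv4 address (an inline bridge leg is normally unaddressed), reporting promiscuous mode only as a note because the DAQ enables it when Snort starts. The function names, the /sys/class/net checks and the constructed interface names in the comments are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a Snort afpacket inline
# INTERFACE string such as INTERFACE="eth0:eth0.1::eth1:eth1.1" from
# /etc/sysconfig/snort before starting the service.
#
# The afpacket DAQ writes one inline bridge as "left:right" and joins
# several bridges with "::". Every leg should be a real interface without
# an IP address, since an inline bridge is meant to be transparent.

# Print one "left right" line per bridge pair; return 1 on any malformed pair.
afpacket_pairs() {
    rest=$1
    status=0
    [ -n "$rest" ] || { echo "empty INTERFACE string" >&2; return 1; }
    while [ -n "$rest" ]; do
        case $rest in
            *::*) pair=${rest%%::*}; rest=${rest#*::} ;;
            *)    pair=$rest;        rest='' ;;
        esac
        left=${pair%%:*}
        right=${pair#*:}
        # A valid inline pair has exactly one ':' with a name on each side.
        if [ -z "$left" ] || [ -z "$right" ] || [ "$left" = "$pair" ] \
           || [ "${right#*:}" != "$right" ]; then
            echo "malformed pair: '$pair' (expected left:right)" >&2
            status=1
            continue
        fi
        printf '%s %s\n' "$left" "$right"
    done
    return $status
}

# Check one bridge leg on a Linux host: it must exist under /sys/class/net
# and should not have an IPv4 address. Promiscuous mode is only noted,
# because the afpacket DAQ turns it on itself at startup. Returns 1 on a
# hard problem, 0 otherwise.
check_inline_iface() {
    ifc=$1
    if [ ! -d "/sys/class/net/$ifc" ]; then
        echo "$ifc: no such interface" >&2
        return 1
    fi
    if command -v ip >/dev/null 2>&1 \
       && ip -4 -o addr show dev "$ifc" 2>/dev/null | grep -q ' inet '; then
        echo "$ifc: has an IPv4 address; inline bridge legs are normally unaddressed" >&2
        return 1
    fi
    # /sys/class/net/<ifc>/flags is a hex bitmask; IFF_PROMISC is 0x100.
    flags=$(cat "/sys/class/net/$ifc/flags" 2>/dev/null || echo 0)
    if [ $(( flags & 0x100 )) -eq 0 ]; then
        echo "note: $ifc is not in promiscuous mode yet (the DAQ enables it at start)" >&2
    fi
    return 0
}

# Parse the whole INTERFACE string and check every leg; return 1 if any fails.
check_interface_string() {
    pairs=$(afpacket_pairs "$1") || return 1
    rc=0
    for ifc in $pairs; do          # word splitting yields every leg name
        check_inline_iface "$ifc" || rc=1
    done
    return $rc
}

# Usage: sh check_inline.sh 'eth0:eth0.1::eth1:eth1.1'
if [ $# -gt 0 ]; then
    check_interface_string "$1"
fi
```

Run it with the INTERFACE value from /etc/sysconfig/snort before `service snort start`; a leg that is missing or that still carries an address is reported on stderr, which is the first thing to rule out when an inline pair is not seeing the traffic you expect.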
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
