Snort mailing list archives

Re: Newbie question -- Can Snort be installed in a routed mode instead of bridged mode?


From: Victor Roemer <viroemer () cisco com>
Date: Tue, 26 Jul 2016 15:34:45 -0400

Take a look at the README included with the daq-2.0.6 source code. Look for “Notes on iptables”.

On 7/26/16 3:19 PM, J Green wrote:

Thanks, I'll look at that. Would be great if I could see some documentation w/ a working example. Haven't been able to find anything like that.

On Tue, Jul 26, 2016 at 11:35 AM, Victor Roemer <viroemer () cisco com <mailto:viroemer () cisco com>> wrote:

    Note that afpacket will create the bridge between interface pairs.
    If you already have configured bridge interfaces (ala iptables)
    then you’ll want nfq daq.

    —

    Snort is unlike other utilities which use sockets and is
    configured to read from network device(s) directly.

    However, you can “bind” different configurations on different
    VLANs and networks (see doc/README.multipleconfigs for more
    details).


    On 7/26/16 1:31 PM, J Green wrote:
    That looks interesting.  I guess though you would have to give a
    pair of interfaces to each set (switch & firewall) of
    Etherchannel ports.  That would be a lot of NICs though.  Maybe
    we don't need as many Etherchannel links to begin with, we have
    like 8 - 10.  Need to think this through, but it might work.
    Thank you.

    On Tue, Jul 26, 2016 at 10:16 AM, Y M <snort () outlook com
    <mailto:snort () outlook com>> wrote:

        In addition to bridging with afpacket, you can run snort
        against multiple interfaces in pairs format, also referred to
        inline pairs when running in IPS mode. It would look
        something like this:
        snort -c snort.conf -i ethX:ethY::ethA:ethB. Check out the
        below blog post:

        http://blog.talosintel.com/2010/08/snort-29-essentials-daq.html

        YM




        On Tue, Jul 26, 2016 at 8:05 PM +0300, "Al Lewis (allewi)"
        <allewi () cisco com <mailto:allewi () cisco com>> wrote:

        Have you tried using afpacket in bridged mode?

        See the daq readme file:


        AFPACKET Module
        ===============

        afpacket functions similar to the pcap DAQ but with better
        performance:

          ./snort --daq afpacket -i <device>
                  [--daq-var buffer_size_mb=<#MB>]
                  [--daq-var debug]

        If you want to run afpacket in inline mode, you must craft the
        device string as one or more interface pairs, where each member
        of a pair is separated by a single colon and each pair is
        separated by a double colon like this:



        Thanks.



        Albert Lewis

        ENGINEER.SOFTWARE ENGINEERING

        SOURCEfire, Inc. now part of Cisco

        Email: allewi () cisco com <mailto:allewi () cisco com>


        From: J Green <corpengineer () gmail com
        <mailto:corpengineer () gmail com>>
        Date: Tuesday, July 26, 2016 at 12:49 PM
        To: 'Y M' <snort () outlook com <mailto:snort () outlook com>>
        Cc: 'snort-users' <snort-users () lists sourceforge net
        <mailto:snort-users () lists sourceforge net>>
        Subject: Re: [Snort-users] Newbie question -- Can Snort be
        installed in a routed mode instead of bridged mode?

        Will check out daq nfq.  Appreciate the input.
        Alternatively, does anyone know a good way to install in
        bridge mode, given a more complicated network setup w/
        Etherchannel (where there isn't just one connection between
        switch & firewall)?
        Thank you.

        On Tue, Jul 26, 2016 at 3:48 AM, Y M <snort () outlook com
        <mailto:snort () outlook com>> wrote:

            I think you can achieve a routed-like behavior using daq
            nfq. For example, check the following document on Snort's
            documentation website:

            
https://s3.amazonaws.com/snort-org-site/production/document_files/files/000/000/023/original/ids2ips.txt?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1469533533&Signature=VNqj9aWGbGin6%2Fb%2FriQ3rf6zn4s%3D

            YM




            On Tue, Jul 26, 2016 at 2:29 AM +0300, "J Green"
            <corpengineer () gmail com <mailto:corpengineer () gmail com>>
            wrote:

            Hello all:
            Have been reading up on how to install Snort, and I have
            come across two modes: Bridged and SPAN.  Bridged mode
            would be preferable, but our network is configured with
            layer 2 VLAN'ing, and an Etherchannel connecting switches
            to the firewall. So I do not see how I could physically
            connect Snort in Bridged mode, since there is not just
            one connection from switch to the firewall (where I could
            physically connect a Snort box inbetween). Was wondering
            if Snort supports a Routed mode, where the incoming
            interface is configured on one network subnet, and the
            outgoing interface is configured on a different network
            subnet?  If so, could you please direct me to supporting
            documentation re how to accomplish this?  My goal is to
            have Snort inspect traffic from one internal network
            destined to another internal network.
            Thank you.





    ------------------------------------------------------------------------------
    What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
    patterns at an interface-level. Reveals which users, apps, and protocols are
    consuming the most bandwidth. Provides multi-vendor support for NetFlow,
    J-Flow, sFlow and other flows. Make informed decisions using capacity planning
    reports. http://sdm.link/zohodev2dev


    _______________________________________________
    Snort-users mailing list
    Snort-users () lists sourceforge net
    <mailto:Snort-users () lists sourceforge net>
    Go to this URL to change user options or unsubscribe:
    https://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive:
    http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

    Please visit http://blog.snort.org to stay current on all the latest Snort news!




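The two deployment options discussed in this thread (afpacket interface pairs for inline/bridged operation, and the nfq DAQ fed by an iptables NFQUEUE rule for routed operation) are easy to get wrong in the device string. The following shell script is an added example, not code from the thread or from the Snort/DAQ projects: it builds and validates the afpacket pair string for several EtherChannel member links and emits (does not run) the commands for the routed nfq setup. The interface names eth1..eth4, the config path snort.conf and the queue number are assumed placeholders; the flag names (-Q, --daq afpacket, --daq nfq, --daq-var queue=) follow the daq-2.x README.

```shell
#!/bin/sh
# Added example: build Snort inline device strings and routed-mode commands.
# Interface names, config path and queue number below are assumed placeholders.

# Build the afpacket inline device string: members of a pair joined by ':',
# pairs joined by '::'. Arguments are taken in order: in1 out1 in2 out2 ...
# Fails on an odd count, a pair of identical interfaces, or an interface
# that appears in more than one pair (afpacket bridges each pair itself).
afpacket_pairs() {
    [ $# -gt 0 ] && [ $(( $# % 2 )) -eq 0 ] || {
        echo "need an even, non-zero number of interfaces" >&2; return 1; }
    seen=" "
    pairs=""
    while [ $# -ge 2 ]; do
        a=$1; b=$2; shift 2
        [ "$a" != "$b" ] || { echo "interface $a paired with itself" >&2; return 1; }
        for i in "$a" "$b"; do
            case "$seen" in
                *" $i "*) echo "interface $i used twice" >&2; return 1 ;;
            esac
            seen="$seen$i "
        done
        pairs="${pairs:+$pairs::}$a:$b"
    done
    printf '%s\n' "$pairs"
}

# Full inline (bridged) command line for the afpacket DAQ; -Q selects
# inline mode so packets are forwarded between the pair members.
snort_afpacket_cmd() {
    conf=$1; shift
    devs=$(afpacket_pairs "$@") || return 1
    printf 'snort -c %s -Q --daq afpacket -i %s\n' "$conf" "$devs"
}

# Routed mode: the Snort host routes between the two subnets and iptables
# hands every forwarded packet to Snort through NFQUEUE <queue>. The
# commands are printed for review rather than executed.
nfq_routed_cmds() {
    conf=$1; queue=${2:-0}
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    printf 'iptables -A FORWARD -j NFQUEUE --queue-num %s\n' "$queue"
    printf 'snort -c %s -Q --daq nfq --daq-var queue=%s\n' "$conf" "$queue"
}

# Demonstration with two EtherChannel member links, each cabled through
# its own inline NIC pair (eth1<->eth2, eth3<->eth4).
echo "# inline (bridged) with afpacket:"
snort_afpacket_cmd snort.conf eth1 eth2 eth3 eth4
echo "# routed with nfq:"
nfq_routed_cmds snort.conf 0
```

Every physical member link of the EtherChannel needs its own inline pair, so the pair string grows with the channel; a member that is not cabled through Snort bypasses inspection, and the validator above rejects a NIC reused across pairs because afpacket would otherwise bridge it twice. The nfq path avoids the NIC count entirely at the cost of terminating layer 2 on the Snort host, which is the "routed" behaviour the original question asked about.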
