Snort mailing list archives
Re: Newbie question -- Can Snort be installed in a routed mode instead of bridged mode?
From: J Green <corpengineer () gmail com>
Date: Tue, 16 Aug 2016 16:21:51 -0700
Using this syntax, it seems to work (in terms of Snort detecting traffic):

    /usr/local/bin/snort --daq afpacket -i eth0:eth1 -u snort -g snort -c /etc/snort/snort.conf

and

    iptables -I FORWARD -j QUEUE

I can create rules, and generate alerts: a.b.c.d is connected to eth0, and w.x.y.z is connected to eth1. However, how do I actually pass/route traffic (that doesn't trigger alerts) through Snort? Nothing reaches w.x.y.z. Do I need to create rules to let a.b.c.d on eth0 reach w.x.y.z on eth1, for various services, w/in iptables? Thank you.

On Tue, Jul 26, 2016 at 1:49 PM, J Green <corpengineer () gmail com> wrote:
Will do. Thank you.

On Tue, Jul 26, 2016 at 12:34 PM, Victor Roemer <viroemer () cisco com> wrote:

Take a look at the README included with the daq-2.0.6 source code. Look for “Notes on iptables”.

On 7/26/16 3:19 PM, J Green wrote:

Thanks, I'll look at that. Would be great if I could see some documentation w/ a working example. Haven't been able to find anything like that.

On Tue, Jul 26, 2016 at 11:35 AM, Victor Roemer <viroemer () cisco com> wrote:

Note that afpacket will create the bridge between interface pairs. If you already have configured bridge interfaces (ala iptables) then you’ll want the nfq daq. — Snort is unlike other utilities which use sockets and is configured to read from network device(s) directly. However, you can “bind” different configurations on different VLANs and networks (see doc/README.multipleconfigs for more details).

On 7/26/16 1:31 PM, J Green wrote:

That looks interesting. I guess though you would have to give a pair of interfaces to each set (switch & firewall) of Etherchannel ports. That would be a lot of NICs though. Maybe we don't need as many Etherchannel links to begin with; we have like 8 - 10. Need to think this through, but it might work. Thank you.

On Tue, Jul 26, 2016 at 10:16 AM, Y M <snort () outlook com> wrote:

In addition to bridging with afpacket, you can run snort against multiple interfaces in pairs format, also referred to as inline pairs when running in IPS mode. It would look something like this:

    snort -c snort.conf -i ethX:ethY::ethA:ethB

Check out the below blog post: http://blog.talosintel.com/2010/08/snort-29-essentials-daq.html

YM

On Tue, Jul 26, 2016 at 8:05 PM +0300, "Al Lewis (allewi)" <allewi () cisco com> wrote:

Have you tried using afpacket in bridged mode?
See the daq readme file:

    AFPACKET Module
    ===============

    afpacket functions similar to the pcap DAQ but with better performance:

        ./snort --daq afpacket -i <device> [--daq-var buffer_size_mb=<#MB>] [--daq-var debug]

    If you want to run afpacket in inline mode, you must craft the device string as one or more interface pairs, where each member of a pair is separated by a single colon and each pair is separated by a double colon like this:

Thanks.

Albert Lewis
ENGINEER, SOFTWARE ENGINEERING
Sourcefire, Inc., now part of Cisco
Email: allewi () cisco com

From: J Green <corpengineer () gmail com>
Date: Tuesday, July 26, 2016 at 12:49 PM
To: 'Y M' <snort () outlook com>
Cc: 'snort-users' <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Newbie question -- Can Snort be installed in a routed mode instead of bridged mode?

Will check out daq nfq. Appreciate the input. Alternatively, does anyone know a good way to install in bridge mode, given a more complicated network setup w/ Etherchannel (where there isn't just one connection between switch & firewall)? Thank you.

On Tue, Jul 26, 2016 at 3:48 AM, Y M <snort () outlook com> wrote:

I think you can achieve a routed-like behavior using daq nfq. For example, check the following document on Snort's documentation website: https://s3.amazonaws.com/snort-org-site/production/document_files/files/000/000/023/original/ids2ips.txt?AWSAccessKeyId=AKIAIXACIED2SPMSC7GA&Expires=1469533533&Signature=VNqj9aWGbGin6%2Fb%2FriQ3rf6zn4s%3D

YM

On Tue, Jul 26, 2016 at 2:29 AM +0300, "J Green" <corpengineer () gmail com> wrote:

Hello all:

Have been reading up on how to install Snort, and I have come across two modes: Bridged and SPAN. Bridged mode would be preferable, but our network is configured with layer 2 VLANing, and an Etherchannel connecting switches to the firewall.
So I do not see how I could physically connect Snort in Bridged mode, since there is not just one connection from switch to the firewall (where I could physically connect a Snort box in between). Was wondering if Snort supports a Routed mode, where the incoming interface is configured on one network subnet, and the outgoing interface is configured on a different network subnet? If so, could you please direct me to supporting documentation re how to accomplish this? My goal is to have Snort inspect traffic from one internal network destined to another internal network. Thank you.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
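The two deployment models the thread contrasts, afpacket inline pairs (Snort bridging at layer 2) versus the nfq DAQ behind an NFQUEUE rule for a routed setup, as an added example that is not part of any message above or of Snort's own code: it validates the pair syntax from the daq README and emits the commands each model needs. It assumes the Snort 2.9 `-Q` inline flag and the nfq DAQ variable `queue` as described in the daq README (verify against the daq-2.0.6 README the thread points to); interface names and addresses are constructed.

```python
"""Snort deployment-plan checker: afpacket inline pairs (L2) vs. nfq routed mode."""
import ipaddress


def parse_inline_pairs(device):
    """Parse the afpacket inline device string 'a:b::c:d' into [('a','b'), ('c','d')].
    daq README rule: pair members are joined by ':' and pairs by '::'. A lone NIC,
    a malformed pair or a NIC used twice is rejected, because Snort only forwards a
    frame to the partner interface of the one it arrived on."""
    if not device or device.startswith(":") or device.endswith(":"):
        raise ValueError("malformed device string: %r" % device)
    pairs, seen = [], set()
    for chunk in device.split("::"):
        members = chunk.split(":")
        if len(members) != 2 or not all(members):
            raise ValueError("each pair needs exactly two interfaces: %r" % chunk)
        for nic in members:
            if nic in seen:
                raise ValueError("interface %s appears in more than one pair" % nic)
            seen.add(nic)
        pairs.append(tuple(members))
    return pairs


def afpacket_inline_plan(device, conf="/etc/snort/snort.conf"):
    """Snort itself bridges frames between each pair: both sides share one subnet,
    the bridged NICs carry no IP address, and no iptables rule is involved (a
    QUEUE/NFQUEUE rule only diverts packets on the kernel path, which this bypasses)."""
    nics = [nic for pair in parse_inline_pairs(device) for nic in pair]
    cmds = ["ip link set %s up" % nic for nic in nics]
    cmds.append("snort -Q --daq afpacket -i %s -c %s" % (device, conf))
    return cmds


def nfq_routed_plan(inside, outside, queue=0, conf="/etc/snort/snort.conf"):
    """The kernel routes between two subnets; NFQUEUE hands each forwarded packet to
    Snort, whose pass/drop verdict decides whether it continues.
    inside and outside are constructed (interface, 'addr/prefix') tuples."""
    (in_if, in_addr), (out_if, out_addr) = inside, outside
    if ipaddress.ip_interface(in_addr).network == ipaddress.ip_interface(out_addr).network:
        raise ValueError("routed mode needs two distinct subnets: %s, %s" % (in_addr, out_addr))
    return [
        "ip addr add %s dev %s" % (in_addr, in_if),
        "ip addr add %s dev %s" % (out_addr, out_if),
        "sysctl -w net.ipv4.ip_forward=1",
        "snort -Q --daq nfq --daq-var queue=%d -c %s" % (queue, conf),
        # Add the rule only once Snort has bound the queue: packets queued with no
        # listener are dropped by the kernel (or use --queue-bypass to fail open).
        "iptables -I FORWARD -j NFQUEUE --queue-num %d" % queue,
    ]
```

With afpacket, a.b.c.d and w.x.y.z have to sit in one subnet, because Snort bridges frames between eth0 and eth1 rather than routing them; putting the two hosts on different subnets, as the original question asks, is the nfq case, where the kernel routes and Snort only passes judgement on the queued packets.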