Snort mailing list archives

Re: Snort inline problem


From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 19 Oct 2016 11:41:17 -0600

On 2016-10-19 11:26, mostafa ammar wrote:
Dear all,

I installed Snort inline on an Ubuntu VM.
I configured /etc/network/interfaces with the following configuration:

auto eth2
iface eth2 inet manual
    up ifconfig eth2 0.0.0.0 up
    up ip link set eth2 promisc on
    post-up ethtool -K eth2 gro off
    post-up ethtool -K eth2 lro off
    down ip link set eth2 promisc off
    down ifconfig eth2 down

# Second Bridged Interface
auto eth3
iface eth3 inet manual
    up ifconfig eth3 0.0.0.0 up
    up ip link set eth3 promisc on
    post-up ethtool -K eth3 gro off
    post-up ethtool -K eth3 lro off
    down ip link set eth3 promisc off
    down ifconfig eth3 down

Currently ping passes successfully between the 2 interfaces, but any
other protocol does not pass. I tried SSH, RDP, and HTTP;
the session is reset.
Any suggestion how to solve this problem?



You'll want to rethink how you do it...snort creates its own bridge
with, for example, afpacket:

"If you want to run afpacket in inline mode, you must set device to one 
or more interface pairs, where each member of a pair is separated by a 
single colon and each pair is separated by a double colon like this:

     eth0:eth1
or this:

     eth0:eth1::eth2:eth3"

http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node7.html

I did the same thing you did when I started out.

James
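
An added example (not part of the original post, and not Snort project code): a shell check for the interface-pair format quoted above, which then prints an inline afpacket command line for the poster's eth2/eth3. The function names, the permitted interface-name characters, and the /etc/snort/snort.conf path are assumptions.

```shell
#!/bin/sh
# Validate an afpacket inline device spec: members of a pair are joined by
# ":" and pairs are joined by "::". Nothing here touches the network.

# parse_pairs SPEC -> prints "ifA ifB" per pair; returns 1 if SPEC is malformed.
parse_pairs() {
    spec=$1
    seen=" "
    out=""
    # Reject empty specs, leading/trailing "::", and characters outside the
    # assumed interface-name set (this also rules out spaces and globs).
    case $spec in
        ''|::*|*::|*[!A-Za-z0-9_.:-]*) return 1 ;;
    esac
    for pair in $(printf '%s' "$spec" | sed 's/::/ /g'); do
        case $pair in *:*) ;; *) return 1 ;; esac   # a lone interface is not a pair
        a=${pair%%:*}
        b=${pair#*:}
        case $b in ''|*:*) return 1 ;; esac          # exactly one ":" per pair
        if [ -z "$a" ] || [ "$a" = "$b" ]; then return 1; fi
        for i in "$a" "$b"; do
            # An interface may appear in only one pair.
            case $seen in *" $i "*) return 1 ;; esac
            seen="$seen$i "
        done
        out="$out$a $b
"
    done
    printf '%s' "$out"
}

# snort_inline_cmd SPEC [CONF] -> prints the command to run, or fails on a bad spec.
snort_inline_cmd() {
    if ! parse_pairs "$1" >/dev/null; then
        echo "bad afpacket pair spec: $1" >&2
        return 1
    fi
    # -Q selects inline mode; the config path default is an assumed location.
    printf 'snort -Q --daq afpacket -i %s -c %s\n' "$1" "${2:-/etc/snort/snort.conf}"
}

# The two interfaces from the question, as one inline pair.
snort_inline_cmd eth2:eth3
```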
