Re: afpacket and inline mode

[James Lay <jlay () slave-tothe-box net>]

On Sat, 2017-01-28 at 11:47 -0600, Michael David wrote:
> I am trying to configure snort to run in inline mode between a cable
> modem and router.  My config tests fine and will run.  When snort is
> running all traffic is blocked in and outbound, but the log grows. 
> When I terminate snort I can view and log all in and outbound traffic
> and Internet service returns to the LAN.
>
> I don't understand why this is happening.  Shouldn't inline mode let
> all traffic pass and let the rules allow, block and drop?
>
> Here are some of my configurations and setup for the ports.
>
> snort -A console -c /etc/snort/snort.conf -Q -i eth0:eth1 --daq
> afpacket --daq-mode inline
>
> ifconfig eth0 0.0.0.0
> ip link set eth0 multicast off
> ip link set eth0 promisc on
> ethtool -s eth0 speed 100 duplex full
> for i in rx tx sg tso ufo gso gro lro; do ethtool -K eth0 $i off;
> done
>
> ifconfig eth1 0.0.0.0
> ip link set eth1 multicast off
> ip link set eth1 promisc on
> ethtool -s eth1 speed 100 duplex full
> for i in rx tx sg tso ufo gso gro lro; do ethtool -K eth1 $i off;
> done
> -------------------------------------------------------------------
> -----------
Is this a third physical device like say... *cable modem* <-> *snort
device* <-> *router* or do you plan on running inline on the router
itself?
James

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!