[Snort-devel] snort inline mode and bridge

Vincent Li vincent.mc.li at ...2499...
Thu Oct 13 18:59:05 EDT 2016


I am running snort in IPS afpacket inline mode (-i eth0:eth1) on a
lower end PC between my ISP modem and my home router in  my home
network. I use pulledpork to update signatures daily. I noticed that
if snort needs to be restarted ( I have not test reload on ubuntu
16.04 with systemd) to take the new signatures, during the restart
period, my home Internet is down for a few minutes because it took too
long for snort to load these rules on the lower end PC, my
understanding is that snort maintain the bridge in inline mode, if
snort is still processing rules during restart, the bridge is down and
no Internet access.

so my question is, is it possible to maintain the bridge up even
during snort restart, or set the bridge up early in snort startup
before loading rules....

or can I  create the bridge by Linux and let snort sniffing on the
bridge interface like -i br0 in IPS inline mode?

any input would be helpful.


More information about the Snort-devel mailing list