[Snort-devel] snort inline mode and bridge

Y M snort at ...3347...
Thu Oct 13 23:26:12 EDT 2016


Hello Vincent,


I haven't tried this before, but when building Snort, there is this build option:


"--enable-inline-init-failopen  Enable Fail Open during initialization for Inline Mode (adds pthread support implicitly)"


Have you tried this? I would be interested to know if this achieves what you need.


YM

________________________________
From: Vincent Li <vincent.mc.li at ...2499...>
Sent: Friday, October 14, 2016 1:59:05 AM
To: snort-devel at lists.sourceforge.net
Subject: [Snort-devel] snort inline mode and bridge

Hi,

I am running snort in IPS afpacket inline mode (-i eth0:eth1) on a
lower end PC between my ISP modem and my home router in my home
network. I use pulledpork to update signatures daily. I noticed that
if snort needs to be restarted (I have not tested reload on Ubuntu
16.04 with systemd) to take the new signatures, during the restart
period, my home Internet is down for a few minutes because it takes too
long for snort to load these rules on the lower end PC. My
understanding is that snort maintains the bridge in inline mode; if
snort is still processing rules during restart, the bridge is down and
there is no Internet access.

So my question is: is it possible to keep the bridge up even
during snort restart, or set the bridge up early in snort startup
before loading rules....

Or can I create the bridge with Linux and let snort sniff on the
bridge interface like -i br0 in IPS inline mode?

Any input would be helpful.

Thanks
