[Snort-devel] Snort Inline with TCP Connection

Navdeep Uniyal Navdeep.Uniyal at neclab.eu
Mon Jul 24 10:09:03 EDT 2017


+snort-devel list

From: Navdeep Uniyal
Sent: Monday, 24 July 2017 15:57
To: 'Snort-users at lists.sourceforge.net'; 'Al Lewis (allewi)'
Subject: RE: [Snort-devel] Snort Inline with TCP Connection

Hi Everyone,

Could someone please help me with this issue?


Best Regards,
Navdeep

From: Navdeep Uniyal
Sent: Friday, 21 July 2017 09:29
To: 'Al Lewis (allewi)'; Snort-users at lists.sourceforge.net
Subject: RE: [Snort-devel] Snort Inline with TCP Connection

I am using this command:
src/snort -A console -Q -c snort.conf -i eth1:eth2

whereas my snort.conf file contains:

#include /home/ubuntu/SNORT/ip.rules

config daq: afpacket
config daq_mode: inline

preprocessor normalize_ip4
config min_ttl: 60
config new_ttl: 60

The issue is only with tcp connections. Ping works fine.


Regards,
Navdeep

From: Al Lewis (allewi) [mailto:allewi at cisco.com]
Sent: Thursday, 20 July 2017 17:37
To: Navdeep Uniyal; Snort-users at lists.sourceforge.net
Subject: Re: [Snort-devel] Snort Inline with TCP Connection

How are you running snort inline? (what command are you starting snort with)



Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi at cisco.com

From: Snort-devel <snort-devel-bounces at lists.snort.org> on behalf of Navdeep Uniyal <Navdeep.Uniyal at neclab.eu>
Date: Thursday, July 20, 2017 at 11:18 AM
To: "snort-devel at lists.snort.org" <snort-devel at lists.snort.org>, 'snort-users' <Snort-users at lists.sourceforge.net>
Subject: [Snort-devel] Snort Inline with TCP Connection

Hello guys,

I am trying to set up snort inline while on one end of snort is my TCP server running. The other port is connected to another machine. While ping works between those, there are issues with tcp connection.

TCP is getting Spurious retransmission. The issue is not with the server as it works without snort perfectly well. Also, using TCP dump I could see the response ACK being received from receiver to sender.

Please if someone could help setting up this connection.



Best Regards,
Navdeep