[Snort-users] Question about Inline mode

John Liss john at ...15436...
Mon Dec 5 12:00:38 EST 2011

> Helpful as they were, I still have the following questions.
> When using either NFQ or the DAQ modules, are the interfaces bonded 
> together?  I completely understand that the Management interface is 
> assigned an IP Address, a gateway and a network (subnet mask).
> What happens to the two interfaces used in inline mode?  If I place 
> the sensor inline, are the interfaces numbered?  Do I need to fully 
> provide networking (routing) between the interfaces?

With --daq afpacket, the pair of interfaces become a bridge.

Setup on Ubuntu 10.04:

The interface setup:

auto eth0
iface eth0 inet manual
         up ifconfig $IFACE <your mgt ip> up

auto eth1
iface eth1 inet manual
         up ifconfig $IFACE up
         up ip link set $IFACE promisc on
         down ip link set $IFACE promisc off
         down ifconfig $IFACE down

auto eth2
iface eth2 inet manual
         up ifconfig $IFACE up
         up ip link set $IFACE promisc on
         down ip link set $IFACE promisc off
         down ifconfig $IFACE down

Running snort:
/usr/local/bin/snort --daq afpacket -Q -c /etc/snort/snort.conf -i eth1:eth2 -D

The network on eth1 becomes the same network on eth2, known as a bridge.

It works wonderfully and drops packets as advertised.

>>> Does the inline mode require two interfaces?
>>> Can Snort support multiple networks, simultaneously?  Does this reduce
>>> the throughput capability of the monitor?

Inline requires two interfaces.

Internet  router <-> eth1 <- snort -> eth2 <-> firewall <-> internal.

Yes you can run multiple networks on a single box.
You just need enough horse power in the box for snort to keep up with 
the traffic, and enough interfaces to act as bridges.

Example:  You have a monster box with 10 network cards in it, and enough 
cpu/memory to run multiple instances of snort.
You would just run snort over the interfaces:

Network setup:
eth0 = management.
eth1:eth2 = first bridge.
eth3:eth4 = second bridge.
eth5:eth6 = third bridge.
eth7:eth8 = fourth bridge.

Snort setup:
/usr/local/bin/snort --daq afpacket -Q -c /etc/snort/snort1.conf -i eth1:eth2 -D
/usr/local/bin/snort --daq afpacket -Q -c /etc/snort/snort2.conf -i eth3:eth4 -D
/usr/local/bin/snort --daq afpacket -Q -c /etc/snort/snort3.conf -i eth5:eth6 -D

I personally would still tend to lean towards 4 individual boxes in 
production environments.  That way if you lose a box for whatever 
reason, only one network segment is affected.

Development or test networks where traffic isn't critical, sure, toss 
them all on one box.  (But who has one of those?  My networks are all 
classified as must have up.)

>> Multiple networks can be supported but of course bandwidth is the
>> consideration here along with the strength of the Snort sensor. There
>> are better people on this list to answer than me but depending on the
>> size/bandwidth considerations you may want to consider using 4 sensors
>> that report to a main server for analysis. Like I said, others on this
>> list can help there as I have no experience here. Search the Google
>> Groups list too.
> Four sensors and a Main Server is an exceptional idea.  Thank you for 
> that.
> From reading the above sites listed, it would seem that afpacket is 
> the method to use for inline use.  Is there a consensus here?
>> Hope this serves at least as a start to answer your questions.
>> Bill
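
The multi-bridge layout in the reply above, as an added example that is not part of the original post: it checks a list of inline pairs before any Snort instance is started and prints one command line per bridge using the flags from the post. The function names check_pairs and plan_snort, the MGMT_IF and SNORT_BIN variables, and the continuation of the snortN.conf numbering are assumptions.

```sh
#!/bin/sh
# Added example: plan one inline Snort instance per bridge pair.
# MGMT_IF, SNORT_BIN and the function names are hypothetical; the snort
# flags and the snortN.conf naming pattern are taken from the post.
MGMT_IF="${MGMT_IF:-eth0}"
SNORT_BIN="${SNORT_BIN:-/usr/local/bin/snort}"

# check_pairs PAIR...
# Returns 0 only if every argument is "ifA:ifB", no interface appears
# twice (within a pair or across pairs), and the management interface
# is not part of any bridge.
check_pairs() {
    seen=" "
    for pair in "$@"; do
        case "$pair" in
            *:*:*|:*|*:|*[!A-Za-z0-9:._-]*)
                echo "bad pair syntax: $pair" >&2; return 1 ;;
            *:*) ;;
            *)  echo "not a pair: $pair" >&2; return 1 ;;
        esac
        a=${pair%%:*}; b=${pair#*:}
        for ifc in "$a" "$b"; do
            if [ "$ifc" = "$MGMT_IF" ]; then
                echo "management interface $ifc used in $pair" >&2; return 1
            fi
            case "$seen" in
                *" $ifc "*) echo "interface $ifc used twice" >&2; return 1 ;;
            esac
            seen="$seen$ifc "
        done
    done
    return 0
}

# plan_snort PAIR...
# Prints the command line for each pair (it does not launch anything),
# numbering the config files snort1.conf, snort2.conf, ...
plan_snort() {
    check_pairs "$@" || return 1
    n=1
    for pair in "$@"; do
        echo "$SNORT_BIN --daq afpacket -Q -c /etc/snort/snort$n.conf -i $pair -D"
        n=$((n + 1))
    done
}

# The four bridges from the post's network setup.
plan_snort eth1:eth2 eth3:eth4 eth5:eth6 eth7:eth8
```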
