[Snort-users] Inline with DAQ and afpacket only passing broadcasts

Avery Rozar asrozar at ...131...
Fri May 4 12:21:37 EDT 2012

Hello all,
I have set up Snort inline using this method.

downloaded Libdnet, Barnyard2, and DAQ, and installed them.

./configure --enable-64bit-gcc --enable-inline-init-failopen --enable-sourcefire --with-daq-includes=/usr/local/include/dnet/ --with-daq-libraries=/usr/local/lib/

make ; make install

copied and set up snort.config, rules, etc. to /etc/snort/

/sbin/ifconfig eth1 promisc up
/sbin/ifconfig eth2 promisc up

service iptables off (for now)

snort --daq afpacket -i eth1:eth2 -Q -c /etc/snort/snort.conf

I'm using Wireshark on two servers, one behind the IPS and one in front. I only see broadcast traffic from each host. For example, from host a, I will ping host b, and the other way, no reply. If host a pings the broadcast address, host b will see this, and the other way. Host b's DNS request never makes it to host a (my DNS server). Not sure where to look; would this be a DAQ issue or a snort.conf issue?

Thanks in advance.

A Government big enough to give you every thing you want, is big enough to take every thing you have. ~ Thomas Jefferson