[Snort-users] Inline with DAQ and afpacket only passing broadcasts
asrozar at ...131...
Fri May 4 12:21:37 EDT 2012
I have set up Snort inline using this method.
Downloaded Libdnet, Barnyard2, and DAQ, and installed them.
./configure --enable-64bit-gcc --enable-inline-init-failopen --enable-sourcefire --with-daq-includes=/usr/local/include/dnet/ --with-daq-libraries=/usr/local/lib/
make ; make install
Copied and set up snort.config, rules, etc. to /etc/snort/
/sbin/ifconfig eth1 0.0.0.0 promisc up
/sbin/ifconfig eth2 0.0.0.0 promisc up
service iptables off (for now)
snort --daq afpacket -i eth1:eth2 -Q -c /etc/snort/snort.conf
I'm using Wireshark on two servers, one behind the IPS and one in front. I only see broadcast traffic from each host. For example, from host a, I will ping host b, and the other way, no reply. If host a pings the broadcast address, host b will see this, and the other way. Host b's DNS request never makes it to host a (my DNS server). Not sure where to look; would this be a DAQ issue or a snort.conf issue?
Thanks in advance.
A Government big enough to give you every thing you want, is big enough to take every thing you have.~ Thomas Jefferson