[Snort-users] Inline with DAQ and afpacket only passing broadcasts
asrozar at ...131...
Wed May 9 09:27:24 EDT 2012
Yes, this is a re-send. I'm having a hell of a time finding any resolution to this; any help would be greatly appreciated.
I have set up Snort inline using this method.
Downloaded Libdnet, Barnyard2, and DAQ, and installed them.
./configure --enable-64bit-gcc --enable-inline-init-failopen --enable-sourcefire
make ; make install
Copied and set up snort.config, and rules etc., to /etc/snort/
/sbin/ifconfig eth1 0.0.0.0 promisc up
/sbin/ifconfig eth2 0.0.0.0 promisc up
service iptables off (for now)
snort --daq afpacket -i eth1:eth2 -Q -c /etc/snort/snort.conf
I'm using Wireshark on two servers, one behind the IPS and one in front. I only see broadcast traffic from each host. For example, from host a I will ping host b, and the other way, with no reply. If host a pings the broadcast address, host b will see this, and the other way. Host b's DNS request never makes it to host a (my DNS server). Not sure where to look; would this be a DAQ issue or a snort.conf issue?
Thanks in advance.