[Snort-users] Inline with DAQ and afpacket only passing broadcasts

Avery Rozar asrozar at ...131...
Wed May 9 09:27:24 EDT 2012


Hello all,
Yes, this is a re-send. I'm having a hell of a time finding any resolution to this; any help would be greatly appreciated.

I have set up Snort inline using this method.

Downloaded Libdnet, Barnyard2, and DAQ, and installed them.


./configure --enable-64bit-gcc --enable-inline-init-failopen --enable-sourcefire \
  --with-daq-includes=/usr/local/include/dnet/ \
  --with-daq-libraries=/usr/local/lib/


make ; make install

Copied and set up snort.config, rules, etc. to /etc/snort/


/sbin/ifconfig eth1 0.0.0.0 promisc up
/sbin/ifconfig eth2 0.0.0.0 promisc up

service iptables off (for now)

snort --daq afpacket -i eth1:eth2 -Q -c /etc/snort/snort.conf

I'm using Wireshark on two servers, one behind the IPS and one in front. I only see broadcast traffic from each host. For example, from host a, I will ping host b, and the other way, and get no reply. If host a pings the broadcast address, host b will see this, and the other way. Host b's DNS request never makes it to host a (my DNS server). Not sure where to look: would this be a DAQ issue, or a snort.conf issue?

Thanks in advance.