[Snort-users] Snort in Inline Mode on CentOS 6.3
snort at ...15979...
Wed Feb 6 10:56:40 EST 2013
It will be largely dependent on the output plugin you are using. Snorby, although I don't use it, will eventually read from a database: MySQL. In this case, it is a practice to let Snort output to unified2 and let barnyard2 parse the unified2 logs into the database, from which Snorby will read data.
Hope you get your setup done.
From: Okeowo, Ayo<mailto:gadmin at ...16076...>
Sent: 2/6/2013 6:43 PM
To: Y M<mailto:snort at ...15979...>
Subject: Re: [Snort-users] Snort in Inline Mode on CentOS 6.3
Thanks for the response. I would never have thought of increasing my
interfaces (virtual interfaces) to 3 to make it work. I will try that when
I get home and let you know.
So this will allow my drop and alert rules to pop up on Snorby? Once it
works I will then go ahead and configure preprocessor etc.
And I also hope to combine my command line with --alert-before-pass switch.
On Wed, Feb 6, 2013 at 10:28 AM, Y M <snort at ...15979...> wrote:
> You will need 3 interfaces. Two will be in transparent mode and the
> third will be used for management. When you run Snort in inline mode, you
> would use, for example: -i eth0:eth1, or the bridge if you will be using a
> bridge and eth3 for management.
> From: Okeowo, Ayo <gadmin at ...16076...>
> Sent: 2/6/2013 6:22 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Snort in Inline Mode on CentOS 6.3
> Hello Folks,
> Has anyone successfully set up Snort 2.9.4 on CentOS 6.3 with functioning
> IPS(Inline Mode) using 2 interfaces (1 for sniffing traffic and 2nd for
> I'm having a few issues, although I haven't sat down to address it yet due
> to my day job sucking my time. The first issue is, if I use 1 interface and
> put Snort to Inline Mode, my drop rules don't work. Second, if I use 2
> interfaces, both Alert and Drop rules cease to work and I get nothing on
> Any insight to this issue will be appreciated. Like I said I haven't sat
> down to troubleshoot this issue but your response will help.
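
What barnyard2 reads in the Snort -> unified2 -> barnyard2 -> MySQL pipeline described in this thread, as an added example that is not from the thread or from the Snort or barnyard2 sources: a minimal reader for unified2 IPv4 event records that reports the `blocked` field, which is what separates an alert from a drop. The record layout (8-byte big-endian header, 52-byte event body, types 7 and 104) is taken from the Snort 2.9 unified2 format and is an assumption here; the SIDs, addresses and sample bytes are constructed.

```python
import socket
import struct

HEADER = struct.Struct(">II")           # record type, record length (big-endian)
EVENT = struct.Struct(">9I4s4sHH4B")    # 52-byte IPv4 event body
EVENT_TYPES = {7, 104}                  # legacy event; event with MPLS/VLAN tail
BLOCKED = {0: "not dropped", 1: "dropped", 2: "would drop"}


def read_events(data):
    """Return the IPv4 event records found in a unified2 byte string."""
    events, offset = [], 0
    while offset + HEADER.size <= len(data):
        rtype, length = HEADER.unpack_from(data, offset)
        body = data[offset + HEADER.size:offset + HEADER.size + length]
        if len(body) < length:
            break                       # partial record: Snort is still writing it
        offset += HEADER.size + length
        if rtype not in EVENT_TYPES or length < EVENT.size:
            continue                    # packet data, IPv6 events, extra data
        f = EVENT.unpack_from(body)
        events.append({
            "gid": f[5], "sid": f[4], "rev": f[6],
            "src": socket.inet_ntoa(f[9]), "dst": socket.inet_ntoa(f[10]),
            "sport": f[11], "dport": f[12], "proto": f[13],
            "action": BLOCKED.get(f[16], "unknown"),
        })
    return events


def sample_log():
    """Constructed input: an alert, a placeholder packet record, a dropped event."""
    def rec(rtype, sid, blocked, tail=b""):
        body = EVENT.pack(1, 1, 1360166200, 0, sid, 1, 1, 0, 1,
                          socket.inet_aton("192.0.2.10"),
                          socket.inet_aton("198.51.100.5"),
                          40000, 80, 6, 0, 0, blocked) + tail
        return HEADER.pack(rtype, len(body)) + body
    packet = HEADER.pack(2, 4) + b"\x00" * 4
    return rec(7, 1000001, 0) + packet + rec(104, 1000002, 1, b"\x00" * 8)


if __name__ == "__main__":
    for event in read_events(sample_log()):
        print(event)
```

If the unified2 file contains events but none ever show `dropped`, the rules are alerting without Snort actually sitting inline on the traffic path.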