[Snort-users] Snort in Inline Mode on CentOS 6.3

Y M snort at ...15979...
Sun Feb 10 11:54:28 EST 2013


a. How are you running Snort? In other words, what is the command you are using to run Snort?

b. Which DAQ are you using?

c. How is your drop rule setup?

d. When you stop Snort, what do the verdict statistics show?

Please when you send/reply do so for the whole group as there are awesome people here that are more experienced than I am, and other people benefit as well.

Thanks.
YM
________________________________
From: Okeowo, Ayo<mailto:gadmin at ...16076...>
Sent: 2/10/2013 7:38 PM
To: Y M<mailto:snort at ...15979...>
Subject: Re: [Snort-users] Snort in Inline Mode on CentOS 6.3

YM,

Sorry I'm just getting back to you after I posted my question. I've been
able to add 1 more interface and the 2 interfaces are now
in promiscuous mode. I've confirmed there are packets traversing the
interfaces but my rule is not dropping any traffic request to, let's say,
port 80 and 443.

What could I possibly be missing? Still looking through though to see if
I find anything that could be causing the issue.

Your response will be much appreciated.

On Wed, Feb 6, 2013 at 10:56 AM, Y M <snort at ...15979...> wrote:

> It will be largely dependent on the output plugin you are using. In the case
> of Snorby, although I don't use it, it will eventually read from a database;
> MySQL. In this case, it is a practice to let Snort output to unified2, and
> let barnyard2 parse unified2 logs into the database, from which Snorby will
> read data.
>
> Hope you get your setup done.
>
> YM
>  ------------------------------
> From: Okeowo, Ayo <gadmin at ...16076...>
> Sent: 2/6/2013 6:43 PM
> To: Y M <snort at ...15979...>
> Subject: Re: [Snort-users] Snort in Inline Mode on CentOS 6.3
>
>  YM,
>
> Thanks for the response. I would never have thought of increasing my
> interfaces (virtual interfaces) to 3 to make it work. I will try that when
> I get home and let you know.
>
> So this will allow my drop and alert rules to pop up on Snorby? Once it
> works I will then go ahead and configure preprocessors etc.
>
> And I also hope to combine my command line with --alert-before-pass switch.
>
> On Wed, Feb 6, 2013 at 10:28 AM, Y M <snort at ...15979...> wrote:
>
> You will need 3 interfaces. Two will be in transparent mode and the
> third will be used for management. When you run Snort in inline mode, you
> would use, for example: -i eth0:eth1, or the bridge if you will be using a
> bridge and eth3 for management.
>
> YM
>  ------------------------------
> From: Okeowo, Ayo <gadmin at ...16076...>
> Sent: 2/6/2013 6:22 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Snort in Inline Mode on CentOS 6.3
>
>   Hello Folks,
>
> Has anyone successfully set up Snort 2.9.4 on CentOS 6.3 with functioning
> IPS (Inline Mode) using 2 interfaces (1 for sniffing traffic and 2nd for
> management)?
>
> I'm having a few issues, although I haven't sat down to address it yet due
> to my day job sucking my time. The first issue is, if I use 1 interface and
> put Snort to Inline Mode, my drop rules don't work. Second, if I use 2
> interfaces, both Alert and Drop rules cease to work and I get nothing on
> Snorby.
>
> Any insight to this issue will be appreciated. Like I said I haven't sat
> down to troubleshoot this issue but your response will help.
>
> Thanks.
> Ayo
>
>
>
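As an added example (not code from anyone in the thread), here is the shape of the answers YM's questions (a) through (d) are looking for: an inline invocation with the -Q switch and an inline-capable DAQ on the eth0:eth1 pair, a drop rule for ports 80 and 443, and a small check over the verdict summary Snort prints at shutdown that distinguishes "not running inline at all" from "inline but nothing was ever blocked". The interface names, file paths, sid, the afpacket DAQ and the sample summary (constructed to resemble the Snort 2.9 "Verdicts:" section) are all assumptions.

```shell
#!/bin/sh
# (a)+(b) Inline mode needs -Q plus an inline-capable DAQ; afpacket bridging
# eth0 and eth1 is the two-interface layout discussed in the thread (assumed).
SNORT_INLINE_CMD='snort -Q --daq afpacket -i eth0:eth1 -c /etc/snort/snort.conf'

# (c) A drop rule for the web ports; it only drops when Snort runs with -Q.
DROP_RULE='drop tcp any any -> any [80,443] (msg:"TEST drop web"; sid:1000001; rev:1;)'

# (d) Constructed shutdown summary in the shape of Snort's "Verdicts:" block.
# Block=0 is the symptom from the thread: traffic seen, nothing dropped.
SAMPLE_SUMMARY='Verdicts:
      Allow:          1523 ( 98.9%)
      Block:             0 (  0.0%)
    Replace:             0 (  0.0%)
  Whitelist:             0 (  0.0%)
  Blacklist:             0 (  0.0%)
     Ignore:             0 (  0.0%)'

# Print the packet count for one verdict name (e.g. Block) from a summary.
verdict_count() {
    printf '%s\n' "$2" | awk -v name="$1:" '$1 == name { print $2; exit }'
}

# Exit status: 0 = inline and blocking, 1 = command line is not inline (-Q
# missing, so drop rules behave like alert), 2 = inline but Block is zero,
# which points at the DAQ or at the rule not actually being a drop rule.
check_inline() {
    cmd=$1; summary=$2
    case " $cmd " in
        *" -Q "*) ;;
        *) echo "not inline: -Q missing, drop rules cannot drop"; return 1 ;;
    esac
    blocks=$(verdict_count Block "$summary")
    if [ "${blocks:-0}" -eq 0 ]; then
        echo "inline but Block=0: verify the DAQ is inline-capable and the rule says 'drop', not 'alert'"
        return 2
    fi
    echo "inline and blocking: Block=$blocks"
    return 0
}

# Run the check against the constructed summary; '|| :' keeps the script
# from aborting on the non-zero diagnostic status.
check_inline "$SNORT_INLINE_CMD" "$SAMPLE_SUMMARY" || :
```

Paste the real command line and the real "Verdicts:" section from your own shutdown output in place of the constructed values to apply the same check to your setup.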