[Snort-users] trouble with inline mode

VM PC packetstack at ...11827...
Wed Aug 27 10:06:27 EDT 2014


Hello Richard,

If possible, add another interface to your sensor for management and remove
the IP addresses from the interfaces used for inline operation. I have had
many problems before when doing testing and using only two interfaces.

The thing that stands out is that you are trying to communicate between two
different networks. Are you also routing/NAT on that Snort sensor?


On Wed, Aug 27, 2014 at 9:52 AM, Richard Smollett <yawningdogge at ...11827...>
wrote:

> IP setup looks like this.
>
> root at ...2306...:~# ifconfig
> eth0      Link encap:Ethernet  HWaddr 08:00:27:fd:b5:c4
>           inet addr:172.28.61.104  Bcast:172.28.61.127  Mask:255.255.255.128
>           inet6 addr: fe80::a00:27ff:fefd:b5c4/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:472894 errors:5 dropped:15 overruns:0 frame:0
>           TX packets:15266 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:129789824 (123.7 MiB)  TX bytes:2332609 (2.2 MiB)
>           Interrupt:10 Base address:0xd020
>
> eth1      Link encap:Ethernet  HWaddr 08:00:27:97:66:ff
>           inet addr:192.168.123.1  Bcast:192.168.123.255  Mask:255.255.255.0
>           inet6 addr: fe80::a00:27ff:fe97:66ff/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:14 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:438796 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:962 (962.0 B)  TX bytes:123829936 (118.0 MiB)
>           Interrupt:9 Base address:0xd240
>
> The eth0 interface is the outside and eth1 is inside. I'm starting snort
> with this command.
>
> snort --daq afpacket -i eth0:eth1 --daq-mode inline -c /etc/snort/snort.conf
>
> But I still cannot ping an inside host from the outside. I can ping
> between the snort device and inside/outside hosts. If I ping an inside host
> from the outside, tcpdump shows the icmp echo request arriving but no
> reply. Inside host ip is 192.168.123.2.
>
> Can anyone recommend some other troubleshooting steps or suggest where I
> may have left anything out of the setup?
>
>