[Snort-users] IPS Inline Mode

Erdem Çulcu erdem at ...16870...
Mon Jun 23 02:55:41 EDT 2014


We have 3-4 switches and each switch has about 5 PCs on average. An additional 7-8
PCs connect over WLAN.

I see traffic, but I can't see TCP traffic.


On Fri, Jun 20, 2014 at 7:54 PM, Y M <snort at ...15979...> wrote:

> How are the "other machines" and Snort connected (same switch)? Is the
> interface on Snort connected to a mirror port or something similar on the
> switch? Try running tcpdump and view the packets to verify whether you see
> traffic from other machines. If not, then you need to configure a mirroring
> port on the switch, to which the NIC on the Snort box will be connected
> (promiscuous).
>
> If you get the first problem sorted out, use the guide at
> http://s3.amazonaws.com/snort-org/www/assets/229/ids2ips.txt to help you
> with the inline mode using NFQ.
>
> YM
>
> ------------------------------
> Date: Fri, 20 Jun 2014 11:51:04 +0300
> From: erdem at ...16870...
>
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] IPS Inline Mode
>
> Hi,
>
> I am new to Snort.
>
> I installed it with the guide and ran it in IDS mode.
>
> I have two problems.
>
> Firstly, Snort handles only the host machine's packets. I wrote some rules,
> for example:
> alert tcp any any -> any any (content:"www.facebook.com"; msg:"Facebook Accessing"; sid:1000001;)
>
> This rule works only on the machine on which Snort is installed. Other machines'
> accesses are not handled.
>
> The other problem is Inline Mode.
>
> I run it with this command:
>
> snort --daq nfq -Q -c /etc/snort/snort.conf  --daq-dir /usr/local/lib/daq
> --daq-var device=eth0 -i eth0
>
> Snort gives this error:
>
> ERROR: Can't initialize DAQ nfq (-7) - The nfq DAQ module does not support
> interface or readback mode!
>
> If I remove "-i eth0", Snort works but does not handle any packets.
>
> Thanks for your replies.
>
> Good Works
>
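The two problems in this thread (no traffic from other hosts on the sniffing NIC, and the nfq DAQ refusing `-i eth0`) can be checked and set up with a small shell script. This is an added example, not from the thread or the linked guide; it assumes Snort 2.9 with the nfq DAQ on Linux, interface eth0, NFQUEUE number 0, and /etc/snort/snort.conf, all adjustable via environment variables.

```shell
#!/bin/sh
# Added example: verify the capture interface and build an nfq inline setup.
# Assumptions: Linux with iptables/tcpdump, Snort 2.9 built with the nfq DAQ.

IFACE="${IFACE:-eth0}"
QUEUE="${QUEUE:-0}"
CONF="${CONF:-/etc/snort/snort.conf}"

# Snort command line for inline mode with the nfq DAQ. Packets are handed to
# Snort by the kernel queue, so no interface is passed: "-i <iface>" is what
# triggers "The nfq DAQ module does not support interface or readback mode".
snort_nfq_cmd() {
    printf 'snort --daq nfq --daq-var queue=%s -Q -c %s\n' "$1" "$2"
}

# iptables rules that divert traffic into the queue. With nfq, Snort only ever
# sees what these rules send it; without them it runs but handles no packets.
# FORWARD covers other hosts routed/bridged through this box; INPUT/OUTPUT
# cover the box's own traffic. Printed, not applied, so they can be reviewed.
nfq_rules() {
    printf 'iptables -I FORWARD -j NFQUEUE --queue-num %s\n' "$1"
    printf 'iptables -I INPUT -j NFQUEUE --queue-num %s\n' "$1"
    printf 'iptables -I OUTPUT -j NFQUEUE --queue-num %s\n' "$1"
}

# Count TCP packets on the interface that do not involve this host's own IP.
# A NIC on an ordinary switch port sees only its own traffic plus broadcasts,
# so a count of 0 here points at a missing SPAN/mirror port on the switch
# (the first problem in the thread), not at the Snort rules.
count_foreign_tcp() {
    own_ip=$(ip -4 -o addr show dev "$1" | awk '{print $4}' | cut -d/ -f1)
    timeout 5 tcpdump -i "$1" -nn -c 50 "tcp and not host $own_ip" 2>/dev/null \
        | wc -l
}

# Print the plan; applying the rules and starting Snort require root.
echo "# 1. Check the mirror port (expect > 0): count_foreign_tcp $IFACE"
echo "# 2. Divert traffic to the queue:"
nfq_rules "$QUEUE"
echo "# 3. Start Snort inline (no -i):"
snort_nfq_cmd "$QUEUE" "$CONF"
```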