[Snort-users] Snort with AFPacket

Sec Aficionado secaficionado at ...11827...
Mon Nov 3 17:24:16 EST 2014


Hi there,

I'm following the steps outlined in the guide "Snort IPS using DAQ
AFPacket". I compiled snort with all the requirements and I am using
pulledpork for the rules.

When I start snort with
snort -c <conf path>/snort.conf -i eth1:eth0 -Q
I do get the alerts and snort stops some traffic as expected. However,
other functions running in that box are bypassed. The machine running snort
has a DHCP server, but when snort is running the DHCP server is bypassed,
so machines connected down the line get addresses from the next DHCP server
higher up in the hierarchy.

I want to confirm that this is the expected behavior. I did not expect the
other functions to be bypassed, although in retrospect it makes some
sense.

Is there some documentation, in addition to the manual, about this behavior?

Thanks!