[Snort-users] Snort with AFPacket

Sec_Aficionado secaficionado at ...11827...
Mon Nov 3 19:16:29 EST 2014

I'm not sure this is what you mean, please let me know if you need more info:
The box is acting as a firewall between two subnets.

eth1 is connected to a LAN with IP addresses with an address of

eth0 is acting as the DHCP server for and has an address of

Before snort runs, this works OK and the two subnets are separate from each other. When snort is running, though, the box becomes transparent and devices in both subnets can see each other. I did not expect that, but it is an effect of the bridging.

Everything returns to normal when I stop snort.

> On Nov 3, 2014, at 5:37 PM, James Lay <jlay at ...13475...> wrote:
>> On 2014-11-03 15:24, Sec Aficionado wrote:
>> Hi there,
>> I'm following the steps outlined in the guide "Snort IPS using DAQ
>> AFPacket". I compiled snort with all the requirements and I am using
>> pulledpork for the rules.
>> When I start snort with
>> snort -c <conf path>/snort.conf -i eth1:eth0 -Q
>> I do get the alerts and snort stops some traffic as expected. However,
>> other functions running in that box are bypassed. The machine running
>> snort has a DHCP server, but when snort is running the DHCP server is
>> bypassed, so machines connected down the line get addresses from the
>> next DHCP server higher up in the hierarchy.
>> I want to confirm that this is the expected behavior. I did not expect
>> the other functions to be bypassed, although in retrospect it makes
>> some sense.
>> Is there some documentation, in addition to the manual, about this
>> behavior?
>> Thanks!
> How are the above NICs configured?
