[Snort-users] Snort with AFPacket

waldo kitty wkitty42 at ...14940...
Mon Nov 3 21:22:41 EST 2014

On 11/3/2014 8:17 PM, James Lay wrote:
> Indeed that is afpacket is supposed to function.  Ideally you're on a machine
> with three NIC's..one for management, and the other two acting as a bridge.
> Look at NFQ if you're going to be running this on a firewall device.

actually, the machine in question can have 2 to 4 NICs... none are for 
management... one is for the connection to the WAN and the other three are for 
up to 3 internal LANs... i believe that the OP is bridging the WAN NIC to one of 
the internal LAN NICs and that they have only two NICs in their machine...

if i'm reading this correctly, they've effectively bypassed everything in the 
middle between the two NICs that is supposed to be there protecting their 
internal networks from the WAN traffic... all of that protection is done via 
iptables and specific handling of certain traffic... snort normally looks at 
their WAN interface and sees all the traffic in front of iptables before 
iptables has any chance to handle it...

  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.

More information about the Snort-users mailing list