[Snort-users] Snort with AFPacket
wkitty42 at ...14940...
Mon Nov 3 21:22:41 EST 2014

On 11/3/2014 8:17 PM, James Lay wrote:
> Indeed that is how afpacket is supposed to function. Ideally you're on a machine
> with three NICs..one for management, and the other two acting as a bridge.
> Look at NFQ if you're going to be running this on a firewall device.

actually, the machine in question can have 2 to 4 NICs... none are for
management... one is for the connection to the WAN and the other three are for
up to 3 internal LANs... i believe that the OP is bridging the WAN NIC to one of
the internal LAN NICs and that they have only two NICs in their machine...

if i'm reading this correctly, they've effectively bypassed everything in the
middle between the two NICs that is supposed to be there protecting their
internal networks from the WAN traffic... all of that protection is done via
iptables and specific handling of certain traffic... snort normally looks at
their WAN interface and sees all the traffic in front of iptables before
iptables has any chance to handle it...

NOTE: No off-list assistance is given without prior approval.
Please *keep mailing list traffic on the list* unless
private contact is specifically requested and granted.