[Snort-users] Problem running Snort Inline

Anshuman Anil Deshmukh anshuman at ...16510...
Thu Feb 5 01:40:16 EST 2015


Hi,

We have issues running Snort inline. This is the exact problem which is mentioned here - http://www.linuxforums.org/forum/debian-linux/200751-snort-inline.html (see log below).

We have setup the Snort inline (version 2.9.7.0) which is compiled using switch --enable-sourcefire.

It says "Enabling inline operation" and then switches to IDS mode.

Our command line for running Snort:
/usr/local/snort/bin/snort -c /usr/local/snort/etc/snort_conf_rules.conf -i eth0:eth1 -Q --pid-path=/var/run which creates the bridge automatically. Both the interfaces doesn't have IP addresses assigned.

We have already enabled following options for snort inline:

config policy_mode:inline

config daq: afpacket

config daq_mode: inline

config daq_var: buffer_size_mb=1024



preprocessor normalize_ip4

preprocessor normalize_tcp: ips ecn stream

preprocessor normalize_icmp4

preprocessor normalize_ip6

preprocessor normalize_icmp6

Under verdicts it shows 0% packets blocked. We have enabled couple of drop rules for BRUTE FORCE attack one of which is getting detected. Here is the snort output.
02/02-12:12:23.042082  [Drop] [**] [1:2019876:2] ET SCAN SSH BruteForce Tool with fake PUTTY version [**] [Classification: Detection of a Network Scan] [Priority: 3] {TCP} 000.000.000.00:38772 -> 00.00.00.:22 (IP addresses information removed)

But under verdicts it shows nothing blocked. Why??

Verdicts:
      Allow:      4335107 ( 59.187%)
      Block:            0 (  0.000%)

Output says:
Enabling inline operation
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!

===============================================
Information about our setup-

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.7.0 GRE (Build 149)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.4.0
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.3

============================================================================

/usr/local/snort/bin/snort --daq-list
Available DAQ modules:
pcap(v3): readback live multi unpriv
ipfw(v3): live inline multi unpriv
dump(v2): readback live inline multi unpriv
afpacket(v5): live inline multi unpriv

===========================================================================

Please let me know in case any other information is required.


Regards,
Anshuman



"Legal Disclaimer: This electronic message and all contents contain information from Cybage Software Private Limited which may be privileged, confidential, or otherwise protected from disclosure. The information is intended to be for the addressee(s) only. If you are not an addressee, any disclosure, copy, distribution, or use of the contents of this message is strictly prohibited. If you have received this electronic message in error please notify the sender by reply e-mail to and destroy the original message and all copies. Cybage has taken every reasonable precaution to minimize the risk of malicious content in the mail, but is not liable for any damage you may sustain as a result of any malicious content in this e-mail. You should carry out your own malicious content checks before opening the e-mail or attachment." www.cybage.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20150205/b61bf0a8/attachment.html>


More information about the Snort-users mailing list