[Snort-users] snort inline mode in CentOS 6.6

James Lay jlay at ...13475...
Sat May 2 09:25:22 EDT 2015


On Sat, 2015-05-02 at 12:46 +0200, Abdallah Jabbour wrote:
> Hello,
> 
> I have installed snort on CentOS 6.6 in a KVM guest machine. It is a
> router/firewall using iptables. I followed the installation and
> configuration steps and tested the configuration file validity (using
> the -T command line arg).
> 
> I enabled inline mode:
> 
> In the configuration file, I added and uncommented the following lines:
> 
>  config policy_mode:inline
> 
>  config daq: afpacket
>  config daq_dir: /usr/lib64/daq/
>  config daq_mode: inline
>  config daq_var: buffer_size_mb=128
> 
> and also in /etc/sysconfig/snort:
> 
> INTERFACE=eth0:eth1
> 
> and started the snort service.
> 
> The network connection (locally and to the internet) is dropped; I
> cannot ping any host on the network.
> 
> I added some rules to /etc/snort/rules/local.rules
> to see if alerting is working. I can see alerts being written
> to /var/log/snort/alert after I reboot the machine (since there is no
> network connectivity).
> 
> I know that inline mode will put the network interfaces eth0 and eth1
> in promiscuous mode and will bridge the network connection to get the
> network traffic. Is there anything I am missing in my setup?


Do eth0 and eth1 have IP addresses assigned?

James