[Snort-users] Snort-users Digest, Vol 108, Issue 2

Abdallah Jabbour abdjbr at ...11827...
Sun May 3 18:55:52 EDT 2015


All the lab is on a KVM host with a regular bridge (bridge-utils on CentOS).
It seems that whenever the snort service starts it will bridge the
interfaces together, causing the network connections to drop, even if I
specify non-IP interfaces:
INTERFACE=eth0.1:eth1.1
where eth0.1 and eth1.1 are another two virtual interfaces on the Snort
guest with no IP address.

I don't have port mirroring in place (that's why I tried inline mode).

On Mon, May 4, 2015 at 12:34 AM, Abdallah Jabbour <abdjbr at ...11827...> wrote:

> Yes they do!
>
> On Sun, May 3, 2015 at 2:00 PM, <snort-users-request at lists.sourceforge.net
> > wrote:
>
>> Send Snort-users mailing list submissions to
>>         snort-users at lists.sourceforge.net
>>
>> To subscribe or unsubscribe via the World Wide Web, visit
>>         https://lists.sourceforge.net/lists/listinfo/snort-users
>> or, via email, send a message with subject or body 'help' to
>>         snort-users-request at lists.sourceforge.net
>>
>> You can reach the person managing the list at
>>         snort-users-owner at lists.sourceforge.net
>>
>> When replying, please edit your Subject line so it is more specific
>> than "Re: Contents of Snort-users digest..."
>>
>>
>> When responding, please don't respond with the entire Digest.  Please
>> trim your response.
>>
>> Today's Topics:
>>
>>    1. Re: snort inline mode in CentOS 6.6 (James Lay)
>>
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Sat, 02 May 2015 07:25:22 -0600
>> From: James Lay <jlay at ...13475...>
>> Subject: Re: [Snort-users] snort inline mode in CentOS 6.6
>> To: snort-users at lists.sourceforge.net
>> Message-ID: <1430573122.4447.1.camel at ...16724...>
>> Content-Type: text/plain; charset="utf-8"
>>
>> On Sat, 2015-05-02 at 12:46 +0200, Abdallah Jabbour wrote:
>> > Hello,
>> >
>> > I have installed Snort on CentOS 6.6 in a KVM guest machine; it is a
>> > router/firewall using iptables. I followed the installation and
>> > configuration steps and tested the configuration file validity (using
>> > the -T command line arg).
>> >
>> > I enabled inline mode:
>> >
>> > In the configuration file I added and uncommented the following lines:
>> >
>> >  config policy_mode:inline
>> >
>> >  config daq: afpacket
>> >  config daq_dir: /usr/lib64/daq/
>> >  config daq_mode: inline
>> >  config daq_var: buffer_size_mb=128
>> >
>> > and also in /etc/sysconfig/snort
>> >
>> > INTERFACE=eth0:eth1
>> >
>> > and started the snort service.
>> >
>> > The network connection (locally and to the internet) is dropped; I
>> > cannot ping any host on the network.
>> >
>> > I added some rules to /etc/snort/rules/local.rules to see if alerting
>> > is working. I can see alerts being written to /var/log/snort/alert
>> > after I reboot the machine (since there is no network connectivity).
>> >
>> > I know that inline mode will put the network interfaces eth0 and eth1
>> > in promiscuous mode and will bridge the network connection to get the
>> > network traffic. Is there anything I am missing in my setup?
>> >
>> ------------------------------------------------------------------------------
>> > One dashboard for servers and applications across Physical-Virtual-Cloud
>> > Widest out-of-the-box monitoring support with 50+ applications
>> > Performance metrics, stats and reports that give you Actionable Insights
>> > Deep dive visibility with transaction tracing using APM Insight.
>> > http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
>> > _______________________________________________
>> > Snort-users mailing list
>> > Snort-users at lists.sourceforge.net
>> > Go to this URL to change user options or unsubscribe:
>> > https://lists.sourceforge.net/lists/listinfo/snort-users
>> > Snort-users list archive:
>> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>> >
>> > Please visit http://blog.snort.org to stay current on all the latest
>> Snort news!
>>
>>
>> Do eth0 and eth1 have IP addresses assigned?
>>
>> James
>> -------------- next part --------------
>> An HTML attachment was scrubbed...
>>
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20150504/01273c2a/attachment.html>
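The question James asks (do the two interfaces in the INTERFACE pair carry IP addresses?) is the check to run before starting afpacket inline, because the DAQ forwards every frame it reads on one side of the pair out of the other side, and a router that is also addressing and routing on those same interfaces loses them. The script below is an added example for this thread, not code from the mailing list or from the Snort project: it parses the INTERFACE value from /etc/sysconfig/snort, confirms both names exist and that neither has an IPv4 address, and explains which one fails. The interface names and the `ip` output embedded in it are constructed samples modelled on the thread (addressed eth0/eth1, address-less eth0.1/eth1.1); the parsing assumes the one-line formats of iproute2's `ip -o link show` and `ip -o -4 addr show`.

```shell
#!/bin/sh
# Preflight check for a Snort afpacket inline pair, i.e. the value of
# INTERFACE=ethA:ethB in /etc/sysconfig/snort. Added example; this is not code
# from the mailing-list thread or from the Snort project. In inline mode the
# afpacket DAQ forwards every frame it reads on ethA out of ethB and back, so
# the kernel must not also be using those two interfaces for its own
# addressing or routing: the check requires both names to exist and to carry
# no IPv4 address. The interface names and the `ip` output below are
# constructed samples; the parsing assumes the iproute2 one-line formats of
# `ip -o link show` ("N: name: <flags> ..." or "N: name@parent: ..." for
# VLAN sub-interfaces) and `ip -o -4 addr show` ("N: name    inet a.b.c.d/p ...").

check_inline_pair() {
    pair=$1
    links=$2
    addrs=$3
    case $pair in
        *:*) ;;
        *) echo "INTERFACE must be two names joined by ':' for afpacket inline, got '$pair'"
           return 1 ;;
    esac
    a=${pair%%:*}
    b=${pair#*:}
    [ "$a" != "$b" ] || { echo "both sides of the pair are '$a'"; return 1; }
    for dev in "$a" "$b"; do
        # Does the interface exist? Field 2 of `ip -o link` is "name:" or "name@parent:".
        if ! printf '%s\n' "$links" | awk -v d="$dev" \
            '{ n = $2; sub(/:$/, "", n); sub(/@.*/, "", n); if (n == d) found = 1 }
             END { exit !found }'; then
            echo "$dev: no such interface"
            return 1
        fi
        # Does it carry an IPv4 address? Field 4 of a matching `ip -o -4 addr` line.
        ip4=$(printf '%s\n' "$addrs" | awk -v d="$dev" \
            '{ n = $2; sub(/@.*/, "", n); if (n == d && $3 == "inet") { print $4; exit } }')
        if [ -n "$ip4" ]; then
            echo "$dev has IPv4 address $ip4; afpacket inline would bridge it and the host loses that path"
            return 1
        fi
    done
    echo "ok: $a and $b exist and carry no IPv4 address"
    return 0
}

# Constructed samples: a router guest with addressed eth0/eth1 and two
# address-less VLAN sub-interfaces eth0.1/eth1.1 (hypothetical values).
SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:aa:bb:01 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:aa:bb:02 brd ff:ff:ff:ff:ff:ff
4: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:aa:bb:01 brd ff:ff:ff:ff:ff:ff
5: eth1.1@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:aa:bb:02 brd ff:ff:ff:ff:ff:ff'
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 10.0.0.1/24 brd 10.0.0.255 scope global eth0\       valid_lft forever preferred_lft forever
3: eth1    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1\       valid_lft forever preferred_lft forever'

# With an argument, check that pair on the running host; otherwise run the two
# pairs from the thread against the constructed samples.
if [ $# -gt 0 ]; then
    check_inline_pair "$1" "$(ip -o link show)" "$(ip -o -4 addr show)"
else
    check_inline_pair eth0:eth1 "$SAMPLE_LINKS" "$SAMPLE_ADDRS"
    check_inline_pair eth0.1:eth1.1 "$SAMPLE_LINKS" "$SAMPLE_ADDRS"
fi
```

On the samples the first pair is rejected because eth0 carries 10.0.0.1/24, and the second passes. The check only covers what is visible inside the guest: it cannot see how the KVM host wires the virtual NICs. If the two interfaces of an inline pair sit on the same host bridge (the same L2 segment), forwarding frames between them creates a loop, so an address-less pair that passes this check still needs the host-side topology confirmed before Snort is started.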

