[Snort-users] Snort-users Digest, Vol 108, Issue 2

Al Lewis (allewi) allewi at ...589...
Sun May 3 19:13:49 EDT 2015


Hello,

What is the command that you are using to start Snort? Please also see the AFPacket section in the DAQ README.

Thanks!

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...589...
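The question above is the right one to ask: in afpacket inline mode the two interfaces named in INTERFACE=a:b are joined into one layer-2 bridge, so a guest that routes through addressed eth0/eth1 loses its own connectivity. The script below is an added example, not code from this thread or from the Snort project; it assumes the CentOS /etc/sysconfig/snort convention, the snort.conf settings quoted later in the thread, and the standard Snort 2.9 command-line options (-Q, --daq, --daq-dir, --daq-mode, --daq-var, -i, -c). The sample ip(8) output and its addresses are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Snort project.
# In afpacket inline mode the two interfaces in INTERFACE=a:b act as one
# layer-2 bridge, so a guest that routes with addresses on eth0/eth1
# loses connectivity; bridge members must be dedicated, addressless ports.

# Constructed sample of `ip -o -4 addr show` output (hypothetical addresses).
SAMPLE_IP_OUTPUT='2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0
3: eth1    inet 198.51.100.10/24 brd 198.51.100.255 scope global eth1'

# Succeed (0) when interface $1 carries an IPv4 address in the ip(8) output $2.
iface_has_ipv4() {
    printf '%s\n' "$2" | awk -v dev="$1" '
        $2 == dev && $3 == "inet" { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Validate an INTERFACE=a:b pair: 2 = malformed value, 1 = a member has an
# IPv4 address, 0 = safe to bridge.
check_inline_pair() {
    pair=$1
    a=${pair%%:*}
    b=${pair#*:}
    if [ "$a" = "$pair" ] || [ -z "$a" ] || [ -z "$b" ]; then
        echo "INTERFACE must be iface:iface, got '$pair'" >&2
        return 2
    fi
    for dev in "$a" "$b"; do
        if iface_has_ipv4 "$dev" "$2"; then
            echo "$dev has an IPv4 address; inline bridge members must be addressless" >&2
            return 1
        fi
    done
    return 0
}

# Foreground command matching the snort.conf settings quoted in the thread
# (afpacket, inline, buffer_size_mb=128), for testing outside the init script.
snort_inline_cmd() {
    printf 'snort -Q --daq afpacket --daq-dir /usr/lib64/daq/ --daq-mode inline --daq-var buffer_size_mb=128 -i %s -c /etc/snort/snort.conf\n' "$1"
}

# Usage: ./check_inline.sh eth0.1:eth1.1  (reads the live ip(8) output)
if [ -n "${1:-}" ]; then
    check_inline_pair "$1" "$(ip -o -4 addr show)" && snort_inline_cmd "$1"
fi
```

Run it with the pair from /etc/sysconfig/snort as its only argument; it refuses addressed members and otherwise prints the foreground command to try before going back to the service.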

From: Abdallah Jabbour [mailto:abdjbr at ...11827...]
Sent: Sunday, May 03, 2015 6:56 PM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort-users Digest, Vol 108, Issue 2

The whole lab is on a KVM host with a regular bridge (bridge-utils on CentOS). It seems that whenever the snort service starts, it bridges the interfaces together, causing the network connections to drop, even if I specify non-IP interfaces:
INTERFACE=eth0.1:eth1.1
where eth0.1 and eth1.1 are two other virtual interfaces on the snort guest with no IP address.
I don't have port mirroring in place (that is why I tried inline mode).

On Mon, May 4, 2015 at 12:34 AM, Abdallah Jabbour <abdjbr at ...11827...> wrote:
Yes, they do!

On Sun, May 3, 2015 at 2:00 PM, <snort-users-request at lists.sourceforge.net> wrote:

Today's Topics:

   1. Re: snort inline mode in CentOS 6.6 (James Lay)


----------------------------------------------------------------------

Message: 1
Date: Sat, 02 May 2015 07:25:22 -0600
From: James Lay <jlay at ...13475...>
Subject: Re: [Snort-users] snort inline mode in CentOS 6.6
To: snort-users at lists.sourceforge.net
Message-ID: <1430573122.4447.1.camel at ...16724...>
Content-Type: text/plain; charset="utf-8"

On Sat, 2015-05-02 at 12:46 +0200, Abdallah Jabbour wrote:
> Hello,
>
> I have installed Snort on CentOS 6.6 in a KVM guest machine; it is a
> router/firewall using iptables. I followed the installation and
> configuration steps and tested the configuration file validity (using
> the -T command-line argument).
>
> I enabled inline mode:
>
> In the configuration file I added and uncommented the following lines:
>
>  config policy_mode:inline
>
>  config daq: afpacket
>  config daq_dir: /usr/lib64/daq/
>  config daq_mode: inline
>  config daq_var: buffer_size_mb=128
>
> and also in /etc/sysconfig/snort:
>
> INTERFACE=eth0:eth1
>
> and started the snort service.
>
> The network connection (locally and to the internet) is dropped; I
> cannot ping any host on the network.
>
> I added some rules to /etc/snort/rules/local.rules
> to see if alerting is working; I can see alerts being written
> to /var/log/snort/alert after I reboot the machine (since there is no
> network connectivity).
>
> I know that inline mode will put the network interfaces eth0 and eth1
> in promiscuous mode and will bridge the network connection to get the
> network traffic. Is there anything I am missing in my setup?
>


Do eth0 and eth1 have IP addresses assigned?

James