[Snort-users] snort inline mode does not capture traffic destined to other machine on the internal network

Abdallah Jabbour abdjbr at ...11827...
Fri May 8 12:16:13 EDT 2015


Hello,

I have set up Snort in inline mode and tested it by adding a rule in
/etc/snort/rules/local.rules:
alert icmp any any -> any any (msg:"Ping Testing"; sid:1000003;rev:1;)


I am running Snort as a service and I added two pairs of network interfaces
to /etc/sysconfig/snort:
INTERFACE="eth0:eth0.1::eth1:eth1.1"
where eth0.1 and eth1.1 do not have an IP address, and I have enabled
promiscuous mode for all network interfaces.

But in /var/log/snort/alert I get alerts from the previously defined rule only
when I ping an external host or when I ping one of the interfaces of the
Snort machine.

I can confirm from /var/log/messages that Snort is running in inline mode and
acquiring network traffic from all network interfaces:

 afpacket DAQ configured to inline.
 Acquiring network traffic from "eth0:eth0.1::eth1:eth1.1".
 Initializing daemon mode
 Daemon initialized, signaled parent pid: 1726
 Reload thread starting...
 Reload thread started, thread 0x7f2f0055c700 (1746)
 Checking PID path...
PID path stat checked out ok, PID path set to /var/run/
 Writing PID "1745" to file "/var/run//snort_eth0:eth0.1::eth1:eth1.1.pid"

        --== Initialization Complete ==--
 Commencing packet processing (pid=1745)
 Decoding Ethernet
 device eth1.1 entered promiscuous mode
 device eth1 entered promiscuous mode
 device eth0.1 entered promiscuous mode
 device eth0 entered promiscuous mode

I cannot get any traffic from local hosts pinging each other (on the internal
network).

Please assist.