[Snort-users] snort inline mode does not capture traffic destined to other machine on the internal network
Al Lewis (allewi)
allewi at ...589...
Fri May 8 13:07:06 EDT 2015
I think your issue is caused by attempting to use the main interfaces to talk through the subinterfaces.
Are you able to pass traffic with just “eth0:eth1”?
Have you tried not using the main interfaces and creating two subinterfaces on each side?
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...589...
From: Abdallah Jabbour [mailto:abdjbr at ...11827...]
Sent: Friday, May 08, 2015 12:16 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] snort inline mode does not capture traffic destined to other machine on the internal network
I have set up Snort in inline mode and tested it by adding a rule in /etc/snort/rules/local.rules:
alert icmp any any -> any any (msg:"Ping Testing"; sid:1000003;rev:1;)
I am running Snort as a service and I added two pairs of network interfaces to /etc/sysconfig/snort,
where eth0.1 and eth1.1 do not have an IP address, and I have enabled promiscuous mode for all network interfaces.
But in /var/log/snort/alert I get alerts from the previously defined rule only when I ping an external host or when I ping one of the interfaces of the Snort machine.
I can confirm that Snort is running in inline mode and acquiring network traffic from all network interfaces, from /var/log/messages:
afpacket DAQ configured to inline.
Acquiring network traffic from "eth0:eth0.1::eth1:eth1.1".
Initializing daemon mode
Daemon initialized, signaled parent pid: 1726
Reload thread starting...
Reload thread started, thread 0x7f2f0055c700 (1746)
Checking PID path...
PID path stat checked out ok, PID path set to /var/run/
Writing PID "1745" to file "/var/run//snort_eth0:eth0.1::eth1:eth1.1.pid"
--== Initialization Complete ==--
Commencing packet processing (pid=1745)
device eth1.1 entered promiscuous mode
device eth1 entered promiscuous mode
device eth0.1 entered promiscuous mode
device eth0 entered promiscuous mode
I cannot get any traffic from local hosts pinging each other (on the internal network).
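To make the configuration problem the reply points at easy to spot, here is a small added example (not from the thread or from the Snort project) that parses the afpacket inline interface string shown in the log line above and flags a bridge pair that joins a main interface with its own VLAN subinterface. The pair syntax it assumes is the documented afpacket form: members of a pair separated by ":" and pairs separated by "::".

```python
import re

# Constructed sample: the interface string from the log line in the post.
SAMPLE_IFACE_SPEC = "eth0:eth0.1::eth1:eth1.1"


def parse_afpacket_pairs(spec):
    """Split an afpacket inline interface spec into (iface_a, iface_b) pairs.

    Snort's afpacket DAQ separates bridge pairs with '::' and the two
    members of one pair with ':' (e.g. "eth0:eth1::eth2:eth3").
    """
    pairs = []
    for chunk in spec.split("::"):
        members = chunk.split(":")
        if len(members) != 2 or not all(members):
            raise ValueError(f"malformed bridge pair: {chunk!r}")
        pairs.append((members[0], members[1]))
    return pairs


def is_vlan_subinterface_of(sub, parent):
    """True when `sub` is a Linux VLAN subinterface name of `parent`
    (e.g. "eth0.1" is a subinterface of "eth0")."""
    return re.fullmatch(re.escape(parent) + r"\.\d+", sub) is not None


def check_pairs(pairs):
    """Return warnings for bridge pairs that are unlikely to forward traffic
    the way the poster expects. The main-interface/subinterface case is the
    one the reply identifies; the other two are ordinary sanity checks."""
    warnings = []
    seen = set()
    for a, b in pairs:
        if a == b:
            warnings.append(f"{a}:{b} pairs an interface with itself")
        elif is_vlan_subinterface_of(a, b) or is_vlan_subinterface_of(b, a):
            warnings.append(
                f"{a}:{b} bridges a main interface with its own VLAN "
                "subinterface; try a plain pair such as eth0:eth1 or one "
                "subinterface on each side instead")
        for iface in (a, b):
            if iface in seen:
                warnings.append(f"{iface} appears in more than one pair")
            seen.add(iface)
    return warnings


if __name__ == "__main__":
    for line in check_pairs(parse_afpacket_pairs(SAMPLE_IFACE_SPEC)):
        print("WARNING:", line)
```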