[Snort-users] snort inline mode does not capture traffic destined to other machine on the internal network

Al Lewis (allewi) allewi at ...589...
Fri May 8 13:07:06 EDT 2015


I think your issue is caused by attempting to use the main interfaces to talk through the subinterfaces.

Are you able pass traffic with just “eth0:eth1”?

Have you tried not using the main interfaces and creating two subinterfaces on each side?



Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...589...

From: Abdallah Jabbour [mailto:abdjbr at ...11827...]
Sent: Friday, May 08, 2015 12:16 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] snort inline mode does not capture traffic destined to other machine on the internal network

Hello ,
i have setup snort in inline mode and tested it by adding  a rule in /etc/snort/rules/local.rules :
alert icmp any any -> any any (msg:"Ping Testing"; sid:1000003;rev:1;)

i am running snort as a service and i added two pairs of network interfaces to to /etc/sysconfig/snort
INTERFACE="eth0:eth0.1::eth1:eth1.1"
where eth0.1 and eth1.1 does not have IP address and have enabled promiscuous mode for all network interfaces
but in /var/log/snort/alert i  get alert from previously defined rule only when i ping an external host or when i ping one of the interfaces of the snort machine
i can confirm than snort is running in inline mode and acquiring network traffic from all network interfaces from /var/log/messages

 afpacket DAQ configured to inline.
 Acquiring network traffic from "eth0:eth0.1::eth1:eth1.1".
 Initializing daemon mode
 Daemon initialized, signaled parent pid: 1726
 Reload thread starting...
 Reload thread started, thread 0x7f2f0055c700 (1746)
 Checking PID path...
PID path stat checked out ok, PID path set to /var/run/
 Writing PID "1745" to file "/var/run//snort_eth0:eth0.1::eth1:eth1.1.pid"

        --== Initialization Complete ==--
 Commencing packet processing (pid=1745)
 Decoding Ethernet
 device eth1.1 entered promiscuous mode
 device eth1 entered promiscuous mode
 device eth0.1 entered promiscuous mode
 device eth0 entered promiscuous mode
i cannot get any traffic local hosts pinging each other ( on the internal network ) .
please assist
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20150508/4c2ebc06/attachment.html>


More information about the Snort-users mailing list