[Snort-users] snort inline mode does not capture traffic destined to other machine on the internal network

Abdallah Jabbour abdjbr at ...11827...
Fri May 8 14:01:24 EDT 2015


There is no subinterface; all interfaces are main ones: two with an IP { eth0 (internal interface), eth1 (external interface) } and the others without an IP (eth0.1 and eth1.1). I just manipulated the names of the interfaces (instead of eth3 and eth4 I used eth0.1 and eth1.1); a subinterface would be named eth0:1.

I tried to use eth0:eth1 (internal:external), but this will cause the connection to the internet to drop, and if I used this I would also only get traffic destined to the internet.

On Fri, May 8, 2015 at 7:07 PM, Al Lewis (allewi) <allewi at ...589...> wrote:

>  I think your issue is caused by attempting to use the main interfaces to
> talk through the subinterfaces.
>
> Are you able to pass traffic with just “eth0:eth1”?
>
> Have you tried not using the main interfaces and creating two
> subinterfaces on each side?
>
> Albert Lewis
> QA Software Engineer
> SOURCEfire, Inc. now part of Cisco
> 9780 Patuxent Woods Drive
> Columbia, MD 21046
> Phone: (office) 443.430.7112
> Email: allewi at ...589...
>
> From: Abdallah Jabbour [mailto:abdjbr at ...11827...]
> Sent: Friday, May 08, 2015 12:16 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] snort inline mode does not capture traffic
> destined to other machine on the internal network
>
> Hello,
>
> I have set up Snort in inline mode and tested it by adding a rule in
> /etc/snort/rules/local.rules :
> alert icmp any any -> any any (msg:"Ping Testing"; sid:1000003;rev:1;)
>
> I am running Snort as a service and I added two pairs of network
> interfaces to /etc/sysconfig/snort
> INTERFACE="eth0:eth0.1::eth1:eth1.1"
>
> where eth0.1 and eth1.1 do not have an IP address, and I have enabled
> promiscuous mode for all network interfaces.
>
> But in /var/log/snort/alert I get an alert from the previously defined rule only
> when I ping an external host or when I ping one of the interfaces of the
> Snort machine.
>
> I can confirm that Snort is running in inline mode and acquiring network
> traffic from all network interfaces from /var/log/messages:
>
>  afpacket DAQ configured to inline.
>  Acquiring network traffic from "eth0:eth0.1::eth1:eth1.1".
>  Initializing daemon mode
>  Daemon initialized, signaled parent pid: 1726
>  Reload thread starting...
>  Reload thread started, thread 0x7f2f0055c700 (1746)
>  Checking PID path...
> PID path stat checked out ok, PID path set to /var/run/
>  Writing PID "1745" to file "/var/run//snort_eth0:eth0.1::eth1:eth1.1.pid"
>
>         --== Initialization Complete ==--
>  Commencing packet processing (pid=1745)
>  Decoding Ethernet
>  device eth1.1 entered promiscuous mode
>  device eth1 entered promiscuous mode
>  device eth0.1 entered promiscuous mode
>  device eth0 entered promiscuous mode
>
> I cannot get any traffic from local hosts pinging each other (on the internal
> network).
>
> Please assist.
>
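As an added example (not from the thread or from the Snort project), a small shell checker for the afpacket INTERFACE pair spec used above, `eth0:eth0.1::eth1:eth1.1`: it parses the `::` / `:` syntax, shows why an alias-style name such as eth0:1 cannot be expressed in it, and flags interfaces reused across pairs. Function names and diagnostics are my own, and the device check assumes a Linux /sys/class/net.

```shell
#!/usr/bin/env bash
# Validate a Snort afpacket inline INTERFACE spec (the value set in
# /etc/sysconfig/snort), e.g. "eth0:eth0.1::eth1:eth1.1": "::" separates
# bridged pairs, ":" the two members of a pair.  Snort only inspects frames
# that enter one member and leave via the other; traffic that never crosses
# a pair is invisible to it.

# Print one diagnostic per problem; return the problem count (0 = clean).
check_afpacket_spec() {
    local rest="$1" pair left right ifc seen=" " problems=0
    while [ -n "$rest" ]; do
        pair="${rest%%::*}"
        if [ "$pair" = "$rest" ]; then rest=""; else rest="${rest#*::}"; fi
        left="${pair%%:*}"; right="${pair#*:}"
        # Exactly two names joined by one ":"; an alias-style name such as
        # eth0:1 cannot be used, its ":" is consumed as the separator.
        if [ "$pair" = "$left" ] || [ -z "$left" ] || [ -z "$right" ] \
           || [ "${right#*:}" != "$right" ]; then
            echo "bad pair '$pair': need exactly two interface names joined by ':'"
            problems=$((problems + 1)); continue
        fi
        if [ "$left" = "$right" ]; then
            echo "bad pair '$pair': bridges $left to itself"
            problems=$((problems + 1)); continue
        fi
        for ifc in "$left" "$right"; do   # each interface may belong to one pair only
            case "$seen" in
                *" $ifc "*) echo "$ifc appears in more than one pair"
                            problems=$((problems + 1)) ;;
            esac
            seen="$seen$ifc "
        done
    done
    return "$problems"
}

# On the sensor: report members with no device under /sys/class/net
# (a name like eth0.1 exists only if created).  No-op elsewhere.
missing_ifaces() {
    local name
    [ -d /sys/class/net ] || return 0
    for name in $(printf '%s' "$1" | tr ':' ' '); do
        [ -e "/sys/class/net/$name" ] || echo "$name: no such interface"
    done
}

# Demo: the spec from the thread, then one that smuggles an alias-style name.
check_afpacket_spec "eth0:eth0.1::eth1:eth1.1" && echo "eth0:eth0.1::eth1:eth1.1 parses cleanly"
check_afpacket_spec "eth0:1:eth1" || echo "$? problem(s) in eth0:1:eth1"
```

Run it on the sensor with the INTERFACE value before restarting the service; a clean parse does not by itself mean the hosts you want to watch send frames through one of the pairs.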