[Snort-users] snort inline mode does not capture traffic destined to other machine on the internal network

Abdallah Jabbour abdjbr at ...11827...
Fri May 8 14:27:32 EDT 2015


Also, if I add a subinterface and in /etc/sysconfig/snort I amend the
INTERFACE directive:
INTERFACE="eth0:eth0:1"

and start snort, it will throw an error:

FATAL ERROR: Can't initialize DAQ afpacket (-1) - afpacket_daq_initialize:
Couldn't create the bridge between eth0 and eth0!

It seems that snort does not parse the subinterface in the INTERFACES
directive.

On Fri, May 8, 2015 at 8:01 PM, Abdallah Jabbour <abdjbr at ...11827...> wrote:

> There is no subinterface; all interfaces are the main two with IP { eth0 (
> internal interface ), eth1 ( external interface ) } and the others without
> IP ( eth0.1 and eth1.1 ). I just manipulated the names of the interfaces
> (instead of eth3 and eth4 I used eth0.1 and eth1.1 ). The subinterface would
> be named: eth0:1
>
> I tried to use eth0:eth1 ( internal:external ) but this will cause it to drop
> the connection with the internet, and if I used this I also would get only
> traffic destined to the internet.
>
> On Fri, May 8, 2015 at 7:07 PM, Al Lewis (allewi) <allewi at ...589...>
> wrote:
>
>> I think your issue is caused by attempting to use the main interfaces
>> to talk through the subinterfaces.
>>
>> Are you able to pass traffic with just “eth0:eth1”?
>>
>> Have you tried not using the main interfaces and creating two
>> subinterfaces on each side?
>>
>> Albert Lewis
>> QA Software Engineer
>> SOURCE*fire*, Inc. now part of *Cisco*
>> 9780 Patuxent Woods Drive
>> Columbia, MD 21046
>> Phone: (office) 443.430.7112
>> Email: allewi at ...589...
>>
>> *From:* Abdallah Jabbour [mailto:abdjbr at ...11827...]
>> *Sent:* Friday, May 08, 2015 12:16 PM
>> *To:* snort-users at lists.sourceforge.net
>> *Subject:* [Snort-users] snort inline mode does not capture traffic
>> destined to other machine on the internal network
>>
>> Hello,
>>
>> I have set up snort in inline mode and tested it by adding a rule in
>> /etc/snort/rules/local.rules :
>> alert icmp any any -> any any (msg:"Ping Testing"; sid:1000003;rev:1;)
>>
>> I am running snort as a service and I added two pairs of network
>> interfaces to /etc/sysconfig/snort
>> INTERFACE="eth0:eth0.1::eth1:eth1.1"
>>
>> where eth0.1 and eth1.1 do not have an IP address, and I have enabled
>> promiscuous mode for all network interfaces.
>>
>> But in /var/log/snort/alert I get alerts from the previously defined rule
>> only when I ping an external host or when I ping one of the interfaces of
>> the snort machine.
>>
>> I can confirm that snort is running in inline mode and acquiring network
>> traffic from all network interfaces from /var/log/messages:
>>
>>  afpacket DAQ configured to inline.
>>  Acquiring network traffic from "eth0:eth0.1::eth1:eth1.1".
>>  Initializing daemon mode
>>  Daemon initialized, signaled parent pid: 1726
>>  Reload thread starting...
>>  Reload thread started, thread 0x7f2f0055c700 (1746)
>>  Checking PID path...
>> PID path stat checked out ok, PID path set to /var/run/
>>  Writing PID "1745" to file "/var/run//snort_eth0:eth0.1::eth1:eth1.1.pid"
>>
>>         --== Initialization Complete ==--
>>  Commencing packet processing (pid=1745)
>>  Decoding Ethernet
>>  device eth1.1 entered promiscuous mode
>>  device eth1 entered promiscuous mode
>>  device eth0.1 entered promiscuous mode
>>  device eth0 entered promiscuous mode
>>
>> I cannot get any traffic from local hosts pinging each other ( on the internal
>> network ).
>>
>> Please assist.
>>
>
>
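Added example (not code from this thread or from Snort/DAQ): a Python model of how the afpacket DAQ splits the INTERFACE string, written to reproduce the two errors discussed above. It assumes the DAQ tokenises on ':' (so '::' is just an empty token, not a separate pair marker), bridges consecutive names in inline mode, and rejects names of IFNAMSIZ or more characters.

```python
# Model of afpacket DAQ interface-spec parsing (assumption: ':' is the only
# separator, empty tokens are skipped, inline mode pairs consecutive names).
IFNAMSIZ = 16  # Linux interface-name limit, including the NUL terminator


def parse_afpacket_spec(spec: str, inline: bool = True) -> list:
    """Return (left, right) bridge pairs in inline mode, or one-tuples of
    names in passive mode. Raise ValueError with a DAQ-style message."""
    if not spec or spec.startswith(":") or spec.endswith(":"):
        raise ValueError(f"Invalid interface specification: '{spec}'!")
    if not inline and "::" in spec:
        # Pair notation is meaningless when nothing is bridged.
        raise ValueError(f"Invalid interface specification: '{spec}'!")
    names = [tok for tok in spec.split(":") if tok]  # '::' yields an empty token
    for name in names:
        if len(name) >= IFNAMSIZ:
            raise ValueError(f"Interface name too long! ({len(name)})")
    if not inline:
        return [(n,) for n in names]
    pairs = []
    for i in range(0, len(names) - 1, 2):
        left, right = names[i], names[i + 1]
        if left == right:
            # Both tokens name the same device, so there is no peer to bridge to.
            # This is what "eth0:eth0:1" turns into: eth0, eth0 and a stray "1".
            raise ValueError(f"Couldn't create the bridge between {left} and {right}!")
        pairs.append((left, right))
    if len(names) % 2:
        # A leftover unbridged interface is an error in inline mode.
        raise ValueError(f"Invalid interface specification: '{spec}'!")
    return pairs


def explain(spec: str, inline: bool = True) -> str:
    """One-line summary of what the DAQ would do with SPEC."""
    try:
        result = parse_afpacket_spec(spec, inline)
    except ValueError as err:
        return f"FATAL: {err}"
    if not inline:
        return "captures on " + ", ".join(n for (n,) in result)
    return "bridges " + ", ".join(f"{a}<->{b}" for a, b in result)


if __name__ == "__main__":
    for s in ("eth0:eth0.1::eth1:eth1.1", "eth0:eth0:1", "eth0:eth1:eth2"):
        print(f"{s:28} -> {explain(s)}")
```

The thread's original string parses cleanly into two bridges, so the missing alerts are not a parsing problem; an alias written as "eth0:1" cannot be expressed at all because ':' is the separator. Snort only sees frames that actually cross one of those bridges, so internal hosts talking to each other through the switch never reach it.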