[Snort-users] snort inline mode does not capture traffic destined to other machine on the internal network

Gregory W. MacPherson greg at ...15873...
Sat May 9 12:30:24 EDT 2015


Aren't subinterfaces supposed to be defined with a period (.) rather
than with a colon (:)?

On or about 2015.05.08 20:27:32 +0200, Abdallah Jabbour (abdjbr at ...11827...) said:

> Also, if I add a subinterface and in /etc/sysconfig/snort I amend the
> INTERFACE directive:
> INTERFACE="eth0:eth0:1"
> 
> and start Snort, it will throw an error:
> 
> FATAL ERROR: Can't initialize DAQ afpacket (-1) - afpacket_daq_initialize:
> Couldn't create the bridge between eth0 and eth0!
> 
> It seems that Snort does not parse the subinterface in the INTERFACE
> directive.
> 
> On Fri, May 8, 2015 at 8:01 PM, Abdallah Jabbour <abdjbr at ...11827...> wrote:
> 
> > There is no subinterface; all interfaces are the main two with an IP { eth0 (
> > internal interface ), eth1 ( external interface ) } and the others without
> > an IP ( eth0.1 and eth1.1 ). I just manipulated the names of the interfaces
> > (instead of eth3 and eth4 I used eth0.1 and eth1.1); the subinterface would
> > be named eth0:1.
> >
> > I tried to use eth0:eth1 ( internal:external ), but this will cause the
> > connection to the internet to drop, and if I used this I would also get only
> > traffic destined to the internet.
> >
> > On Fri, May 8, 2015 at 7:07 PM, Al Lewis (allewi) <allewi at ...589...>
> > wrote:
> >
> >> I think your issue is caused by attempting to use the main interfaces
> >> to talk through the subinterfaces.
> >>
> >> Are you able to pass traffic with just "eth0:eth1"?
> >>
> >> Have you tried not using the main interfaces and creating two
> >> subinterfaces on each side?
> >>
> >> Albert Lewis
> >> QA Software Engineer
> >> SOURCE*fire*, Inc. now part of *Cisco*
> >> 9780 Patuxent Woods Drive
> >> Columbia, MD 21046
> >> Phone: (office) 443.430.7112
> >> Email: allewi at ...589...
> >>
> >> *From:* Abdallah Jabbour [mailto:abdjbr at ...11827...]
> >> *Sent:* Friday, May 08, 2015 12:16 PM
> >> *To:* snort-users at lists.sourceforge.net
> >> *Subject:* [Snort-users] snort inline mode does not capture traffic
> >> destined to other machine on the internal network
> >>
> >> Hello ,
> >>
> >> I have set up Snort in inline mode and tested it by adding a rule in
> >> /etc/snort/rules/local.rules:
> >> alert icmp any any -> any any (msg:"Ping Testing"; sid:1000003;rev:1;)
> >>
> >> I am running Snort as a service and I added two pairs of network
> >> interfaces to /etc/sysconfig/snort:
> >> INTERFACE="eth0:eth0.1::eth1:eth1.1"
> >>
> >> where eth0.1 and eth1.1 do not have an IP address, and I have enabled
> >> promiscuous mode on all network interfaces.
> >>
> >> But in /var/log/snort/alert I get an alert from the previously defined rule
> >> only when I ping an external host or when I ping one of the interfaces of
> >> the Snort machine.
> >>
> >> I can confirm from /var/log/messages that Snort is running in inline mode
> >> and acquiring network traffic from all network interfaces:
> >>
> >>  afpacket DAQ configured to inline.
> >>  Acquiring network traffic from "eth0:eth0.1::eth1:eth1.1".
> >>  Initializing daemon mode
> >>  Daemon initialized, signaled parent pid: 1726
> >>  Reload thread starting...
> >>  Reload thread started, thread 0x7f2f0055c700 (1746)
> >>  Checking PID path...
> >> PID path stat checked out ok, PID path set to /var/run/
> >>  Writing PID "1745" to file "/var/run//snort_eth0:eth0.1::eth1:eth1.1.pid"
> >>
> >>         --== Initialization Complete ==--
> >>  Commencing packet processing (pid=1745)
> >>  Decoding Ethernet
> >>  device eth1.1 entered promiscuous mode
> >>  device eth1 entered promiscuous mode
> >>  device eth0.1 entered promiscuous mode
> >>  device eth0 entered promiscuous mode
> >>
> >> I cannot get any traffic from local hosts pinging each other (on the internal
> >> network).
> >>
> >> Please assist.
> >>
> >
> >


> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> 
> Please visit http://blog.snort.org to stay current on all the latest Snort news!


-- 
Gregory W. MacPherson, CISSP, Security+, ITIL, Etc.
Founder, IT Security Expert, Global Network Security Exploitation Specialist
http://www.constellationsecurity.com/greg/
wickr: statesman (whitelist mode)
People are bad, therefore we need big government, made up of...PEOPLE!!!
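Editor's note with an added example (this is not code from Snort, from the DAQ library, or from anyone in the thread). The INTERFACE strings above are fed through a small checker that tokenizes them the way I read the afpacket DAQ's interface parsing, which I state here as an assumption: the string is split on ':', empty tokens (the '::' between pairs) are skipped, and in inline mode each two consecutive names are bridged. That rule alone reproduces the failure Abdallah hit: "eth0:eth0:1" becomes the three names eth0, eth0 and 1, the first two are bridged to each other, and the DAQ reports "Couldn't create the bridge between eth0 and eth0". It also makes Greg's point concrete: "eth0:1" is an ifconfig IP alias on eth0, not a separate kernel net device, so AF_PACKET cannot bind it, whereas "eth0.1" (e.g. `ip link add link eth0 name eth0.1 type vlan id 1`) is a real device. One caveat the checker cannot see: an inline afpacket pair only forwards and inspects frames that actually cross it, so two internal hosts pinging each other across the same switch never traverse eth0/eth0.1 and produce no alert unless the sensor is physically in their path.

```python
"""Check a Snort afpacket INTERFACE string before starting the sensor.

Added example for this thread; not Snort or DAQ code. The tokenizing rule
below is my reading of how the afpacket DAQ parses its interface string,
stated as an assumption: ':' separates names, empty tokens (from '::') are
skipped, and in inline mode consecutive names are bridged in pairs.
"""
from collections import Counter


def tokenize(spec):
    """Split an INTERFACE value as afpacket does: "a:b::c:d" -> ["a", "b", "c", "d"]."""
    return [tok for tok in spec.split(":") if tok]


def pair_up(tokens):
    """Bridge consecutive names; an odd trailing name is left without a partner."""
    pairs = [(tokens[i], tokens[i + 1]) for i in range(0, len(tokens) - 1, 2)]
    leftover = tokens[-1] if len(tokens) % 2 else None
    return pairs, leftover


def check_spec(spec):
    """Return (pairs, problems).

    An empty problems list means the string pairs up cleanly; it does not
    prove that the named devices exist on the host.
    """
    tokens = tokenize(spec)
    problems = []

    # "eth0:1" is an ifconfig IP alias, not a kernel net device; after the
    # split on ':' its suffix survives as a bare numeric token.
    for tok in tokens:
        if tok.isdigit():
            problems.append(
                f"'{tok}' looks like the tail of an alias (ethX:{tok}); aliases "
                f"cannot be bound by AF_PACKET, use a VLAN sub-interface "
                f"(ethX.{tok}) or a separate NIC")

    pairs, leftover = pair_up(tokens)
    for a, b in pairs:
        if a == b:
            problems.append(f"pair {a}:{b}: cannot bridge an interface to itself")
    if leftover is not None:
        problems.append(f"'{leftover}' has no partner interface")

    # An interface bridged in two different pairs is also a misconfiguration
    # (self-pairs were already reported above).
    for name, count in Counter(tokens).items():
        if count > 1 and not any(a == b == name for a, b in pairs):
            problems.append(f"'{name}' is used in more than one pair")

    return pairs, problems


if __name__ == "__main__":
    # The three strings that appear in the thread.
    for spec in ("eth0:eth0.1::eth1:eth1.1", "eth0:eth1", "eth0:eth0:1"):
        pairs, problems = check_spec(spec)
        print(spec, "->", pairs)
        for problem in problems:
            print("   !", problem)
```

Run it as a script to see the three strings from the thread; the first two pair cleanly and the third produces the alias, self-bridge and unpaired-name findings. Whether a clean pair actually carries the traffic you care about is a topology question, not a syntax one.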



