[Snort-users] snort inline mode does not capture traffic destined to other machine on the internal network

Abdallah Jabbour abdjbr at ...11827...
Sun May 10 05:28:56 EDT 2015


Hello Gregory,

Yes, the subinterface should be defined with a period, but as I mentioned,
when doing INTERFACE="eth0:eth0:1" snort tries to bridge eth0 with eth0
and does not recognize ":" and gives an error:

FATAL ERROR: Can't initialize DAQ afpacket (-1) - afpacket_daq_initialize:
 Couldn't create the bridge between eth0 and eth0!

So I used the main interface instead of the subinterface.

On Sat, May 9, 2015 at 6:30 PM, Gregory W. MacPherson <
greg at ...15873...> wrote:

> Aren't subinterfaces supposed to be defined with a period (.) rather
> than with a colon (:)?
>
> On or about 2015.05.08 20:27:32 +0200, Abdallah Jabbour (abdjbr at ...11827...)
> said:
>
> > Also, if I add a subinterface and in /etc/sysconfig/snort I amend the
> > INTERFACE directive:
> > INTERFACE="eth0:eth0:1"
> >
> > and start snort, it will throw an error:
> >
> > FATAL ERROR: Can't initialize DAQ afpacket (-1) - afpacket_daq_initialize:
> > Couldn't create the bridge between eth0 and eth0!
> >
> > It seems that snort does not parse the subinterface in the INTERFACE
> > directive.
> >
> > On Fri, May 8, 2015 at 8:01 PM, Abdallah Jabbour <abdjbr at ...11827...>
> wrote:
> >
> > > There is no subinterface, all interfaces are the main two with IP { eth0 (
> > > internal interface ) eth1 ( external interface ) } and the others without
> > > IP ( eth0.1 and eth1.1 ). I just manipulated the names of the interfaces
> > > (instead of eth3 and eth4 I used eth0.1 and eth1.1 ). The subinterface would
> > > be named: eth0:1
> > >
> > > I tried to use eth0:eth1 ( internal:external ) but this causes the
> > > connection with the internet to drop, and if I used this I would also get
> > > only traffic destined to the internet.
> > >
> > > On Fri, May 8, 2015 at 7:07 PM, Al Lewis (allewi) <allewi at ...589...>
> > > wrote:
> > >
> > >> I think your issue is caused by attempting to use the main interfaces
> > >> to talk through the subinterfaces.
> > >>
> > >> Are you able to pass traffic with just "eth0:eth1"?
> > >>
> > >> Have you tried not using the main interfaces and creating two
> > >> subinterfaces on each side?
> > >>
> > >> Albert Lewis
> > >> QA Software Engineer
> > >> SOURCE*fire*, Inc. now part of *Cisco*
> > >> 9780 Patuxent Woods Drive
> > >> Columbia, MD 21046
> > >> Phone: (office) 443.430.7112
> > >> Email: allewi at ...589...
> > >>
> > >> *From:* Abdallah Jabbour [mailto:abdjbr at ...11827...]
> > >> *Sent:* Friday, May 08, 2015 12:16 PM
> > >> *To:* snort-users at lists.sourceforge.net
> > >> *Subject:* [Snort-users] snort inline mode does not capture traffic
> > >> destined to other machine on the internal network
> > >>
> > >> Hello,
> > >>
> > >> I have set up snort in inline mode and tested it by adding a rule in
> > >> /etc/snort/rules/local.rules:
> > >> alert icmp any any -> any any (msg:"Ping Testing"; sid:1000003;rev:1;)
> > >>
> > >> I am running snort as a service and I added two pairs of network
> > >> interfaces to /etc/sysconfig/snort:
> > >> INTERFACE="eth0:eth0.1::eth1:eth1.1"
> > >>
> > >> where eth0.1 and eth1.1 do not have an IP address, and I have enabled
> > >> promiscuous mode for all network interfaces.
> > >>
> > >> But in /var/log/snort/alert I get an alert from the previously defined rule
> > >> only when I ping an external host or when I ping one of the interfaces of
> > >> the snort machine.
> > >>
> > >> I can confirm that snort is running in inline mode and acquiring network
> > >> traffic from all network interfaces, from /var/log/messages:
> > >>
> > >>  afpacket DAQ configured to inline.
> > >>  Acquiring network traffic from "eth0:eth0.1::eth1:eth1.1".
> > >>  Initializing daemon mode
> > >>  Daemon initialized, signaled parent pid: 1726
> > >>  Reload thread starting...
> > >>  Reload thread started, thread 0x7f2f0055c700 (1746)
> > >>  Checking PID path...
> > >> PID path stat checked out ok, PID path set to /var/run/
> > >>  Writing PID "1745" to file "/var/run//snort_eth0:eth0.1::eth1:eth1.1.pid"
> > >>
> > >>         --== Initialization Complete ==--
> > >>  Commencing packet processing (pid=1745)
> > >>  Decoding Ethernet
> > >>  device eth1.1 entered promiscuous mode
> > >>  device eth1 entered promiscuous mode
> > >>  device eth0.1 entered promiscuous mode
> > >>  device eth0 entered promiscuous mode
> > >>
> > >> I cannot get any traffic from local hosts pinging each other ( on the
> > >> internal network ).
> > >>
> > >> Please assist.
> > >>
> > >
> > >
>
> >
>
>
> --
> Gregory W. MacPherson, CISSP, Security+, ITIL, Etc.
> Founder, IT Security Expert, Global Network Security Exploitation
> Specialist
> http://www.constellationsecurity.com/greg/
> wickr: statesman (whitelist mode)
> People are bad, therefore we need big government, made up of...PEOPLE!!!
>
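Added example, not code from the thread or from the Snort project: a small Python emulation of how the afpacket DAQ's INTERFACE string is split, which shows why "eth0:eth0:1" is reported as a bridge between eth0 and eth0 while "eth0:eth0.1::eth1:eth1.1" yields two clean pairs. It assumes, as the thread's working spec implies, that ':' separates interface names, '::' separates pairs, and inline mode bridges each consecutive pair of names; the unpaired-interface message is a hypothetical wording, not the DAQ's own.

```python
# Emulation of afpacket DAQ interface-string parsing (added example, assumption:
# ':' separates names, '::' separates pairs, inline mode bridges consecutive names).
IFNAMSIZ = 16  # Linux interface name limit, including the terminating NUL byte


def parse_afpacket_spec(spec):
    """Return the list of (a, b) bridges an inline INTERFACE spec would create.

    Raises ValueError with a message modelled on the DAQ's own errors when the
    spec cannot be bridged.
    """
    if not spec or spec.startswith(":") or spec.endswith(":"):
        raise ValueError("Invalid interface specification: %r" % spec)

    # Splitting on ':' turns the pair separator '::' into an empty token, which is
    # skipped. An alias such as eth0:1 is split too, so its ':1' becomes a token.
    names = [tok for tok in spec.split(":") if tok]
    for name in names:
        if len(name) >= IFNAMSIZ:
            raise ValueError("Interface name too long: %r" % name)

    pairs = []
    for a, b in zip(names[0::2], names[1::2]):
        if a == b:
            # This is exactly what 'eth0:eth0:1' produces: eth0, eth0, 1
            raise ValueError("Couldn't create the bridge between %s and %s!" % (a, b))
        pairs.append((a, b))
    if len(names) % 2:
        # Hypothetical message: the real DAQ also rejects an odd interface count
        raise ValueError("Interface %r has no partner to bridge with" % names[-1])
    return pairs


if __name__ == "__main__":
    # The three specs discussed in the thread
    for spec in ("eth0:eth0.1::eth1:eth1.1", "eth0:eth1", "eth0:eth0:1"):
        try:
            print(spec, "->", parse_afpacket_spec(spec))
        except ValueError as err:
            print(spec, "-> FATAL:", err)
```

Because the alias name itself contains the separator, no quoting makes eth0:1 usable in this spec; a period-style name such as eth0.1 (or a separate real interface) is what the DAQ can pair.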