[Snort-users] snort inline mode does not capture traffic destined to other machine on the internal network

Abdallah Jabbour abdjbr at ...11827...
Sun May 10 10:59:35 EDT 2015


Sorry, I got confused: NO subinterface should be defined with ":".
http://www.vincentverhagen.nl/2007/12/08/how-to-create-an-ethernet-subinterface-on-rhel-5-centos-5/

On Sun, May 10, 2015 at 11:28 AM, Abdallah Jabbour <abdjbr at ...11827...> wrote:

> Hello Gregory ,
>
>
> Yes, the subinterface should be defined with a period, but as I mentioned,
> when doing INTERFACE="eth0:eth0:1" snort tries to bridge eth0 with eth0
> and does not recognize ":" and gives an error:
>
> FATAL ERROR: Can't initialize DAQ afpacket (-1) - afpacket_daq_initialize:
>  Couldn't create the bridge between eth0 and eth0!
>
> so I used the main interface instead of the subinterface.
>
> On Sat, May 9, 2015 at 6:30 PM, Gregory W. MacPherson <
> greg at ...15873...> wrote:
>
>> Aren't subinterfaces supposed to be defined with a period (.) rather
>> than with a colon (:)?
>>
>> On or about 2015.05.08 20:27:32 +0200, Abdallah Jabbour (abdjbr at ...11827...)
>> said:
>>
>> > Also, if I add a subinterface and in /etc/sysconfig/snort I amend the
>> > INTERFACE directive:
>> > INTERFACE="eth0:eth0:1"
>> >
>> > and start snort, it will throw an error:
>> >
>> > FATAL ERROR: Can't initialize DAQ afpacket (-1) - afpacket_daq_initialize:
>> > Couldn't create the bridge between eth0 and eth0!
>> >
>> > It seems that snort does not parse the subinterface in the INTERFACES
>> > directive.
>> > On Fri, May 8, 2015 at 8:01 PM, Abdallah Jabbour <abdjbr at ...11827...>
>> wrote:
>> >
>> > > There is no subinterface; all interfaces are the main two with IP { eth0
>> > > (internal interface), eth1 (external interface) } and the others without
>> > > IP (eth0.1 and eth1.1). I just manipulated the names of the interfaces
>> > > (instead of eth3 and eth4 I used eth0.1 and eth1.1); the subinterface
>> > > would be named eth0:1.
>> > >
>> > > I tried to use eth0:eth1 (internal:external), but this will cause the
>> > > connection to the internet to drop, and if I used this I also would get
>> > > only traffic destined to the internet.
>> > >
>> > > On Fri, May 8, 2015 at 7:07 PM, Al Lewis (allewi) <allewi at ...589...>
>> > > wrote:
>> > >
>> > >> I think your issue is caused by attempting to use the main interfaces
>> > >> to talk through the subinterfaces.
>> > >>
>> > >> Are you able to pass traffic with just "eth0:eth1"?
>> > >>
>> > >> Have you tried not using the main interfaces and creating two
>> > >> subinterfaces on each side?
>> > >>
>> > >> Albert Lewis
>> > >>
>> > >> QA Software Engineer
>> > >>
>> > >> SOURCE*fire*, Inc. now part of *Cisco*
>> > >>
>> > >> 9780 Patuxent Woods Drive
>> > >> Columbia, MD 21046
>> > >>
>> > >> Phone: (office) 443.430.7112
>> > >>
>> > >> Email: allewi at ...589...
>> > >>
>> > >>
>> > >>
>> > >> *From:* Abdallah Jabbour [mailto:abdjbr at ...11827...]
>> > >> *Sent:* Friday, May 08, 2015 12:16 PM
>> > >> *To:* snort-users at lists.sourceforge.net
>> > >> *Subject:* [Snort-users] snort inline mode does not capture traffic
>> > >> destined to other machine on the internal network
>> > >>
>> > >>
>> > >>
>> > >> Hello,
>> > >>
>> > >> I have set up snort in inline mode and tested it by adding a rule in
>> > >> /etc/snort/rules/local.rules:
>> > >> alert icmp any any -> any any (msg:"Ping Testing"; sid:1000003;rev:1;)
>> > >>
>> > >> I am running snort as a service and I added two pairs of network
>> > >> interfaces to /etc/sysconfig/snort:
>> > >> INTERFACE="eth0:eth0.1::eth1:eth1.1"
>> > >>
>> > >> where eth0.1 and eth1.1 do not have an IP address, and I have enabled
>> > >> promiscuous mode for all network interfaces.
>> > >>
>> > >> But in /var/log/snort/alert I get an alert from the previously defined
>> > >> rule only when I ping an external host or when I ping one of the
>> > >> interfaces of the snort machine.
>> > >>
>> > >> I can confirm that snort is running in inline mode and acquiring network
>> > >> traffic from all network interfaces, from /var/log/messages:
>> > >>
>> > >>  afpacket DAQ configured to inline.
>> > >>  Acquiring network traffic from "eth0:eth0.1::eth1:eth1.1".
>> > >>  Initializing daemon mode
>> > >>  Daemon initialized, signaled parent pid: 1726
>> > >>  Reload thread starting...
>> > >>  Reload thread started, thread 0x7f2f0055c700 (1746)
>> > >>  Checking PID path...
>> > >> PID path stat checked out ok, PID path set to /var/run/
>> > >>  Writing PID "1745" to file "/var/run//snort_eth0:eth0.1::eth1:eth1.1.pid"
>> > >>
>> > >>         --== Initialization Complete ==--
>> > >>  Commencing packet processing (pid=1745)
>> > >>  Decoding Ethernet
>> > >>  device eth1.1 entered promiscuous mode
>> > >>  device eth1 entered promiscuous mode
>> > >>  device eth0.1 entered promiscuous mode
>> > >>  device eth0 entered promiscuous mode
>> > >>
>> > >> I cannot get any traffic from local hosts pinging each other (on the
>> > >> internal network).
>> > >>
>> > >> Please assist
>> > >>
>> > >
>> > >
>>
>> >
>>
>>
>> --
>> Gregory W. MacPherson, CISSP, Security+, ITIL, Etc.
>> Founder, IT Security Expert, Global Network Security Exploitation
>> Specialist
>> http://www.constellationsecurity.com/greg/
>> wickr: statesman (whitelist mode)
>> People are bad, therefore we need big government, made up of...PEOPLE!!!
>>
>
>
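As an added illustration, not part of the thread or of Snort itself: a small Python check modelled on how an afpacket inline INTERFACE string is tokenized (names split on ":", empty tokens from "::" dropped, consecutive names paired into bridges). It reproduces why INTERFACE="eth0:eth0:1" ends up asking for a bridge between eth0 and eth0, while the VLAN-style name eth0.1 survives. The tokenization rule is an assumption modelled on strtok-style parsing, not a quote of the DAQ source; the interface strings are the ones from the thread.

```python
import re

# Interface specs taken from the thread (constructed test input, not live hosts).
GOOD = "eth0:eth0.1::eth1:eth1.1"
BAD_ALIAS = "eth0:eth0:1"


def tokenize(spec):
    """Split an afpacket interface spec on ':' as a strtok()-style parser
    would: empty tokens produced by '::' are dropped.
    (Assumption modelled on the DAQ's behaviour, not its source code.)"""
    return [t for t in spec.split(":") if t]


def pair_interfaces(spec):
    """Pair consecutive names into inline bridges. Returns (pairs, errors)."""
    names = tokenize(spec)
    errors = []
    if len(names) % 2:
        errors.append("odd number of interfaces: %r" % (names,))
    pairs = list(zip(names[0::2], names[1::2]))
    for a, b in pairs:
        if a == b:
            # The failure from the thread: eth0:eth0:1 -> (eth0, eth0)
            errors.append("Couldn't create the bridge between %s and %s" % (a, b))
    for n in names:
        # An ifconfig-style alias 'eth0:1' can never survive the ':' split;
        # a VLAN-style name like 'eth0.1' can. Anything not starting with a
        # letter is a leftover fragment of such an alias.
        if not re.fullmatch(r"[A-Za-z][\w.-]*", n):
            errors.append("suspicious interface name %r" % n)
    return pairs, errors


def check_spec(spec):
    """Validate a spec before handing it to /etc/sysconfig/snort."""
    pairs, errors = pair_interfaces(spec)
    return {"pairs": pairs, "ok": not errors, "errors": errors}


if __name__ == "__main__":
    for spec in (GOOD, BAD_ALIAS):
        r = check_spec(spec)
        print(spec, "->", r["pairs"], "OK" if r["ok"] else r["errors"])
```

Note that even a valid pair list only shows Snort frames that cross a bridge; two hosts on the same internal segment talking directly never enter either bridged interface, which matches the symptom in the original report.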