[Snort-users] Inline Installation Problem
jlay at ...13475...
Fri Jan 20 10:26:35 EST 2017
On 2017-01-20 08:17, Michael David wrote:
> I have set up a Raspberry Pi in inline mode. I have placed it in
> between the cable modem and router with eth0 and eth1 bridged to
> bridge0, all in promiscuous mode and no IPs. I use the built-in
> wireless for management. Everything seems to function, pulledpork is
> working, logs and alerts are generated. However all inbound and
> outbound access is blocked when running. Here are some of the
> settings I have used. I am confused about the daq mode and types.
> Using 'snort -i bridge0 -A console' allows viewing of the traffic and
> Internet access is not blocked.
> #set int to promisc
> ip link set eth0 multicast off
> ip link set eth0 promisc on
> ip link set eth1 multicast off
> ip link set eth1 promisc on
> ip link set bridge0 multicast off
> ip link set bridge0 promisc on
> #set int to bridge
> ifconfig eth0 0.0.0.0
> ifconfig eth1 0.0.0.0
> ifconfig bridge 0 0.0.0
> brctl addbr bridge0
> brctl addif bridge0 eth0
> brctl addif bridge0 eth1
> ifconfig bridge0 up
> #this is what I am using to start snort
> snort -A console -c /etc/snort/snort.conf -Q -i eth0:eth1 --daq
> afpacket --daq-mode inline

Snort creates its own "bridge", so you won't be using brctl. Ideally
you have three interfaces, one for management, the other for in/out.
Otherwise NFQ is your next best bet if you only have two interfaces and
want to act as a transparent bridge.
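
A preflight check for the point made in the reply above, added here as an example and not part of the original thread: before starting `snort -Q --daq afpacket --daq-mode inline -i eth0:eth1`, confirm that neither interface of the pair is a kernel bridge or a port of one. The function name `check_inline_pair` and the `SYSFS_NET` override are hypothetical names chosen for this example; it handles a single `ifA:ifB` pair and relies on the Linux sysfs entries `bridge`, `brport` and `master`.

```shell
#!/bin/sh
# Added example: refuse to start afpacket inline on interfaces the kernel is
# already bridging. SYSFS_NET can be overridden to test against a constructed tree.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# check_inline_pair IFA:IFB -> prints findings, returns 0 if usable, 1 if not.
check_inline_pair() {
    pair="$1"
    rc=0
    case "$pair" in
        ?*:?*) ;;
        *) echo "FAIL: '$pair' is not an ifA:ifB pair"; return 1 ;;
    esac
    if_a="${pair%%:*}"
    if_b="${pair#*:}"
    if [ "$if_a" = "$if_b" ]; then
        echo "FAIL: both sides of the pair are $if_a"; return 1
    fi
    for ifc in "$if_a" "$if_b"; do
        dev="$SYSFS_NET/$ifc"
        if [ ! -d "$dev" ]; then
            echo "FAIL: $ifc not found under $SYSFS_NET"; rc=1; continue
        fi
        # A bridge device itself exposes a 'bridge' directory in sysfs.
        if [ -d "$dev/bridge" ]; then
            echo "FAIL: $ifc is a kernel bridge, not a physical port"; rc=1
        fi
        # An enslaved port exposes 'brport' and a 'master' symlink to its bridge.
        if [ -d "$dev/brport" ] || [ -L "$dev/master" ]; then
            master=$(basename "$(readlink "$dev/master" 2>/dev/null)")
            echo "FAIL: $ifc is a port of ${master:-a bridge}; remove it (brctl delif)"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: $pair is free for --daq afpacket --daq-mode inline"
    return "$rc"
}

# Run against the live system only when a pair is given on the command line.
if [ "$#" -gt 0 ]; then
    check_inline_pair "$1"
fi
```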