[Snort-users] afpacket and inline mode

Michael David michael.d.torino at ...11827...
Sat Jan 28 12:47:45 EST 2017


I am trying to configure snort to run in inline mode between a cable modem
and router.  My config tests fine and will run.  When snort is running all
traffic is blocked in and outbound, but the log grows.  When I terminate
snort I can view and log all in and outbound traffic and Internet service
returns to the LAN.

I don't understand why this is happening.  Shouldn't inline mode let all
traffic pass and let the rules allow, block and drop?

Here are some of my configurations and setup for the ports.

snort -A console -c /etc/snort/snort.conf -Q -i eth0:eth1 --daq afpacket --daq-mode inline

ifconfig eth0 0.0.0.0
ip link set eth0 multicast off
ip link set eth0 promisc on
ethtool -s eth0 speed 100 duplex full
for i in rx tx sg tso ufo gso gro lro; do ethtool -K eth0 $i off; done

ifconfig eth1 0.0.0.0
ip link set eth1 multicast off
ip link set eth1 promisc on
ethtool -s eth1 speed 100 duplex full
for i in rx tx sg tso ufo gso gro lro; do ethtool -K eth1 $i off; done