[Snort-users] afpacket and inline mode

James Lay jlay at ...13475...
Sat Jan 28 15:10:31 EST 2017


On Sat, 2017-01-28 at 11:47 -0600, Michael David wrote:
> I am trying to configure snort to run in inline mode between a cable
> modem and router.  My config tests fine and will run.  When snort is
> running all traffic is blocked in and outbound, but the log grows. 
> When I terminate snort I can view and log all in and outbound traffic
> and Internet service returns to the LAN.
> 
> I don't understand why this is happening.  Shouldn't inline mode let
> all traffic pass and let the rules allow, block and drop?
> 
> Here are some of my configurations and setup for the ports.
> 
> snort -A console -c /etc/snort/snort.conf -Q -i eth0:eth1 --daq afpacket --daq-mode inline
> 
> ifconfig eth0 0.0.0.0
> ip link set eth0 multicast off
> ip link set eth0 promisc on
> ethtool -s eth0 speed 100 duplex full
> for i in rx tx sg tso ufo gso gro lro; do ethtool -K eth0 $i off; done
> 
> ifconfig eth1 0.0.0.0
> ip link set eth1 multicast off
> ip link set eth1 promisc on
> ethtool -s eth1 speed 100 duplex full
> for i in rx tx sg tso ufo gso gro lro; do ethtool -K eth1 $i off; done
> 
Is this a third physical device like say... *cable modem* <-> *snort
device* <-> *router* or do you plan on running inline on the router
itself?
James