[Snort-users] afpacket and inline mode

James Lay jlay at ...13475...
Sat Jan 28 18:23:43 EST 2017


Ok cool...you've got it set up right.  Now...how about the config, any
drop rules, and any output from the command below?

On Sat, 2017-01-28 at 14:50 -0600, Michael David wrote:
> It's a third physical device, rpi. Using built in eth0, eth1 via
> usb/rj45 adapter and wlan0 for management.
> 
> On Sat, Jan 28, 2017 at 2:10 PM, James Lay <jlay at ...13475...>
> wrote:
> > On Sat, 2017-01-28 at 11:47 -0600, Michael David wrote:
> > > I am trying to configure snort to run in inline mode between a
> > > cable modem and router.  My config tests fine and will run.  When
> > > snort is running all traffic is blocked in and outbound, but the
> > > log grows.  When I terminate snort I can view and log all in and
> > > outbound traffic and Internet service returns to the LAN.
> > > 
> > > I don't understand why this is happening.  Shouldn't inline mode
> > > let all traffic pass and let the rules allow, block and drop?
> > > 
> > > Here are some of my configurations and setup for the ports.
> > > 
> > > snort -A console -c /etc/snort/snort.conf -Q -i eth0:eth1 --daq afpacket --daq-mode inline
> > > 
> > > ifconfig eth0 0.0.0.0
> > > ip link set eth0 multicast off
> > > ip link set eth0 promisc on
> > > ethtool -s eth0 speed 100 duplex full
> > > for i in rx tx sg tso ufo gso gro lro; do ethtool -K eth0 $i off; done
> > > 
> > > ifconfig eth1 0.0.0.0
> > > ip link set eth1 multicast off
> > > ip link set eth1 promisc on
> > > ethtool -s eth1 speed 100 duplex full
> > > for i in rx tx sg tso ufo gso gro lro; do ethtool -K eth1 $i off; done
> > > 
> > Is this a third physical device like say... *cable modem* <->
> > *snort device* <-> *router* or do you plan on running inline on the
> > router itself?
> > 
> > James
> 
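
Added example, not part of the original thread: a shell check that the offload features the poster turns off with `ethtool -K` (rx tx sg tso ufo gso gro lro) actually read back as off, by parsing `ethtool -k` output for each interface of the inline pair. The function names are hypothetical and the sample `ethtool -k` output is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `ethtool -k <iface>` output on
# stdin and prints the long feature names, from the thread's list
# (rx tx sg tso ufo gso gro lro), that are still reported as "on".
offloads_still_on() {
    awk -F': *' '
        BEGIN {
            # Long names that ethtool -k prints for the short -K names above.
            n = split("rx-checksumming tx-checksumming scatter-gather " \
                      "tcp-segmentation-offload udp-fragmentation-offload " \
                      "generic-segmentation-offload generic-receive-offload " \
                      "large-receive-offload", names, " ")
            for (i = 1; i <= n; i++) want[names[i]] = 1
        }
        # Indented sub-features and unrelated features never match want[].
        # "on", "on [fixed]" and "on [requested off]" all count as still on.
        ($1 in want) && $2 ~ /^on/ { print $1 }
    '
}

# Check every interface given, e.g. `check_pair eth0 eth1` (needs ethtool).
# Returns non-zero if any listed offload is still enabled on any interface.
check_pair() {
    rc=0
    for ifc in "$@"; do
        left=$(ethtool -k "$ifc" | offloads_still_on)
        if [ -n "$left" ]; then
            echo "$ifc: still on: $(echo $left)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of `ethtool -k eth1` output: GRO did not switch off.
sample_ethtool_k() {
    cat <<'EOF'
Features for eth1:
rx-checksumming: off
tx-checksumming: off
    tx-checksum-ipv4: off [fixed]
scatter-gather: off
tcp-segmentation-offload: off
udp-fragmentation-offload: off [fixed]
generic-segmentation-offload: off
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on
EOF
}

sample_ethtool_k | offloads_still_on
```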