No subject

Thu Nov 23 16:36:19 EST 2017

ng the box as well as do the IPS work.

P.S.: Please respond to the list and not only to myself. Its a mutual benef=

Date: Sun, 24 Aug 2014 14:00:20 +0200
Subject: Re: [Snort-users] Snort inline mode problem

From: demonsdebason at ...11827...
To: snort at ...15979...

The same behavior when running with 'eth1:eth2'.

Yeah, the interfaces are in promiscuous, silly me.
Any ideas?

On Sun, Aug 24, 2014 at 7:34 AM, Y M <snort at ...15979...> wrote:

Date: Sun, 24 Aug 2014 05:02:13 +0200
From: demonsdebason at ...11827...
To: snort-users at

Subject: [Snort-users] Snort inline mode problem

Hi all.
I've been working on my Snort IPS for some time now.=20
Noticed that 'drop' rules are working half-way, I have set the test rule to=
 drop ICMP coming to the sensor from local machine:

drop icmp any -> any (msg: "Test rule"; sid:110011;)

Alerts get logged and can view them via BASE, but when I ping from .2 to .1=
 I get this:
PING ( 56(84) bytes of data.

64 bytes from : icmp_seq=3D1 ttl=3D64 time=3D0.216 ms
>From icmp_seq=3D1 Destination Port Unreachable

64 bytes from : icmp_seq=3D2 ttl=3D64 time=3D0.269 ms

>From icmp_seq=3D2 Destination Port Unreachable
64 bytes from : icmp_seq=3D3 ttl=3D64 time=3D0.221 ms

So some of them are getting 'blocked'.

When I shutdown Snort I's all fine:
64 bytes from : icmp_seq=3D8 ttl=3D64 time=3D0.226 ms

64 bytes from
 : icmp_seq=3D9 ttl=3D64 time=3D0.201 ms

64 bytes from : icmp_seq=3D10 ttl=3D64 time=3D0.253 ms
64 bytes from

 : icmp_seq=3D11 ttl=3D64 time=3D0.204 ms

Here is my info:

   ,,_     -*> Snort! <*-
  o"  )~   Version GRE (Build 77)=20
   ''''    By Martin Roesch & The Snort Team:

           Copyright (C) 2014 Cisco and/or its affiliates. All rights reser=
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.4.0
           Using PCRE version: 7.8 2008-09-05

           Using ZLIB version: 1.2.3
 41104  4.6  2.0 1675528 1342832 ?     Ssl  04:48   0:00 /usr/sbin/snort
 -D -i eth1::eth2 -u snort -g snort -c /etc/snort/snort.conf -Q=20
--daq-mode inline -k none

# Looks like you have double colons "eth1::eth2", as opposed to one colon "=
eth1:eth2". Not sure if the double colons are causing the partial drops.

snort --daq-list
Available DAQ modules:
pcap(v3): readback live multi unpriv
ipfw(v3): live inline multi unpriv
dump(v2): readback live inline multi unpriv

afpacket(v5): live inline multi unpriv

config policy_mode:inline
config daq: afpacket
config daq_dir: /usr/lib64/daq
config daq_mode: inline

config daq_var: buffer_size_mb=3D1024

I've tried dropping all the ICMPs in the iptables, results are as expected,=
 but Snort still logs the alerts.
Do you have any idea what is the issue here?

# Does Snort log the requests or replies or both? I would image if the NIC =
is promiscuous, then it would still see the requests.=20

Aut viam inveniam aut faciam

Slashdot TV.=20=20
Video for Nerds.  Stuff that matters.
Snort-users mailing list
Snort-users at
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

Please visit to stay current on all the latest Snort =

Aut viam inveniam aut faciam


Aut viam inveniam aut faciam


Aut viam inveniam aut faciam


Aut viam inveniam aut faciam


Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

.hmmessage P
font-size: 12pt;
<body class=3D'hmmessage'><div dir=3D'ltr'><div dir=3D"ltr"><div><div><span=
 style=3D"font-size: 12pt;">>As already posted I run it with: </spa=
n></div>>/usr/sbin/snort -D -i eth1:eth2 -u snort -g snort -c /etc/snort=
/snort.conf -l /var/log/snort -Q --daq-mode inline -k none<br>
<br></div>You can drop "--daq-mode inline" from your command since you alre=
ady have the mode defined in snort.conf. Does the box running Snort do anyt=
hing else other than just running Snort?<br></div><div dir=3D"ltr"><br></di=
v><div dir=3D"ltr">Run tcpdump to capture the traffic while running Snort a=
nd test again. See what information the capture might provide. It's a craps=
hoot but you may also want to test on another distro, we have one specific =
case where things didn't work as expected on one distro while it worked fin=
e on another.</div><div dir=3D"ltr"><br></div><div dir=3D"ltr">YM</div><div=
 class=3D"ecxgmail_extra"><br><br><div class=3D"ecxgmail_quote">On Mon, Aug=
 25, 2014 at 7:18 PM, Y M <span dir=3D"ltr"><<a href=3D"mailto:snort at ...979...=
15979..." target=3D"_blank">snort at ...15979...</a>></span> wrote:<br>
<blockquote class=3D"ecxgmail_quote" style=3D"border-left:1px #ccc solid;pa=

<div><div dir=3D"ltr">Please post your snort.conf, sanitizing any private i=
nfo. Also the command you use to run Snort.<div><br></div><div>YM<br><br><d=
iv><hr>Date: Sun, 24 Aug 2014 19:58:22 +0200<div><div class=3D"h5"><br>Subj=
ect: Re: [Snort-users] Snort inline mode problem<br>
From: <a href=3D"mailto:demonsdebason at ...11827..." target=3D"_blank">demons=
debason at ...11827...</a><br>To: <a href=3D"mailto:snort at ...15979..." target=
=3D"_blank">snort at ...15979...</a><br>CC: <a href=3D"mailto:snort-users at ...1753...=" target=3D"_blank">snort-users at</a><=
<br><div dir=3D"ltr"><div><div><div><div><div>I have already tried with thi=
s rule:<br>drop icmp any -> any (msg: "NEW TEST"; si=
d:10666;)<br><br></div>Also modified 384 ICMP rule:<br>drop icmp $EXTERNAL_=
NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING"; icode:0; itype:8; me=
tadata:ruleset community; classtype:misc-activity; sid:384; rev:8;)<br>

<br></div>Set HOME_NET to any, restarted Snort and got the same crap:<br>PI=
NG ( 56(84) bytes of data.<br>From icmp_seq=3D1 Des=
tination Port Unreachable<br>64 bytes from <a href=3D"" targe=
t=3D"_blank"></a>: icmp_seq=3D1 ttl=3D46 time=3D40.6 ms<br>

>From icmp_seq=3D2 Destination Port Unreachable<br>From icm=
p_seq=3D3 Destination Port Unreachable<br>64 bytes from <a href=3D"http://8=
.8.8.8" target=3D"_blank"></a>: icmp_seq=3D3 ttl=3D46 time=3D40.7 ms=
</div>I've set additional rule:<br>
drop icmp any any -> any any (msg: "NEW TEST"; sid:10666;)<br><br></div>=
<div>...and am getting:<br>PING ( 56(84) bytes of data.<br>=

More information about the Snort-users mailing list