Snort mailing list archives
Re: snort inline
From: Tony Robinson <deusexmachina667 () gmail com>
Date: Sat, 10 Nov 2012 16:41:17 -0500
Mr. Salehi,

I'm not certain this is your problem, but I ran into a similar problem while testing a snort inline installation on my ESXi testbed. I was trying to do an inline test with snort between two vswitches and ran into problems consistent with what you are seeing. I had to allow promiscuous mode on the vswitches the inline interfaces were connected to, or it wouldn't work.

I would recommend the following:

1. If you are on an ESX/ESXi server, ensure that the vswitch security settings allow promiscuous mode -- for BOTH switches your sensor is connected to.
2. Verify that both interfaces have promiscuous mode enabled (e.g. does ifconfig -a report PROMISC for both eth1 and eth0?)

On Sat, Nov 10, 2012 at 7:21 AM, amin Salehi <seyedamin_salehi () yahoo com> wrote:
Hi. I enable forwarding on a snort sensor host and run the following command:

snort -q -c /etc/snort/snort.conf -Q --daq afpacket -i eth0:eth1 -A console

I write a rule in the local.rules file:

drop icmp 10.10.9.2 any -> 10.10.8.2 any (msg:"Ping dropped";sid: 1000008;)

When I run "ping 10.10.8.2" on the 10.10.9.2 host the result is: the attached file with name 1

My sensor screen is: the attached file with name 2

What's the problem?
-- when does reality end? when does fantasy begin?
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
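Step 2 of the reply above as a script, added here as an example and not part of the original post: it splits the eth0:eth1 pair given to -i and tests the IFF_PROMISC bit (0x100) in each interface's flags word under /sys/class/net. The function names, the script name in the usage comment and the SYSFS_NET override are assumptions made for this example.

```shell
#!/bin/sh
# Added example: verify PROMISC on each interface of a Snort inline pair.
# Reads the kernel's interface flags from sysfs instead of parsing ifconfig.

IFF_PROMISC=256                           # 0x100, IFF_PROMISC in <linux/if.h>
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"  # assumption: overridable for testing

# is_promisc IFACE: 0 = PROMISC set, 1 = not set, 2 = interface not found
is_promisc() {
    [ -r "$SYSFS_NET/$1/flags" ] || return 2
    flags=$(cat "$SYSFS_NET/$1/flags")    # hex word, e.g. 0x1103
    [ $(( $flags & $IFF_PROMISC )) -ne 0 ]
}

# check_inline_pair "eth0:eth1": report each interface; return 0 only if
# the spec names at least two interfaces and all of them are promiscuous.
check_inline_pair() {
    old_ifs=$IFS; IFS=:
    set -- $1                  # split the afpacket "-i IF1:IF2" spec on ':'
    IFS=$old_ifs
    if [ $# -lt 2 ]; then
        echo "error: expected an inline pair such as eth0:eth1" >&2
        return 2
    fi
    rc=0
    for iface in "$@"; do
        status=0
        is_promisc "$iface" || status=$?
        case $status in
            0) echo "$iface: PROMISC" ;;
            1) echo "$iface: PROMISC not set (ip link set dev $iface promisc on)"
               rc=1 ;;
            *) echo "$iface: interface not found"
               rc=1 ;;
        esac
    done
    return $rc
}

# Usage (hypothetical script name): sh check_promisc.sh eth0:eth1
if [ $# -gt 0 ]; then check_inline_pair "$1"; fi
```

This covers only the guest side; the vswitch security setting from step 1 is configured on the ESX/ESXi host and is not visible from inside the sensor.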