Snort mailing list archives
Fwd: Snort in Inline Mode on CentOS 6.3
From: "Okeowo, Ayo" <gadmin () cyberdrobe com>
Date: Sun, 10 Feb 2013 12:12:15 -0500
---------- Forwarded message ----------
From: Okeowo, Ayo <gadmin () cyberdrobe com>
Date: Sun, Feb 10, 2013 at 12:11 PM
Subject: Re: [Snort-users] Snort in Inline Mode on CentOS 6.3
To: Y M <snort () outlook com>

Below is what I have.

{Q1::Answer} My Snort command is:

snort -c /etc/snort/snort.conf --daq afpacket -i eth0:eth2 -Q -A console

{Q2::Answer} I'm using DAQ mode: --daq afpacket

{Q3::Answer - the drop rule resides in local.rules}

drop tcp $HOME_NET any -> $EXTERNAL_NET [80,443] (msg:"Block Web Traffic from Outside"; classtype:web-application-attack; metadata:service http; flow:established,to_server; sid:1000008; rev:2;)

{Q4::Answer}

Verdicts:
  Allow: 8115288 ( 98.956%)
  Block: 640 ( 0.008%)
  Replace: 252 ( 0.003%)
  Whitelist: 0 ( 0.000%)
  Blacklist: 37 ( 0.000%)
  Ignore: 0 ( 0.000%)

On Sun, Feb 10, 2013 at 11:54 AM, Y M <snort () outlook com> wrote:
a. How are you running Snort? In other words, what is the command you are using to run Snort?
b. Which DAQ are you using?
c. How is your drop rule set up?
d. When you stop Snort, what do the verdict statistics show?

Please, when you send/reply, do so for the whole group, as there are awesome people here that are more experienced than I am, and other people benefit as well.

Thanks.
YM

------------------------------
From: Okeowo, Ayo <gadmin () cyberdrobe com>
Sent: 2/10/2013 7:38 PM
To: Y M <snort () outlook com>
Subject: Re: [Snort-users] Snort in Inline Mode on CentOS 6.3

YM,

Sorry I'm just getting back to you after I posted my question. I've been able to add one more interface, and the 2 interfaces are now in promiscuous mode. I've confirmed there are packets traversing the interfaces, but my rule is not dropping any traffic request to, let's say, port 80 and 443. What could I possibly be missing? Still looking through, though, to see if I find anything that could be causing the issue. Your response will be much appreciated.

On Wed, Feb 6, 2013 at 10:56 AM, Y M <snort () outlook com> wrote:

It will be largely dependent on the output plugin you are using. In the case of Snorby, although I don't use it, it will eventually read from a database, MySQL. In this case, it is a practice to let Snort output to unified2, and let barnyard2 parse unified2 logs into the database, from which Snorby will read data. Hope you get your setup done.

YM

------------------------------
From: Okeowo, Ayo <gadmin () cyberdrobe com>
Sent: 2/6/2013 6:43 PM
To: Y M <snort () outlook com>
Subject: Re: [Snort-users] Snort in Inline Mode on CentOS 6.3

YM,

Thanks for the response. I would never have thought of increasing my interfaces (virtual interfaces) to 3 to make it work. I will try that when I get home and let you know. So this will allow my drop and alert rules to pop up on Snorby? Once it works I will then go ahead and configure preprocessors etc.
And I also hope to combine my command line with the --alert-before-pass switch.

On Wed, Feb 6, 2013 at 10:28 AM, Y M <snort () outlook com> wrote:

You will need 3 interfaces. Two will be in transparent mode and the third will be used for management. When you run Snort in inline mode, you would use, for example: -i eth0:eth1, or the bridge if you will be using a bridge, and eth3 for management.

YM

------------------------------
From: Okeowo, Ayo <gadmin () cyberdrobe com>
Sent: 2/6/2013 6:22 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort in Inline Mode on CentOS 6.3

Hello Folks,

Has anyone successfully set up Snort 2.9.4 on CentOS 6.3 with functioning IPS (Inline Mode) using 2 interfaces (1 for sniffing traffic and a 2nd for management)? I'm having a few issues, although I haven't sat down to address them yet due to my day job sucking my time. The first issue is, if I use 1 interface and put Snort in Inline Mode, my drop rules don't work. Second, if I use 2 interfaces, both Alert and Drop rules cease to work and I get nothing on Snorby. Any insight into this issue will be appreciated. Like I said, I haven't sat down to troubleshoot this issue, but your response will help.

Thanks.
Ayo
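As an added example (not part of the thread), the following Python checks the two artefacts YM asked for: it parses the posted drop rule into its header fields and options so the direction it actually covers can be read off, and it parses the verdict summary into counts. The rule and verdict text are constructed from the message above; the percentage base Snort itself uses is not reproduced, only the Block share of the listed verdicts.

```python
import re

# Constructed sample input: the drop rule and verdict block quoted in the thread.
RULE = ('drop tcp $HOME_NET any -> $EXTERNAL_NET [80,443] '
        '(msg:"Block Web Traffic from Outside"; classtype:web-application-attack; '
        'metadata:service http; flow:established,to_server; sid:1000008; rev:2;)')

VERDICTS = """Verdicts:
  Allow: 8115288 ( 98.956%)
  Block: 640 ( 0.008%)
  Replace: 252 ( 0.003%)
  Whitelist: 0 ( 0.000%)
  Blacklist: 37 ( 0.000%)
  Ignore: 0 ( 0.000%)"""

# Rule header: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r'^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')
# One option: name[:value]; a quoted value may itself contain ';'
OPTION_RE = re.compile(r'\s*(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')

def parse_rule(text):
    """Split a Snort rule into header fields plus an options dict."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError('not a Snort rule: %r' % text)
    rule = m.groupdict()
    rule['options'] = {name: (val or '').strip('"')
                       for name, val in OPTION_RE.findall(rule.pop('opts'))}
    return rule

def covers_outbound_only(rule):
    """True when the rule can only match flows initiated from $HOME_NET."""
    return (rule['dir'] == '->' and rule['src'] == '$HOME_NET'
            and 'to_server' in rule['options'].get('flow', ''))

def parse_verdicts(text):
    """Map each verdict name in Snort's shutdown summary to its packet count."""
    return {name: int(count)
            for name, count in re.findall(r'(\w+):\s+(\d+)\s+\(', text)}

def block_share(counts):
    """Fraction of the listed verdicts that were Block."""
    return counts['Block'] / sum(counts.values())

if __name__ == '__main__':
    r = parse_rule(RULE)
    print(r['action'], r['src'], r['dir'], r['dst'], r['dport'], 'sid', r['options']['sid'])
    print('matches only HOME_NET-initiated flows:', covers_outbound_only(r))
    print('Block share of verdicts: %.3f%%' % (100 * block_share(parse_verdicts(VERDICTS))))
```

Reading the parsed header makes the mismatch visible: a rule with $HOME_NET as source and flow:to_server can only drop requests leaving the home network, so inbound requests to ports 80 and 443 would never be counted under Block.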