Re: Snort-users Digest, Vol 108, Issue 2

[Abdallah Jabbour <abdjbr () gmail com>]

all the lab is on a KVM host with regular bridge ( bridge-utils on CentOS )
. it seems that whenever the snort service start it will bridge the
interfaces together causing the network connections to drop even if i
specify a non-ip interfaces :
INTERFACE=eth0.1:eth1.1
where eth0.1 and eth1.1 are another two virtual interfaces on the snort
guest with no ip address .

i don't have port mirroring in place ( that why i tried inline mode ) .

On Mon, May 4, 2015 at 12:34 AM, Abdallah Jabbour <abdjbr () gmail com> wrote:

> yes they do !
>
> On Sun, May 3, 2015 at 2:00 PM, <snort-users-request () lists sourceforge net
> > wrote:
>
> > Send Snort-users mailing list submissions to
> >         snort-users () lists sourceforge net
> >
> > To subscribe or unsubscribe via the World Wide Web, visit
> >         https://lists.sourceforge.net/lists/listinfo/snort-users
> > or, via email, send a message with subject or body 'help' to
> >         snort-users-request () lists sourceforge net
> >
> > You can reach the person managing the list at
> >         snort-users-owner () lists sourceforge net
> >
> > When replying, please edit your Subject line so it is more specific
> > than "Re: Contents of Snort-users digest..."
> >
> >
> > When responding, please don't respond with the entire Digest.  Please
> > trim your response.
> >
> > Today's Topics:
> >
> >    1. Re: snort inline mode in CentOS 6.6 (James Lay)
> >
> >
> > ----------------------------------------------------------------------
> >
> > Message: 1
> > Date: Sat, 02 May 2015 07:25:22 -0600
> > From: James Lay <jlay () slave-tothe-box net>
> > Subject: Re: [Snort-users] snort inline mode in CentOS 6.6
> > To: snort-users () lists sourceforge net
> > Message-ID: <1430573122.4447.1.camel@JamesiMac>
> > Content-Type: text/plain; charset="utf-8"
> >
> > On Sat, 2015-05-02 at 12:46 +0200, Abdallah Jabbour wrote:
> > > Hello ,
> > >
> > >
> > >
> > > i have installed snort on CentOS6.6 in a KVM Guest machine , it a
> > > router/ firewall using iptables , i followed the installation and
> > > configuration steps and tested the configuration file validity ( using
> > > -T command line arg )
> > >
> > >
> > >
> > > i enabled inline mode :
> > >
> > >
> > > in configuration file : i added and uncommented the following lines :
> > >
> > >  config policy_mode:inline
> > >
> > >  config daq: afpacket
> > >  config daq_dir: /usr/lib64/daq/
> > >  config daq_mode: inline
> > >  config daq_var: buffer_size_mb=128
> > >
> > >
> > > and also in /etc/sysconfig/snort
> > >
> > >
> > > INTERFACE=eth0:eth1
> > >
> > >
> > > and start the snort service
> > >
> > >
> > > the network connection ( locally and to the internet ) is dropped i
> > > cannot ping any host on the network .
> > >
> > >
> > > i added some rules to /etc/snort/rules/local.rules
> > >
> > > to see if alerting is working , i can see alerts being written
> > > to /var/log/snort/alert after i reboot the machine ( since there is no
> > > network connectivity ) .
> > >
> > >
> > > i know that inline mode will put the network interfaces eth0 and eth1
> > > in promiscuous mode and will bridge the network connection to get the
> > > network traffic . is there anything i am missing my setup  ?
> > ------------------------------------------------------------------------------
> > > One dashboard for servers and applications across Physical-Virtual-Cloud
> > > Widest out-of-the-box monitoring support with 50+ applications
> > > Performance metrics, stats and reports that give you Actionable Insights
> > > Deep dive visibility with transaction tracing using APM Insight.
> > > http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > >
> > > Please visit http://blog.snort.org to stay current on all the latest
> > Snort news!
> >
> >
> > To eth0 and eth1 have IP addresses assigned?
> >
> > James
> > -------------- next part --------------
> > An HTML attachment was scrubbed...
> >
> > ------------------------------
> >
> >
> > ------------------------------------------------------------------------------
> > One dashboard for servers and applications across Physical-Virtual-Cloud
> > Widest out-of-the-box monitoring support with 50+ applications
> > Performance metrics, stats and reports that give you Actionable Insights
> > Deep dive visibility with transaction tracing using APM Insight.
> > http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
> >
> > ------------------------------
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> >
> >
> > End of Snort-users Digest, Vol 108, Issue 2
> > *******************************************
------------------------------------------------------------------------------
One dashboard for servers and applications across Physical-Virtual-Cloud 
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!