Re: snort inline mode does not capture traffic destined to other machine on the internal network

["Gregory W. MacPherson" <greg () constellationsecurity com>]

Aren't subinterfaces supposed to be defined with a period (.) rather
than with a colon (:)?

On or about 2015.05.08 20:27:32 +0200, Abdallah Jabbour (abdjbr () gmail com) said:

> also if i add a subinterface andin /etc/sysconfig/snort  i amend the
> INTERFACE directive :
> INTERFACE="eth0:eth0:1"
>
> and start snort will through an error :
>
> FATAL ERROR: Can't initialize DAQ afpacket (-1) - afpacket_daq_initialize:
> Couldn't create the bridge between eth0 and eth0!
>
> it seems that snort does not parse the subinterface in the INTERFACES
> directive
>
> On Fri, May 8, 2015 at 8:01 PM, Abdallah Jabbour <abdjbr () gmail com> wrote:
>
> > there is no subinterface , all interfaces are main two with IP { eth0 (
> > internal interface ) eth1 ( external interface ) } and the others without
> > IP ( eth0.1 and eth1.1 ) ,  i just manipulated the names of the interface
> > (instead of eth3 and eth4 i used eth0.1 and eth1.1 ) the subinterface would
> > be named : eth0:1
> >
> > i tried to use eth0:eth1 ( internal:external ) but this will cause to drop
> > connection with the internet . and if i  used this i also would get only
> > traffic destined to the internet
> >
> > On Fri, May 8, 2015 at 7:07 PM, Al Lewis (allewi) <allewi () cisco com>
> > wrote:
> >
> > >  I think your issue is caused by attempting to use the main interfaces
> > > to talk through the subinterfaces.
> > >
> > >
> > >
> > > Are you able pass traffic with just ???eth0:eth1????
> > >
> > >
> > >
> > > Have you tried not using the main interfaces and creating two
> > > subinterfaces on each side?
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > Albert Lewis
> > >
> > > QA Software Engineer
> > >
> > > SOURCE*fire*, Inc. now part of *Cisco*
> > >
> > > 9780 Patuxent Woods Drive
> > > Columbia, MD 21046
> > >
> > > Phone: (office) 443.430.7112
> > >
> > > Email: allewi () cisco com
> > >
> > >
> > >
> > > *From:* Abdallah Jabbour [mailto:abdjbr () gmail com]
> > > *Sent:* Friday, May 08, 2015 12:16 PM
> > > *To:* snort-users () lists sourceforge net
> > > *Subject:* [Snort-users] snort inline mode does not capture traffic
> > > destined to other machine on the internal network
> > >
> > >
> > >
> > > Hello ,
> > >
> > > i have setup snort in inline mode and tested it by adding  a rule in
> > > /etc/snort/rules/local.rules :
> > > alert icmp any any -> any any (msg:"Ping Testing"; sid:1000003;rev:1;)
> > >
> > >   i am running snort as a service and i added two pairs of network
> > > interfaces to to /etc/sysconfig/snort
> > > INTERFACE="eth0:eth0.1::eth1:eth1.1"
> > >
> > > where eth0.1 and eth1.1 does not have IP address and have enabled
> > > promiscuous mode for all network interfaces
> > >
> > > but in /var/log/snort/alert i  get alert from previously defined rule
> > > only when i ping an external host or when i ping one of the interfaces of
> > > the snort machine
> > >
> > > i can confirm than snort is running in inline mode and acquiring network
> > > traffic from all network interfaces from /var/log/messages
> > >
> > >  afpacket DAQ configured to inline.
> > >  Acquiring network traffic from "eth0:eth0.1::eth1:eth1.1".
> > >  Initializing daemon mode
> > >  Daemon initialized, signaled parent pid: 1726
> > >  Reload thread starting...
> > >  Reload thread started, thread 0x7f2f0055c700 (1746)
> > >  Checking PID path...
> > > PID path stat checked out ok, PID path set to /var/run/
> > >  Writing PID "1745" to file "/var/run//snort_eth0:eth0.1::eth1:eth1.1.pid"
> > >
> > >         --== Initialization Complete ==--
> > >  Commencing packet processing (pid=1745)
> > >  Decoding Ethernet
> > >  device eth1.1 entered promiscuous mode
> > >  device eth1 entered promiscuous mode
> > >  device eth0.1 entered promiscuous mode
> > >  device eth0 entered promiscuous mode
> > >
> > > i cannot get any traffic local hosts pinging each other ( on the internal
> > > network ) .
> > >
> > > please assist

> ------------------------------------------------------------------------------
> One dashboard for servers and applications across Physical-Virtual-Cloud 
> Widest out-of-the-box monitoring support with 50+ applications
> Performance metrics, stats and reports that give you Actionable Insights
> Deep dive visibility with transaction tracing using APM Insight.
> http://ad.doubleclick.net/ddm/clk/290420510;117567292;y

> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!


-- 
Gregory W. MacPherson, CISSP, Security+, ITIL, Etc.
Founder, IT Security Expert, Global Network Security Exploitation Specialist
http://www.constellationsecurity.com/greg/
wickr: statesman (whitelist mode)
People are bad, therefore we need big government, made up of...PEOPLE!!!

------------------------------------------------------------------------------
One dashboard for servers and applications across Physical-Virtual-Cloud 
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!