Snort mailing list archives
Re: snort inline mode does not capture traffic destined to other machine on the internal network
From: "Gregory W. MacPherson" <greg () constellationsecurity com>
Date: Sat, 9 May 2015 09:30:24 -0700
Aren't subinterfaces supposed to be defined with a period (.) rather than with a colon (:)?

On or about 2015.05.08 20:27:32 +0200, Abdallah Jabbour (abdjbr () gmail com) said:

Also, if I add a subinterface and in /etc/sysconfig/snort I amend the INTERFACE directive to INTERFACE="eth0:eth0:1" and start snort, it will throw an error:

FATAL ERROR: Can't initialize DAQ afpacket (-1) - afpacket_daq_initialize: Couldn't create the bridge between eth0 and eth0!

It seems that snort does not parse the subinterface in the INTERFACE directive.

On Fri, May 8, 2015 at 8:01 PM, Abdallah Jabbour <abdjbr () gmail com> wrote:

There is no subinterface; all interfaces are the main two with IPs { eth0 (internal interface), eth1 (external interface) } and the others without IPs (eth0.1 and eth1.1). I just manipulated the names of the interfaces (instead of eth3 and eth4 I used eth0.1 and eth1.1). The subinterface would be named eth0:1. I tried to use eth0:eth1 (internal:external), but this will cause the connection to the internet to drop, and if I used this I would also get only traffic destined to the internet.

On Fri, May 8, 2015 at 7:07 PM, Al Lewis (allewi) <allewi () cisco com> wrote:

I think your issue is caused by attempting to use the main interfaces to talk through the subinterfaces. Are you able to pass traffic with just "eth0:eth1"? Have you tried not using the main interfaces and creating two subinterfaces on each side?

Albert Lewis
QA Software Engineer
Sourcefire, Inc., now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Abdallah Jabbour [mailto:abdjbr () gmail com]
Sent: Friday, May 08, 2015 12:16 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] snort inline mode does not capture traffic destined to other machine on the internal network

Hello,

I have set up snort in inline mode and tested it by adding a rule in /etc/snort/rules/local.rules:

alert icmp any any -> any any (msg:"Ping Testing"; sid:1000003; rev:1;)

I am running snort as a service, and I added two pairs of network interfaces to /etc/sysconfig/snort:

INTERFACE="eth0:eth0.1::eth1:eth1.1"

where eth0.1 and eth1.1 do not have IP addresses, and I have enabled promiscuous mode for all network interfaces. But in /var/log/snort/alert I get an alert from the previously defined rule only when I ping an external host or when I ping one of the interfaces of the snort machine. I can confirm that snort is running in inline mode and acquiring network traffic from all network interfaces, from /var/log/messages:

afpacket DAQ configured to inline.
Acquiring network traffic from "eth0:eth0.1::eth1:eth1.1".
Initializing daemon mode
Daemon initialized, signaled parent pid: 1726
Reload thread starting...
Reload thread started, thread 0x7f2f0055c700 (1746)
Checking PID path...
PID path stat checked out ok, PID path set to /var/run/
Writing PID "1745" to file "/var/run//snort_eth0:eth0.1::eth1:eth1.1.pid"
--== Initialization Complete ==--
Commencing packet processing (pid=1745)
Decoding Ethernet
device eth1.1 entered promiscuous mode
device eth1 entered promiscuous mode
device eth0.1 entered promiscuous mode
device eth0 entered promiscuous mode

I cannot get any traffic from local hosts pinging each other (on the internal network). Please assist.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
--
Gregory W. MacPherson, CISSP, Security+, ITIL, Etc.
Founder, IT Security Expert, Global Network Security Exploitation Specialist
http://www.constellationsecurity.com/greg/
wickr: statesman (whitelist mode)
People are bad, therefore we need big government, made up of...PEOPLE!!!
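The INTERFACE string argued over in this thread is worth checking before Snort is started, because the afpacket DAQ reports a failure only after it has already tokenized the string and tried to build the first bridge. The helper below is an added example written for this page, not code from Snort, the DAQ, or any of the posters. Its tokenizing rule (split on ':', ignore empty tokens, pair consecutive names, so "::" is only a visual pair separator) is my reading of the afpacket DAQ's behaviour and should be treated as an assumption; the function names classify(), split_tokens(), parse_inline_pairs() and validate() are mine. Run against the values quoted above it reproduces the "bridge between eth0 and eth0" failure for INTERFACE="eth0:eth0:1" (tokens eth0, eth0, 1), flags a bare ifconfig alias label such as eth0:1 as not being a device, and accepts "eth0:eth0.1::eth1:eth1.1" as two bridges.

```python
"""Check an afpacket DAQ inline interface string before handing it to Snort.

Added example for the snort-users thread above; not Snort or DAQ code.
Assumed tokenizing rule (my reading of the DAQ): names are separated by
':', empty tokens are skipped, and consecutive names form one bridge, so
"eth0:eth0.1::eth1:eth1.1" and "eth0:eth0.1:eth1:eth1.1" are the same.
"""
import re

# Linux device names are at most 15 characters and never contain ':'.
# eth0.1 (VLAN sub-interface) is a real device; eth0:1 is an ifconfig
# IP-alias label on eth0 and is not a device the DAQ can open.
_DEV_RE = re.compile(r"^[A-Za-z0-9_.-]{1,15}$")


def classify(name):
    """Label one interface token by naming scheme (helper name is mine)."""
    if ":" in name:
        return "alias"      # eth0:1 style label, not a device
    if "." in name:
        return "vlan"       # eth0.1 style sub-interface, a real device
    return "plain"          # eth0, eth1, bond0, ...


def split_tokens(spec):
    """Split on ':' and drop empty tokens (assumed DAQ behaviour)."""
    return [tok for tok in spec.split(":") if tok]


def parse_inline_pairs(spec):
    """Pair consecutive names into bridges; raise ValueError naming the
    offending token or pair, in the order the DAQ would hit it."""
    tokens = split_tokens(spec)
    if not tokens:
        raise ValueError("no interface names given")
    pairs, used = [], set()
    for i in range(0, len(tokens) - 1, 2):
        a, b = tokens[i], tokens[i + 1]
        for name in (a, b):
            if not _DEV_RE.match(name):
                raise ValueError("%r is not a valid device name" % name)
            if name.isdigit():
                # Left over from an alias label: "eth0:1" splits into
                # "eth0" and "1", and "1" is not a device.
                raise ValueError(
                    "%r looks like the suffix of an IP alias (ethN:%s), "
                    "which is a label on a device, not a device" % (name, name))
        if a == b:
            # The thread's INTERFACE="eth0:eth0:1" case: the tokens are
            # eth0, eth0, 1, so the first bridge is eth0 <-> eth0.
            raise ValueError("cannot bridge %s with itself" % a)
        if a in used or b in used:
            raise ValueError("%s or %s already belongs to another bridge" % (a, b))
        used.update((a, b))
        pairs.append((a, b))
    if len(tokens) % 2:
        raise ValueError("%r has no partner interface" % tokens[-1])
    return pairs


def validate(spec):
    """Return None when spec is usable, else the error message."""
    try:
        parse_inline_pairs(spec)
    except ValueError as err:
        return str(err)
    return None


if __name__ == "__main__":
    # Constructed inputs: the specs that appear in the thread plus a bare alias.
    for spec in ("eth0:eth0.1::eth1:eth1.1", "eth0:eth1", "eth0:eth0:1", "eth0:1"):
        print("%-26s -> %s" % (spec, validate(spec) or parse_inline_pairs(spec)))
```

The check is deliberately run before Snort starts rather than after a FATAL ERROR in the log: a self-bridge or an alias label is a configuration mistake that no amount of promiscuous-mode fiddling will fix, and the parse order matters, since "eth0:eth0:1" fails on the self-bridge first and never gets as far as the dangling "1".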
Current thread:
- snort inline mode does not capture traffic destined to other machine on the internal network Abdallah Jabbour (May 08)
- Re: snort inline mode does not capture traffic destined to other machine on the internal network Al Lewis (allewi) (May 08)
- Re: snort inline mode does not capture traffic destined to other machine on the internal network Abdallah Jabbour (May 08)
- Re: snort inline mode does not capture traffic destined to other machine on the internal network Abdallah Jabbour (May 08)
- Re: snort inline mode does not capture traffic destined to other machine on the internal network Gregory W. MacPherson (May 09)
- Re: snort inline mode does not capture traffic destined to other machine on the internal network Abdallah Jabbour (May 10)
- Re: snort inline mode does not capture traffic destined to other machine on the internal network Abdallah Jabbour (May 10)
- Re: snort inline mode does not capture traffic destined to other machine on the internal network Abdallah Jabbour (May 08)
- Re: snort inline mode does not capture traffic destined to other machine on the internal network Al Lewis (allewi) (May 08)