Snort mailing list archives

Re: Snort inline problem


From: mostafa ammar <mostafaammar79 () gmail com>
Date: Sat, 29 Oct 2016 07:25:31 +0200

Dear All,

I tried a different approach and it worked for me. I used the tutorial here:
https://www.youtube.com/watch?v=41HLTF-8omU

The difference here is to give the Snort VM interfaces IP addresses, so that
Snort works as a router between the 2 networks, and to use iptables to
forward traffic to NFQ:

    sudo iptables -I FORWARD -j NFQUEUE --queue-num 0

and to run Snort using:

    sudo snort --daq nfq --daq-var queue=0 -Q -c snort-2.9.8.3/etc/snort.conf -v -A console

Now Snort can filter traffic normally and drop or pass traffic according to
the rules. Thanks a lot for your support.

On Wed, Oct 19, 2016 at 7:26 PM, mostafa ammar <mostafaammar79 () gmail com>
wrote:

Dear all,

I installed Snort inline on an Ubuntu VM.
I configured /etc/network/interfaces with the following configuration:

auto eth2
iface eth2 inet manual
    up ifconfig eth2 0.0.0.0 up
    up ip link set eth2 promisc on
    post-up ethtool -K eth2 gro off
    post-up ethtool -K eth2 lro off
    down ip link set eth2 promisc off
    down ifconfig eth2 down

# Second Bridged Interface
auto eth3
iface eth3 inet manual
    up ifconfig eth3 0.0.0.0 up
    up ip link set eth3 promisc on
    post-up ethtool -K eth3 gro off
    post-up ethtool -K eth3 lro off
    down ip link set eth3 promisc off
    down ifconfig eth3 down

Currently ping passes successfully between the 2 interfaces, but any other
protocol does not pass. I tried ssh, rdp and http;
the session is reset.
Any suggestions on how to solve this problem?
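
The routed NFQ setup from the reply above, as an offline pre-flight check; this is an added example, not part of the original post or of Snort. It reads `iptables -S FORWARD` output passed in as text; the function names and sample rule text are constructed here, and `--queue-bypass` is an iptables NFQUEUE option that the post does not use.

```sh
#!/bin/sh
# Added example (not from the post): offline check of the routed NFQ setup.
# On a live host, pass the output of `iptables -S FORWARD` and the contents
# of /proc/sys/net/ipv4/ip_forward instead of the constructed sample below.

# nfq_rule_state RULES QUEUE -> prints one word:
#   missing      no FORWARD rule sends packets to that queue
#   shadowed     an unconditional ACCEPT/DROP/REJECT comes before the rule
#   fail-closed  rule present; packets are dropped if nothing reads the queue
#   fail-open    rule has --queue-bypass; packets pass uninspected in that case
nfq_rule_state() {
    rules=$1 queue=$2 early_verdict=no
    while IFS= read -r line; do
        # The appended space keeps queue 1 from matching "--queue-num 10".
        case "$line " in
            "-A FORWARD -j ACCEPT "|"-A FORWARD -j DROP "|"-A FORWARD -j REJECT "*)
                early_verdict=yes ;;
            "-A FORWARD "*"-j NFQUEUE "*"--queue-num $queue "*)
                if [ "$early_verdict" = yes ]; then
                    echo shadowed
                else
                    case "$line " in
                        *" --queue-bypass "*) echo fail-open ;;
                        *) echo fail-closed ;;
                    esac
                fi
                return 0 ;;
        esac
    done <<EOF
$rules
EOF
    echo missing
}

# inline_ready RULES QUEUE IP_FORWARD -> returns 0 only when the VM routes
# packets and the FORWARD chain hands them to the queue Snort reads.
inline_ready() {
    [ "$3" = 1 ] || { echo "ip_forward is off: the VM will not route"; return 1; }
    state=$(nfq_rule_state "$1" "$2")
    echo "queue $2: $state"
    case "$state" in
        fail-closed|fail-open) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: `iptables -S FORWARD` after the -I FORWARD command above.
SAMPLE_RULES='-P FORWARD ACCEPT
-A FORWARD -j NFQUEUE --queue-num 0'
inline_ready "$SAMPLE_RULES" 0 1
```

With the rule exactly as posted the result is fail-closed: forwarded traffic stops whenever Snort is not attached to queue 0.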
