Re: Snort in Inline Mode on CentOS 6.3

[Y M <snort () outlook com>]

It will be largely dependant on the output plugin you are using. In case of Snorby, although I don't use it, will 
eventually read from a database; MySQL. In this case, it is a practice to let Snort output to unified2, and let 
barnyard2 parse unfied2 logs into the database, from which Snorby will read data.

Hope you get your setup done.

YM
________________________________
From: Okeowo, Ayo<mailto:gadmin () cyberdrobe com>
Sent: ‎2/‎6/‎2013 6:43 PM
To: Y M<mailto:snort () outlook com>
Subject: Re: [Snort-users] Snort in Inline Mode on CentOS 6.3

YM,

Thanks for the response. I would have never have thought of increasing my
interfaces (virtual interfaces) to 3 to make it work. I will try that when
I get home and let you know.

So this will allow my drop and alert rules to pop-up on Snorby? Once it
works I will then go ahead and configure preprocessor etc.

And I also hope to combine my command line with --alert-before-pass switch.

On Wed, Feb 6, 2013 at 10:28 AM, Y M <snort () outlook com> wrote:

>  You will need 3 interfaces. Two will be in transparent mode and the
> third will be used for management. When you run Snort in inline mode, you
> would use, for example: -i eth0:eth1, or the bridge if you will be using a
> bridge and eth3 for management.
>
> YM
>  ------------------------------
> From: Okeowo, Ayo <gadmin () cyberdrobe com>
> Sent: 2/6/2013 6:22 PM
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] Snort in Inline Mode on CentOS 6.3
>
>  Hello Folks,
>
> Has anyone successfully setup Snort 2.9.4 on CentOS 6.3 with functioning
> IPS(Inline Mode) using 2 interfaces (1 for sniffing traffic and 2nd for
> management)?
>
> I'm having a few issues, although I haven't sat down to address it yet due
> to my day job sucking my time. The first issue is, if I use 1 interface and
> put Snort to Inline Mode, my drop rules don't work. Second, if I use 2
> interfaces, both Alert and Drop rules cease to work and I get nothing on
> Snorby.
>
> Any insight to this issue will be appreciated. Like I said I haven't sat
> down to troubleshoot this issue but your response will help.
>
> Thanks.
> Ayo
------------------------------------------------------------------------------
Free Next-Gen Firewall Hardware Offer
Buy your Sophos next-gen firewall before the end March 2013 
and get the hardware for free! Learn more.
http://p.sf.net/sfu/sophos-d2d-feb

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!