Snort mailing list archives
Re: trouble with inline mode
From: VM PC <packetstack () gmail com>
Date: Wed, 27 Aug 2014 10:06:27 -0400
Hello Richard,

If possible, add another interface to your sensor for management and remove the IP addresses from the interfaces used for inline operation. I have had many problems before when doing testing and using only two interfaces. The thing that stands out is that you are trying to communicate between two different networks. Are you also routing/NAT on that snort sensor?

On Wed, Aug 27, 2014 at 9:52 AM, Richard Smollett <yawningdogge () gmail com> wrote:
IP setup looks like this.
root@snort:~# ifconfig
eth0 Link encap:Ethernet HWaddr 08:00:27:fd:b5:c4
inet addr:*172.28.61.104* Bcast:172.28.61.127 Mask:*255.255.255.128*
inet6 addr: fe80::a00:27ff:fefd:b5c4/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:472894 errors:5 dropped:15 overruns:0 frame:0
TX packets:15266 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:129789824 (123.7 MiB) TX bytes:2332609 (2.2 MiB)
Interrupt:10 Base address:0xd020
eth1 Link encap:Ethernet HWaddr 08:00:27:97:66:ff
inet addr:*192.168.123.1* Bcast:192.168.123.255 Mask:*255.255.255.0*
inet6 addr: fe80::a00:27ff:fe97:66ff/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:14 errors:0 dropped:0 overruns:0 frame:0
TX packets:438796 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:962 (962.0 B) TX bytes:123829936 (118.0 MiB)
Interrupt:9 Base address:0xd240
The eth0 interface is the outside and eth1 is inside. I'm starting snort
with this command.
snort --daq afpacket -i eth0:eth1 --daq-mode inline -c /etc/snort/snort.conf
But I still cannot ping an inside host from the outside. I can ping
between the snort device and inside/outside hosts. If I ping an inside host
from the outside, tcpdump shows the icmp echo request arriving but no
reply. Inside host ip is 192.168.123.2.
Can anyone recommend some other troubleshooting steps or suggest where I
may have left anything out of the setup?
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest
Snort news!
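The check suggested in the reply above, as an added example that is not part of the original thread: a Python script that parses legacy ifconfig output and reports which members of a DAQ inline pair still carry an IPv4 address, and whether those addresses sit on different subnets. The function names and the eth2 entry are assumptions made for illustration; the eth0/eth1 values are the ones quoted in the thread.

```python
import ipaddress
import re

# Constructed sample in legacy ifconfig format. eth0/eth1 use the values
# quoted in the thread; eth2 is an invented, unaddressed interface.
SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 08:00:27:fd:b5:c4
          inet addr:172.28.61.104  Bcast:172.28.61.127  Mask:255.255.255.128
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth1      Link encap:Ethernet  HWaddr 08:00:27:97:66:ff
          inet addr:192.168.123.1  Bcast:192.168.123.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth2      Link encap:Ethernet  HWaddr 08:00:27:00:00:01
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
"""

INET_RE = re.compile(r"inet addr:(\S+).*?Mask:(\S+)")

def parse_ifconfig(text):
    """Map interface name -> IPv4Interface, or None when no IPv4 address is set."""
    addrs, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():  # an unindented line starts a new interface
            current = line.split()[0]
            addrs[current] = None
        elif current and (m := INET_RE.search(line)):
            addrs[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return addrs

def check_inline_pair(pair, ifconfig_text):
    """Return a list of findings for a DAQ interface pair such as 'eth0:eth1'."""
    addrs = parse_ifconfig(ifconfig_text)
    findings = []
    members = pair.split(":")
    for name in members:
        if name not in addrs:
            findings.append(f"{name}: interface not found")
        elif addrs[name] is not None:
            findings.append(f"{name}: has IPv4 address {addrs[name]} (thread advice: none on inline ports)")
    nets = {addrs[n].network for n in members if addrs.get(n) is not None}
    if len(nets) > 1:  # the two sides of the pair are addressed in different networks
        findings.append("pair spans different subnets: " + ", ".join(sorted(map(str, nets))))
    return findings

if __name__ == "__main__":
    for finding in check_inline_pair("eth0:eth1", SAMPLE_IFCONFIG):
        print(finding)
```

On a live sensor, pass the text captured from ifconfig in place of SAMPLE_IFCONFIG; an empty result means neither inline port carries an IPv4 address.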
Current thread:
- trouble with inline mode Richard Smollett (Aug 27)
- Re: trouble with inline mode VM PC (Aug 27)
- Re: trouble with inline mode James Lay (Aug 27)
