Snort mailing list archives
snort inline mode does not capture traffic destined to other machine on the internal network
From: Abdallah Jabbour <abdjbr () gmail com>
Date: Fri, 8 May 2015 18:16:13 +0200
Hello,
I have set up Snort in inline mode and tested it by adding a rule in
/etc/snort/rules/local.rules:
alert icmp any any -> any any (msg:"Ping Testing"; sid:1000003;rev:1;)
I am running Snort as a service and I added two pairs of network interfaces
to /etc/sysconfig/snort:
INTERFACE="eth0:eth0.1::eth1:eth1.1"
where eth0.1 and eth1.1 do not have IP addresses, and I have enabled
promiscuous mode for all network interfaces.
But in /var/log/snort/alert I get alerts from the previously defined rule only
when I ping an external host or when I ping one of the interfaces of the
Snort machine.
I can confirm that Snort is running in inline mode and acquiring network
traffic from all network interfaces from /var/log/messages:
afpacket DAQ configured to inline.
Acquiring network traffic from "eth0:eth0.1::eth1:eth1.1".
Initializing daemon mode
Daemon initialized, signaled parent pid: 1726
Reload thread starting...
Reload thread started, thread 0x7f2f0055c700 (1746)
Checking PID path...
PID path stat checked out ok, PID path set to /var/run/
Writing PID "1745" to file "/var/run//snort_eth0:eth0.1::eth1:eth1.1.pid"
--== Initialization Complete ==--
Commencing packet processing (pid=1745)
Decoding Ethernet
device eth1.1 entered promiscuous mode
device eth1 entered promiscuous mode
device eth0.1 entered promiscuous mode
device eth0 entered promiscuous mode
I cannot get any traffic from local hosts pinging each other (on the internal
network).
Please assist.
