routesinlinesnort

Snort inline mode passes packets, but they never reach destination


I'm running snort in inline mode (afpacket), and here's my setup.

**VM1** (eth0: 10.0.10.20/24)
          ^
          |
          |
          v
(eth0: 10.0.10.10/24)
**Snort** 
(eth1: 10.0.20.10/24) 
          ^
          |
          |
          v
(eth0: 10.0.20.20/24) **VM2**

I run snort with this command:

sudo snort -Q -c /etc/snort/snort.conf -i eth0:eth1 -A console

My snort.conf has the following lines:

config daq: afpacket
config daq_dir: /usr/local/lib/daq/
config daq_mode: inline
config policy_mode: inline
config daq_var: buffer_size_mb=128

And my local.rules file has this one rule:

pass icmp any any -> any any (msg:"received icmp ping"; GID:1; sid:10000001; rev:001; classtype:icmp-event;)

Now, when VM1 pings VM2 (routing has been set up in both machines), I can see that Snort passes the packets from eth0 to eth1 (TX counter of eth1 gets updated). However, the packets do not leave the VM on which Snort is running and do not arrive at VM2. I do not have a clue why this is happening. When using a drop action, VM1 gets "destination unreachable", so I think Snort is running well. But the problem seems to have something to do with the host networking of the VM on which Snort is running.

Any idea why this is happening?

Thanks,


Solution

  • It seems almost impossible to have "true" inline mode with the afpacket DAQ module. I switched to using NFQueue, and everything worked out pretty well.