snort, ids, netplan, ips

Snort doesn't drop packets


I have the following network configured on Linux machines virtualized on VMware:

Host1 - Bridge (Snort-IPS installed) - Host2

I have found a tutorial by Noah Dietrich on this topic: https://sublimerobots.com/2016/02/snort-ips-inline-mode-on-ubuntu/

The tutorial says that packets need to flow through the machine running Snort, not just reach it, because that is the only way Snort can drop packets.

This is the network interface configuration for packets going through Snort (IPS):

#Administrative interface
auto eth0
iface eth0 inet dhcp

#First bridged interface
auto eth1
iface eth1 inet manual
up ifconfig $IFACE 0.0.0.0 up
up ip link set $IFACE promisc on
post-up ethtool -K $IFACE gro off
post-up ethtool -K $IFACE lro off
down ip link set $IFACE promisc off
down ifconfig $IFACE down

#Second Bridged Interface
auto eth2
iface eth2 inet manual
up ifconfig $IFACE 0.0.0.0 up
up ip link set $IFACE promisc on
post-up ethtool -K $IFACE gro off
post-up ethtool -K $IFACE lro off
down ip link set $IFACE promisc off
down ifconfig $IFACE down

I need to put the same configuration into Netplan on Ubuntu. I have no idea how, because Netplan uses different syntax. I hope Snort will drop packets if I write the Netplan file correctly. If not, I will look for another solution.


Solution

  • Solved. Snort works as a bridge on its own. I had to delete the bridge (br0) configuration in Netplan. All you need are two network interfaces without an IP address (ens38, ens39) on the Snort host and the command:

    snort -c /.../snort.lua -i ens38:ens39 -Q --daq afpacket --daq-mode inline -A fast

    So, Snort was working fine. I had added a completely unnecessary alternative route, and Snort couldn't stop those packets. Snort can only affect packets that pass through it.
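As an added example (not part of the original question or answer), here is a Netplan file matching the answer's setup: ens38 and ens39 are left without any address so Snort can sit inline between them, and only the administrative interface gets DHCP. The administrative interface name (ens37) is an assumption; ens38/ens39 come from the answer.

```yaml
# /etc/netplan/01-snort-inline.yaml (constructed example)
# Renders to systemd-networkd; there is no br0 here on purpose.
# Snort itself joins ens38:ens39 with "-i ens38:ens39 -Q --daq afpacket --daq-mode inline".
network:
  version: 2
  renderer: networkd
  ethernets:
    # Administrative interface (assumed name): the only one with an IP address.
    ens37:
      dhcp4: true

    # First inline interface: link comes up, but no IPv4/IPv6 is ever assigned,
    # so the IPS host is not addressable on the inspected segment.
    ens38:
      dhcp4: false
      dhcp6: false
      accept-ra: false
      link-local: []

    # Second inline interface: identical, address-less configuration.
    ens39:
      dhcp4: false
      dhcp6: false
      accept-ra: false
      link-local: []
```

Netplan has no equivalent of the `ethtool -K $IFACE gro off / lro off` lines from the original interfaces file, so if you still want those offloads disabled you have to run ethtool separately (for example from a systemd unit started before Snort). Apply with `sudo netplan apply` and confirm with `ip addr show ens38` that the link is UP and carries no address.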