LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 05-24-2010, 11:57 AM   #1
yngmike
LQ Newbie
Registered: Sep 2007
Posts: 10

bridge layer 2 issues with iptables (using snort on CentOS 5.4)


OK, let me start off with thanks for checking my post.

I am running snort in a single process to monitor a software bridge (br0) interface. I am receiving data that is being read fine by snort and inserted into my database. I am however concerned that not all data might be getting into snort, because iptables might be dropping most of the layer 2 packets. eth1-5 do not have IP addresses assigned to them. I'm not seeing the throughput I would expect given the amount of traffic on the wire. Does anybody have any idea if I'm doing this wrong? "ifconfig" doesn't report any drops and snort is running happily along at about 20% CPU usage on a dual-core 3 GHz Xeon @ 800 MHz bus speed.

I'm not an iptables guy but I have added the following to the ACCEPT chain. I read somewhere that iptables blocks layer 2 by default but I can't figure out where to turn it off.


Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  220 22180 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     all  --  br0    any     anywhere             anywhere
    0     0 ACCEPT     all  --  eth5   any     anywhere             anywhere
    0     0 ACCEPT     all  --  eth4   any     anywhere             anywhere
    0     0 ACCEPT     all  --  eth3   any     anywhere             anywhere
    0     0 ACCEPT     all  --  eth2   any     anywhere             anywhere
    0     0 ACCEPT     all  --  eth1   any     anywhere             anywhere

OS: CentOS 5.4 i386 2.6.18-194.3.1.el5
iptables-1.3.5-5.3.el5_4.1
bridge-utils-1.1-2

NICs: 2x embedded, 1x Intel quad-port PCIe card (6x NICs total)

I am currently running snort Version 2.8.5.1 (Build 114)

I have installed bridge-utils and added NICs eth1-5 to the bridge (eth0 is management).

Used brctl to add the NICs to the bridge.
bridge name     bridge id               STP enabled     interfaces
br0             xxxx.xxxxxxxxxxxx       no              eth5
                                                        eth4
                                                        eth3
                                                        eth2
                                                        eth1


My NICs are connected to Cisco switches using monitor mode to place the IP packets on the wire (not allowing the switch to read packets back).




THANKS!!!!!!!!!!!!
Old 05-24-2010, 12:48 PM   #2
acid_kewpie
Moderator
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

You would want to check ebtables to filter L2. Iptables only deals with L3 and slightly upwards.
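A quick audit of the situation both posts describe, as an added example that is not code from either poster. It reports the bridge-nf sysctls that decide whether bridged frames are handed to iptables at all, and parses `iptables -L -v -n` and `ebtables -L` output for chain policies and rules that have never matched. The iptables sample is the table posted above; the ebtables listing is a constructed empty one. The sysctl file names under /proc/sys/net/bridge and the two tools' output layouts are assumed from stock kernels and packages, not stated on the page.

```shell
#!/bin/sh
# Added example, not from the thread. Checks whether a Linux bridge's frames can
# reach iptables/ebtables and whether any chain policy would actually drop them.
# Assumed (not on the page): sysctl files under /proc/sys/net/bridge, and the
# text layouts of `iptables -L -v -n` and `ebtables -L`.

# Print "CHAIN POLICY" for every built-in chain header in `iptables -L -v -n`
# output read from stdin. A DROP policy here is what would discard traffic.
chain_policies() {
    awk '$1 == "Chain" && $3 == "(policy" { print $2, $4 }'
}

# Print "TARGET IN-IFACE" for every rule whose packet counter is still 0.
# Zero hits on INPUT rules is expected for a sniffing bridge: only frames
# addressed to the host itself reach INPUT. Forwarded frames traverse FORWARD
# (and only when bridge-nf-call-iptables=1), so per-interface ACCEPT rules
# in INPUT never match and cannot be what drops traffic.
zero_hit_rules() {
    awk '$1 ~ /^[0-9]+$/ && $1 + 0 == 0 { print $3, $6 }'
}

# Print "CHAIN POLICY" for each chain in `ebtables -L` output on stdin.
ebtables_policies() {
    awk '$1 == "Bridge" && $2 == "chain:" { c = $3; sub(/,$/, "", c); print c, $NF }'
}

# Report the bridge-nf sysctls from a directory (default /proc/sys/net/bridge).
# "absent" means this kernel never passes bridged frames to iptables at all.
bridge_nf_state() {
    dir=${1:-/proc/sys/net/bridge}
    [ -r "$dir/bridge-nf-call-iptables" ] || { echo absent; return 0; }
    printf 'iptables=%s ip6tables=%s arptables=%s\n' \
        "$(cat "$dir/bridge-nf-call-iptables")" \
        "$(cat "$dir/bridge-nf-call-ip6tables" 2>/dev/null || echo '?')" \
        "$(cat "$dir/bridge-nf-call-arptables" 2>/dev/null || echo '?')"
}

# Run the checks against the live system (needs root for the table listings).
live_audit() {
    echo "bridge-nf: $(bridge_nf_state)"
    command -v iptables >/dev/null 2>&1 && iptables -L -v -n | chain_policies
    command -v ebtables >/dev/null 2>&1 && ebtables -L | ebtables_policies
    return 0
}

# Sample input: the INPUT chain exactly as posted in the thread.
SAMPLE_IPTABLES='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  220 22180 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     all  --  br0    any     anywhere             anywhere
    0     0 ACCEPT     all  --  eth5   any     anywhere             anywhere
    0     0 ACCEPT     all  --  eth4   any     anywhere             anywhere
    0     0 ACCEPT     all  --  eth3   any     anywhere             anywhere
    0     0 ACCEPT     all  --  eth2   any     anywhere             anywhere
    0     0 ACCEPT     all  --  eth1   any     anywhere             anywhere'

# Constructed sample: an untouched ebtables filter table (all policies ACCEPT).
SAMPLE_EBTABLES='Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 0, policy: ACCEPT

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT'

case "${1-}" in
    --live) live_audit ;;
    *)
        echo "iptables chain policies:"
        printf '%s\n' "$SAMPLE_IPTABLES" | chain_policies
        echo "rules with zero hits (target in-iface):"
        printf '%s\n' "$SAMPLE_IPTABLES" | zero_hit_rules
        echo "ebtables chain policies:"
        printf '%s\n' "$SAMPLE_EBTABLES" | ebtables_policies
        ;;
esac
```

Run it with `--live` as root on the sensor to see the real values; without arguments it runs over the embedded samples. Against the posted table it reports the INPUT policy as ACCEPT and six never-matched rules (br0, eth5 to eth1): nothing in that chain is dropping anything, and the zero counters are the normal result of bridged frames bypassing INPUT rather than a sign of loss.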