Snort mailing list archives

Re: Snort in IPS mode


From: turki <turki_00 () yahoo com>
Date: Mon, 16 May 2011 11:10:38 -0700 (PDT)

The reason behind my single interface approach is that I want to run Snort (inline mode) in Amazon cloud and I was 
stopped by the fact that they only allow 1 interface for every running virtual machine instance in EC2.

Thank you Michael for sharing your knowledge.



--- On Mon, 5/16/11, Michael Altizer <maltizer () sourcefire com> wrote:

From: Michael Altizer <maltizer () sourcefire com>
Subject: Re: [Snort-users] Snort in IPS mode
To: snort-users () lists sourceforge net
Received: Monday, May 16, 2011, 9:53 PM

  This is not possible with the current AFPacket DAQ module since I
  never really thought to do that, but it could be modified to do so
  (check if an instance for that interface already exists when opening
  each interface and reuse it instead of trying to reopen and
  failing).  You may be able to do something like that with IPTables
  and the NFQ DAQ module, but I couldn't say for sure.

  On 05/16/2011 09:42 AM, turki wrote:

    What if I only have a single interface card "eth0"?
    Can I redirect/pair the traffic to itself (I know it is
    kind of a silly statement), something like this:

    snort -Q --daq afpacket -i eth0:eth0 -c snort.conf

    --- On Mon, 5/16/11, Michael Altizer <xiche () verizon net> wrote:

      From: Michael Altizer <xiche () verizon net>
      Subject: Re: [Snort-users] Snort in IPS mode
      To: snort-users () lists sourceforge net
      Received: Monday, May 16, 2011, 6:27 AM

      On 05/15/2011 08:09 PM, turki wrote:

        Hi,
        I am new to snort, so I need help here.

        I am trying to run snort in inline mode with
        the following command:

        snort -Q --daq afpacket -i eth0 -c snort.conf

        but snort initialization keeps failing with
        error message:

        afpacket DAQ configured to inline.
        ERROR: Can't initialize DAQ afpacket (-1) - afpacket_daq_initialize: Invalid interface specification: 'eth0'!
        Fatal Error, Quitting..

      In order to have an inline deployment you need at
      least one pair of interfaces for the traffic to flow
      through.  To that end, you need to specify a second
      interface for AFPacket to use to complete the bridge.

      For example:

      snort -Q --daq afpacket -i eth0:eth1 -c snort.conf

      or (two inline pairs):

      snort -Q --daq afpacket -i eth0:eth1::eth2:eth3 -c snort.conf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
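
A pre-flight check for the `-i` value, as an added example that is not part of the original thread or Snort's own code. It applies the rules stated in the replies above (interfaces come in `<if>:<if>` pairs, several pairs are joined with `::`, and an interface cannot be opened twice); the function name and the sample specs are constructed for illustration.

```shell
#!/bin/sh
# Pre-flight check for the value given to: snort -Q --daq afpacket -i <spec>
# Rules taken from the thread: interfaces come in <if>:<if> pairs, several
# pairs are joined with "::", and no interface may be opened twice.
# Prints the reason and returns 1 when the spec cannot work inline.
check_afpacket_inline_spec() {
    spec=$1
    rest=$spec
    seen=" "
    [ -n "$spec" ] || { echo "empty interface specification"; return 1; }
    while [ -n "$rest" ]; do
        # Split off the next pair at the first "::" separator.
        case $rest in
            *::*) pair=${rest%%::*}; rest=${rest#*::}
                  [ -n "$rest" ] || { echo "trailing '::' in '$spec'"; return 1; } ;;
            *)    pair=$rest; rest= ;;
        esac
        # A pair is exactly two non-empty names around one colon.
        case $pair in
            *:*:*|:*|*:|"")
                echo "'$pair' is not an <if>:<if> pair"; return 1 ;;
            *:*)
                a=${pair%%:*}; b=${pair#*:} ;;
            *)
                echo "'$pair' is a single interface; inline mode needs a pair"
                return 1 ;;
        esac
        # Reject any interface that already appeared (covers eth0:eth0).
        for ifc in "$a" "$b"; do
            case $seen in
                *" $ifc "*)
                    echo "interface '$ifc' is used more than once"; return 1 ;;
            esac
            seen="$seen$ifc "
        done
    done
    return 0
}

# Constructed sample specs, including the single-interface forms from the thread.
for s in eth0 eth0:eth0 eth0:eth1 eth0:eth1::eth2:eth3; do
    if why=$(check_afpacket_inline_spec "$s"); then
        echo "ok      $s"
    else
        echo "reject  $s  ($why)"
    fi
done
```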