Re: Snort and PF_RING DAQ

[Joel Esler <jesler () sourcefire com>]

Please let me know if I can help by hosting on Snort.org, linking to you from Snort.org, blog post, etc.  

-- 
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager


On Wednesday, June 6, 2012 at 6:52 AM, Jaime Nebrera wrote:

> Hi Peter,
>
> We have been working along the same lines and hope to make our DAQ 
> public very soon. We are just preparing the website to support this effort.
>
> On 06/06/12 12:40, Peter Bates wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> >
> > Hello all
> >
> > I've been testing a recent Snort and PF_RING (5.4.x) from SVN
> > and the DAQ bundled with that.
> >
> > Obviously the DAQ is slightly 'non-standard' as it is not bundled with
> > the usual DAQ distribution.
> >
> > During test I notice that the DAQ cannot acquire traffic unless Snort
> > is running as root - something I've avoided doing with Snort by
> > specifying a specific user/group with -u and -g for many years.
> >
> > Is this privilege problem a fault of PF_RING, or a problem with Snort
> > not dropping privileges at the right point?
> >
> > Thanks.
> >
> > - -- 
> > Peter Bates
> > Senior Computer Security Officer Phone: +44(0)2076792049
> > Information Services Division Internal Ext: 32049
> > University College London
> > London WC1E 6BT
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v2.0.17 (MingW32)
> > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
> >
> > iQEcBAEBAgAGBQJPzzOgAAoJELhVoVpEMS6RhIkH/izHttzTWEBjM5Gi1aRNEs2n
> > nlW3AGQbrOeV6ZNRTucVThL2sH0qOd3fylDm57Yz1LVhVIWMogzQt3q81ql5uFYf
> > YmyqXgyunaXX8/Bd3B0UbZ4r//YsJH5o1LKbD91x3+4lQqduFk8x4/CiWlLp9dOt
> > 6HqLt7NPbQSrdvEYAcbiYild7LbhFJ4x5CNH9367D5TxQjO9oP6TnhyemiE0/n3z
> > SUxz7mMLH1Ap3FISCCW71GcRSpb9r/b6Vyyk67htjm/WQASlyqH3YfsG1DGWhsNf
> > 2dKkM2Aoy2nBdHxKxP7eMa9TWSqHV8EouEcpvn+A6ptHIc8KqzwEFq1ZbCo2sQM=
> > =FIrk
> > -----END PGP SIGNATURE-----
> >
> >
> > ------------------------------------------------------------------------------
> > Live Security Virtual Conference
> > Exclusive live event will cover all the ways today's security and
> > threat landscape has changed and how IT managers can respond. Discussions
> > will include endpoint security, mobile security and the latest in malware
> > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest Snort news!
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and 
> threat landscape has changed and how IT managers can respond. Discussions 
> will include endpoint security, mobile security and the latest in malware 
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news! 

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!