Snort mailing list archives
Re: pcap DAQ does not support inline
From: Y M <snort () outlook com>
Date: Wed, 24 Apr 2013 19:15:39 +0300
eth0 and eth1 will be used by Snort only to pass traffic inline. The third interface I mentioned earlier, eth2, will be used for management. In this case you will not be interfering with the traffic.

________________________________
From: Joao Daniel Neves <joaodanielnevesss () hotmail com>
Sent: 4/24/2013 6:56 PM
To: Y M <snort () outlook com>
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] pcap DAQ does not support inline

YM,

But if this pair of interfaces is being used for normal traffic? Example:

/usr/local/bin/snort --daq afpacket -Q -c /etc/snort/snort.conf -i eth0:eth1

If a database is listening on interface eth1, I can't access this database. I can't access anything listening on eth0 and eth1. Will I need a pair of 'idle' interfaces?

To: joaodanielnevesss () hotmail com
CC: snort-users () lists sourceforge net
From: snort () outlook com
Subject: RE: [Snort-users] pcap DAQ does not support inline
Date: Wed, 24 Apr 2013 17:20:00 +0300

The two interfaces will be used by Snort; you will need a third interface for management, i.e. ssh, database, etc. Also don't forget to set the daq mode, look for --daq-mode. I haven't used ipfw, so I can't add on that.

Please, when you reply, reply to the entire list, everybody benefits :)

From: Joao Daniel Neves
Sent: 4/24/2013 4:28 PM
To: Y M
Subject: RE: [Snort-users] pcap DAQ does not support inline

Hi YM,

/usr/local/bin/snort --daq afpacket -Q -c /etc/snort/snort.conf -i eth0:eth1

I'm using this line to start Snort. As I searched, afpacket needs two interfaces: "In order to have an inline deployment you need at least one pair of interfaces for the traffic to flow through. To that end, you need to specify a second interface for AFPacket to use to complete the bridge."

But for some reason, when I used two interfaces things got weird. I lost SSH access to Snort. I think that the reason is that the traffic flows through one interface to another.

Do you have some clues about this issue?

My available daq modules are:

pcap(v3): readback live multi unpriv
ipfw(v2): live inline multi unpriv
dump(v1): readback live inline multi unpriv
afpacket(v4): live inline multi unpriv

Which module can I use to enable inline mode without needing to specify two interfaces? I think that it would be ipfw, but as far as I know ipfw is for BSD and I'm not using BSD.

To: joaodanielnevesss () hotmail com; snort-users () lists sourceforge net
From: snort () outlook com
Subject: RE: [Snort-users] pcap DAQ does not support inline
Date: Mon, 22 Apr 2013 18:56:45 +0300

pcap does not support inline mode, it is meant for passive mode only. Instead, use afpacket for inline mode. To make sure it is installed, run Snort as

snort --daq-list

This will return a list of the installed daq modules.

From: Joao Daniel Neves
Sent: 4/22/2013 6:47 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] pcap DAQ does not support inline

Hi,

I'm getting this error when running Snort in inline mode: "ERROR: pcap DAQ does not support inline". I have searched on Google, but did not get anything useful. The point is I don't even know why this is happening. What do you suggest?

Some information for debugging:

My daq dir is /usr/local/lib/daq

ls /usr/local/lib/daq
daq_afpacket.la daq_afpacket.so daq_dump.la daq_dump.so daq_ipfw.la daq_ipfw.so daq_pcap.la daq_pcap.so

I tried to start Snort with

/usr/local/bin/snort -Q -i eth1 --daq-dir /usr/local/lib/daq/ -c /etc/snort/snort.conf
/usr/local/bin/snort -Q -de --daq nfq --daq-dir /usr/local/lib/daq -c /etc/snort/snort.conf
/usr/local/bin/snort --daq pcap -Q -c /etc/snort/snort.conf -i eth0:eth1
/usr/local/bin/snort -Q -c /etc/snort/snort.conf -i eth0:eth1

None of them worked.

Some more information:

/usr/lib/libpcap.a
/usr/lib/libpcap.so
/usr/lib/libpcap.so.0
/usr/lib/libpcap.so.0.9
/usr/lib/libpcap.so.0.9.4
/usr/lib/libpcap.so.1
/usr/lib/libpcap.so.1.3.0
/usr/lib64/libpcap.so.0
/usr/lib64/libpcap.so.0.9
/usr/lib64/libpcap.so.0.9.4
/usr/local/lib/libpcap.a
/usr/local/lib/libpcap.so
/usr/local/lib/libpcap.so.1
/usr/local/lib/libpcap.so.1.3.0
/usr/local/lib/daq/daq_pcap.la
/usr/local/lib/daq/daq_pcap.so

Maybe those multiple versions of pcap are causing the error?
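An added pre-flight check for the afpacket inline launch discussed in this thread (example code, not from the thread or the Snort project): it confirms from `snort --daq-list` output that the chosen DAQ module advertises inline support, and refuses a bridge pair that contains the management interface, which is how the sensor's own SSH session gets swallowed. The sample --daq-list text is constructed from the four modules the thread lists; the command builder assumes Snort's --daq-mode inline option that the reply points to.

```shell
#!/bin/sh
# Added pre-flight check for an inline afpacket Snort launch (example code,
# not from the thread). Assumes the --daq-list line format the thread shows,
# e.g. "afpacket(v4): live inline multi unpriv", and Snort's --daq-mode option.

# daq_supports_inline LIST MODULE: succeed if MODULE advertises "inline" in LIST
daq_supports_inline() {
    printf '%s\n' "$1" | grep -Eq "^$2\(v[0-9]+\):( [a-z]+)* inline( [a-z]+)*$"
}

# inline_args_ok BRIDGE MGMT: BRIDGE must be "ethA:ethB" with two distinct
# interfaces, and MGMT must be a third interface outside the bridge, so that
# ssh/database traffic to the sensor is never swallowed by the inline pair.
inline_args_ok() {
    bridge=$1; mgmt=$2
    case $bridge in
        *:*) ;;
        *) echo "afpacket inline needs an interface pair, e.g. eth0:eth1" >&2; return 1 ;;
    esac
    a=${bridge%%:*}; b=${bridge#*:}
    if [ -z "$a" ] || [ -z "$b" ] || [ "$a" = "$b" ]; then
        echo "bridge pair must be two distinct interfaces" >&2; return 1
    fi
    case $mgmt in
        ""|"$a"|"$b")
            echo "management interface must be a third NIC, not $a or $b" >&2
            return 1 ;;
    esac
    return 0
}

# build_inline_cmd DAQ BRIDGE CONF: print the launch line with the DAQ mode set
# explicitly (two-dash options; mail clients often turn "--" into a dash).
build_inline_cmd() {
    printf '/usr/local/bin/snort --daq %s --daq-mode inline -Q -c %s -i %s\n' "$1" "$3" "$2"
}

# Constructed sample of `snort --daq-list` output, using the modules named in the thread.
SAMPLE_DAQ_LIST='pcap(v3): readback live multi unpriv
ipfw(v2): live inline multi unpriv
dump(v1): readback live inline multi unpriv
afpacket(v4): live inline multi unpriv'

# Example run: pcap is passive-only; afpacket may bridge eth0:eth1 with eth2 for management.
daq_supports_inline "$SAMPLE_DAQ_LIST" pcap || echo "pcap: passive only, as the thread's error says"
if daq_supports_inline "$SAMPLE_DAQ_LIST" afpacket && inline_args_ok eth0:eth1 eth2; then
    build_inline_cmd afpacket eth0:eth1 /etc/snort/snort.conf
fi
```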