Snort mailing list archives
Re: PF_RING and DNA with Snort
From: Avery Rozar <Avery.Rozar () i-techsupport com>
Date: Fri, 16 Aug 2013 17:35:40 +0000
I finally got snort running with pf_ring daq.

/usr/sbin/snort -Q -D -i eth0:eth1 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort

But it's not passing any traffic. If I use afpacket, it works as expected. I'm running snort as a daemon, but I get the same when I run it from the command line.

I installed the driver from the following directory.

/PF_RING-5.6.0/drivers/PF_RING_aware/intel/igb/igb-4.1.2/src/

Here is my daq config from snort.conf

config daq: pfring
config daq_dir: /usr/local/lib/daq
config daq_mode: inline
config daq_var: clusterid=10,11,12,13

snort --daq-list=/usr/local/lib/daq/
Available DAQ modules:
pfring(v1): live inline multi unpriv
pcap(v3): readback live multi unpriv
ipfw(v3): live inline multi unpriv
dump(v2): readback live inline multi unpriv
afpacket(v4): live inline multi unpriv

This is from /etc/sysconfig/snort

QUEUE=1
INTERFACE=eth0:eth1
CONF=/etc/snort/snort.conf

pf_ring module that was loaded

pf_ring.ko enable_tx_capture=1 min_num_slots=8192 transparent_mode=2

Output from pfcount

./pfcount -i eth0
Using PF_RING v.5.6.0
Capturing from eth0 [00:E0:ED:25:A8:48][ifIndex: 8]
# Device RX channels: 1
# Polling threads: 1
Dumping statistics on /proc/net/pf_ring/stats/6244-eth0.14
=========================
Absolute Stats: [0 pkts rcvd][0 pkts filtered][0 pkts dropped]
Total Pkts=0/Dropped=0.0 %
0 pkts - 0 bytes
=========================

=========================
Absolute Stats: [1 pkts rcvd][1 pkts filtered][0 pkts dropped]
Total Pkts=1/Dropped=0.0 %
1 pkts - 84 bytes [1.00 pkt/sec - 0.00 Mbit/sec]
=========================
Actual Stats: 1 pkts [1'000.09 ms][1.00 pps/0.00 Gbps]
=========================

=========================
Absolute Stats: [2 pkts rcvd][2 pkts filtered][0 pkts dropped]
Total Pkts=2/Dropped=0.0 %
2 pkts - 168 bytes [1.00 pkt/sec - 0.00 Mbit/sec]
=========================
Actual Stats: 1 pkts [1'000.09 ms][1.00 pps/0.00 Gbps]
=========================

=========================
Absolute Stats: [3 pkts rcvd][3 pkts filtered][0 pkts dropped]
Total Pkts=3/Dropped=0.0 %
3 pkts - 252 bytes [1.00 pkt/sec - 0.00 Mbit/sec]
=========================
Actual Stats: 1 pkts [1'000.08 ms][1.00 pps/0.00 Gbps]
=========================

On 8/15/13 1:51 PM, "Avery Rozar" <Avery.Rozar () i-techsupport com> wrote:
Yea I did see that this morning as I read the prerequisites. Thanks for your help, I did get pf_ring working properly. Now I just think I'm having issues with the Silicom card, I'm not passing traffic..

On 8/15/13 1:41 PM, "Tim Covel" <tcovel () metaflows com> wrote:

I'm pretty sure you still need the normal daq installed, it's listed as a prerequisite for the pfring-daq-module. Also the normal daq install provides other modules, such as afpacket, which can be really useful in testing.

-Tim

On 08/15/2013 04:12 AM, Avery Rozar wrote:

Thanks Tim. Do you know if it's still necessary to install daq 2.0.1, or should I just use the daq install from "PF_RING/userland/snort/pfring-daq-module/"? Thanks.

On 8/14/13 4:26 PM, "Tim Covel" <tcovel () metaflows com> wrote:

It looks like in newer versions of PF_RING you have to specify multiple clusterid values when using inline mode:

pfring-daq-module/README.1st suggests: "--daq-var clusterid=10,11" in the IPS example, and also explains the clusterid var as:

"--daq-var clusterid=<comma separated id list> where an id is a number (i.e. the clusterId), one for each interface."

It also looks like you are not currently using DNA interfaces; you need to make sure to load the correct driver (PF_RING/drivers/DNA/<driver version>) and start snort using the DNA interfaces the driver creates if you want to use DNA.

-Tim

On 08/14/2013 12:18 PM, Avery Rozar wrote:

Is there an up to date example of using pfring and DNA with Snort? I used the metaflows example, and am running into issues when trying to run snort.

Using this I get an error:

snort -c /etc/snort/snort.conf -A console -y -i eth0:eth1 --daq-dir /usr/local/lib/daq --daq pfring --daq-var clusterid=10 --daq-mode inline Q
pfring DAQ configured to inline.
eth0 <-> eth1
ERROR: Can't initialize DAQ pfring (-1) - pfring_daq_initialize: not enough cluster ids (1)
Fatal Error, Quitting..

And using this I get an error:

snort -c /etc/snort/snort.conf -A console -y -i eth0:eth1 --daq-dir /usr/local/lib/daq --daq pfring --daq-mode inline Q
pfring DAQ configured to inline.
eth0 <-> eth1
ERROR: Can't initialize DAQ pfring (-1) -
Fatal Error, Quitting..

Any help would be great!

------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite!
It's a free troubleshooting tool designed for production.
Get down to code-level detail for bottlenecks, with <2% overhead.
Download for free and get started troubleshooting in minutes.
http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
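A preflight check for the clusterid/interface mismatch Tim describes, as an added example and not code from the thread or from the PF_RING project: it parses the snort.conf daq directives quoted above together with the -i interface spec, and reports the same "not enough cluster ids" condition before Snort is started. The one-id-per-interface rule comes from the README quote; the requirement that inline mode gets an even number of interfaces (pairs such as eth0:eth1) is an assumption.

```python
import re

# Constructed sample: the daq lines from the snort.conf quoted in the thread.
SNORT_CONF = """\
config daq: pfring
config daq_dir: /usr/local/lib/daq
config daq_mode: inline
config daq_var: clusterid=10,11,12,13
"""


def parse_daq_config(conf_text):
    """Collect 'config daq*' directives from snort.conf into a dict.
    daq_var entries (name=value) are gathered under cfg['daq_var']."""
    cfg = {"daq_var": {}}
    for line in conf_text.splitlines():
        m = re.match(r"\s*config\s+(daq\w*)\s*:\s*(.+?)\s*$", line)
        if not m:
            continue
        key, val = m.groups()
        if key == "daq_var":
            name, _, value = val.partition("=")
            cfg["daq_var"][name.strip()] = value.strip()
        else:
            cfg[key] = val
    return cfg


def check_pfring_inline(cfg, iface_spec):
    """Return a list of problems for a pfring inline setup; [] means it passes.
    iface_spec is the -i / INTERFACE value, e.g. 'eth0:eth1'."""
    problems = []
    ifaces = [i for i in re.split(r"[:,]", iface_spec) if i]
    if cfg.get("daq") != "pfring":
        problems.append("daq is %r, expected pfring" % cfg.get("daq"))
    # Assumption: inline mode bridges interface pairs, so the count must be even.
    if cfg.get("daq_mode") == "inline" and len(ifaces) % 2:
        problems.append("inline mode needs interface pairs, got %d" % len(ifaces))
    raw = cfg["daq_var"].get("clusterid", "")
    ids = [x for x in raw.split(",") if x]
    if any(not x.isdigit() for x in ids):
        problems.append("non-numeric clusterid in %r" % raw)
    # README rule: one cluster id per interface; mirrors the DAQ's own error text.
    if len(ids) < len(ifaces):
        problems.append("not enough cluster ids (%d) for %d interfaces"
                        % (len(ids), len(ifaces)))
    return problems
```

Running the check with clusterid=10 against eth0:eth1 reproduces the first failure in the thread, and omitting clusterid entirely reproduces the second.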
Current thread:
- PF_RING and DNA with Snort Avery Rozar (Aug 14)
- Re: PF_RING and DNA with Snort Tim Covel (Aug 14)
- Re: PF_RING and DNA with Snort Avery Rozar (Aug 15)
- Re: PF_RING and DNA with Snort Tim Covel (Aug 15)
- Re: PF_RING and DNA with Snort Avery Rozar (Aug 15)
- Re: PF_RING and DNA with Snort Avery Rozar (Aug 16)
- Re: PF_RING and DNA with Snort Scott Finlon (Aug 16)
- Re: PF_RING and DNA with Snort Avery Rozar (Aug 16)
- Message not available
- Re: PF_RING and DNA with Snort Y M (Aug 16)
- Re: PF_RING and DNA with Snort Avery Rozar (Aug 16)
- Re: PF_RING and DNA with Snort Avery Rozar (Aug 16)
- Re: PF_RING and DNA with Snort Avery Rozar (Aug 15)
- Re: PF_RING and DNA with Snort Tim Covel (Aug 14)