Snort mailing list archives

Re: HTTP INSPECT fails on Mirror Port


From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 23 Jul 2014 05:54:32 -0600

On Tue, 2014-07-22 at 18:33 +0530, Anand Raj Manickam wrote:
Did try with
For Snort:
./configure --with-dnet-includes=/opt/include/
--with-dnet-libraries=/opt/lib --enable-sourcefire
--enable-non-ether-decoders
The behaviour is the same.

For DAQ: # ./configure --with-dnet-includes=/opt/include/
--with-dnet-libraries=/opt/lib
Build AFPacket DAQ module.. : no
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : no
Build NFQ DAQ module....... : yes
Build PCAP DAQ module...... : yes

Not sure why AFPacket fails. But since the testbed is TAP mode, I did not care.


On Mon, Jul 21, 2014 at 10:36 PM, James Lay <jlay () slave-tothe-box net> wrote:
On 2014-07-21 10:41, Anand Raj Manickam wrote:
My understanding was you do not need afpacket for mirror port, since
the setting was pcap - passive. Please correct me if I'm wrong.
snort was configured with ./configure --with-dnet-includes=/xyz
--with-dnet-libraries=/xyz
DAQ without any parameters

On Mon, Jul 21, 2014 at 9:39 PM, James Lay <jlay () slave-tothe-box net>
wrote:
On 2014-07-21 09:52, Anand Raj Manickam wrote:
Hi James,
I have attached the pcap.
Thanks,
Anand

Technically I believe you are right, but at this stage, I'm playing
"spot the differences".  My snort config line:

./configure --prefix=/opt --enable-sourcefire
--with-dnet-libraries=/usr/local/lib --enable-non-ether-decoders

and my daq config and a snippet of that output:

./configure --prefix=/usr

Build AFPacket DAQ module.. : yes
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : no
Build NFQ DAQ module....... : no
Build PCAP DAQ module...... : yes

How does yours differ?

James

At this point I'm out of ideas... perhaps one of the devs can assist.

James
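The "spot the differences" step the thread is doing by eye, as an added example (not code from either poster): a small POSIX shell script that parses the module summary printed at the end of a DAQ ./configure run, reports which modules differ between two builds, and checks that the module the deployment actually needs (pcap for a passive mirror/TAP port, afpacket for inline) was built. The two summaries are constructed from the configure output quoted above; the helper names are my own.

```shell
#!/bin/sh
# Added example: compare DAQ ./configure module summaries.
# Sample summaries constructed from the two outputs quoted in the thread.
ANAND_SUMMARY='Build AFPacket DAQ module.. : no
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : no
Build NFQ DAQ module....... : yes
Build PCAP DAQ module...... : yes'

JAMES_SUMMARY='Build AFPacket DAQ module.. : yes
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : no
Build NFQ DAQ module....... : no
Build PCAP DAQ module...... : yes'

# Turn "Build <Name> DAQ module.. : yes" lines into "<name> yes" pairs.
# Names are lower-cased so they match what `snort --daq-list` prints.
daq_modules() {
    printf '%s\n' "$1" | awk '/^Build .* DAQ module/ { print tolower($2), $NF }'
}

# Print one line per module whose build result differs between summary A and B.
daq_modules_diff() {
    { daq_modules "$1" | sed 's/^/A /'; daq_modules "$2" | sed 's/^/B /'; } |
    awk '$1 == "A" { a[$2] = $3; next }
         a[$2] != $3 { print $2 ": " a[$2] " vs " $3 }'
}

# Succeed only if module $1 reports "yes" in summary $2.
daq_module_built() {
    daq_modules "$2" | grep -q "^$1 yes$"
}

# Which modules differ between the two builds?
daq_modules_diff "$ANAND_SUMMARY" "$JAMES_SUMMARY"
# afpacket: no vs yes
# nfq: yes vs no

# Passive pcap on a mirror port only needs the PCAP DAQ; confirm it is present.
if daq_module_built pcap "$ANAND_SUMMARY"; then
    echo "pcap DAQ built: passive mirror-port mode is possible"
fi
```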

