Snort mailing list archives

Re: Snort inline


From: "Al Lewis \(allewi\) via Snort-users" <snort-users () lists snort org>
Date: Thu, 7 Mar 2019 18:34:19 +0000

Hello,

See the readme file that comes with the daq download for complete details…


AFPACKET Module
===============

afpacket functions similar to the pcap DAQ but with better performance:

    ./snort --daq afpacket -i <device>
            [--daq-var buffer_size_mb=<#MB>]
            [--daq-var debug]

If you want to run afpacket in inline mode, you must craft the device string as
one or more interface pairs, where each member of a pair is separated by a
single colon and each pair is separated by a double colon like this:

    eth0:eth1

or this:

    eth0:eth1::eth2:eth3

By default, the afpacket DAQ allocates 128MB for packet memory.  You can change
this with:

    --daq-var buffer_size_mb=<#MB>

Note that the total allocated is actually higher; here's why.  Assuming the
default packet memory with a snaplen of 1518, the numbers break down like this:

* The frame size is 1518 (snaplen) + the size of the AFPacket header (66
  bytes) = 1584 bytes.

* The number of frames is 128 MB / 1518 = 84733.

* The smallest block size that can fit at least one frame is 4 KB = 4096 bytes
  @ 2 frames per block.

* As a result, we need 84733 / 2 = 42366 blocks.

* Actual memory allocated is 42366 * 4 KB = 165.5 MB.

NOTE: Linux kernel version 2.6.31 or higher is required for the AFPacket DAQ
module due to its dependency on both TPACKET v2 and PACKET_TX_RING support.

Thanks.

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi () cisco com


From: Snort-users <snort-users-bounces () lists snort org> on behalf of Lucero Guerrero Flores <lucero.guerrero () ipicyt edu mx>
Date: Thursday, March 7, 2019 at 12:56 PM
To: "snort-users () lists snort org" <snort-users () lists snort org>
Subject: [Snort-users] Snort inline


Dear all. Could you help me learn how to configure Snort IDS as Snort inline with the DAQ af_packet? I have installed Snort 3 on Ubuntu Server 18.04. Thank you.

--
   TSU. Lucero Guerrero Flores
   Information security analyst

   Instituto Potosino de Investigación Científica y Tecnológica, A.C.
   Camino a la Presa San José 2055, Lomas 4a. secc.
   Ext. 2716  Cel. (444)1206676

   www.cns-ipicyt.mx
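The two rules in the README section Al pasted above (the `a:b::c:d` inline device string, and the frame/block arithmetic behind the 165.5 MB figure) are easy to get wrong when sizing a sensor, so here is a small added example that checks both before Snort is started. It is not code from the DAQ project or from either poster; the 66-byte header and the sample numbers are taken from the README, while the 4096-byte page size used for block rounding, the integer-division (truncating) steps, and the function names are assumptions of this example.

```python
"""Added example: validate an afpacket inline device string and reproduce the
afpacket packet-memory arithmetic quoted in the DAQ README.

Assumptions (not from the README): host page size is 4096 bytes, blocks are
whole pages, and every division truncates as the README's worked numbers do.
"""
from typing import Dict, List, Tuple

AFPACKET_HDR_BYTES = 66   # per-frame header size stated in the README
PAGE_SIZE = 4096          # assumed host page size; blocks are page multiples


def parse_inline_pairs(device: str) -> List[Tuple[str, str]]:
    """Split 'eth0:eth1::eth2:eth3' into (a, b) bridge pairs.

    Rejects strings that would not actually bridge traffic: a lone interface,
    an empty member, a pair whose members are the same device, or an
    interface that appears in more than one pair.
    """
    if not device:
        raise ValueError("empty device string")
    pairs: List[Tuple[str, str]] = []
    seen = set()
    for pair in device.split("::"):          # pairs are separated by '::'
        members = pair.split(":")            # members of a pair by ':'
        if len(members) != 2 or not all(members):
            raise ValueError(f"inline mode needs 'a:b' pairs, got {pair!r}")
        a, b = members
        if a == b:
            raise ValueError(f"pair members must differ: {pair!r}")
        if a in seen or b in seen:
            raise ValueError(f"interface reused across pairs: {pair!r}")
        seen.update((a, b))
        pairs.append((a, b))
    return pairs


def afpacket_allocation(buffer_size_mb: int = 128, snaplen: int = 1518) -> Dict[str, float]:
    """Return the frame/block breakdown for a given buffer_size_mb and snaplen.

    Follows the README's steps: frame = snaplen + header; frames fit into the
    requested buffer; blocks are the smallest page multiple that holds at
    least one frame; actual memory is whole blocks, so it exceeds the request.
    """
    if buffer_size_mb <= 0 or snaplen <= 0:
        raise ValueError("buffer_size_mb and snaplen must be positive")
    frame_size = snaplen + AFPACKET_HDR_BYTES
    requested_bytes = buffer_size_mb * 1024 * 1024
    frames = requested_bytes // frame_size
    # smallest whole number of pages that fits one frame (4 KB for a 1518 snaplen)
    block_size = -(-frame_size // PAGE_SIZE) * PAGE_SIZE
    frames_per_block = block_size // frame_size
    blocks = frames // frames_per_block       # truncating, as in the README
    actual_bytes = blocks * block_size
    return {
        "frame_size": frame_size,
        "frames": frames,
        "block_size": block_size,
        "frames_per_block": frames_per_block,
        "blocks": blocks,
        "actual_bytes": actual_bytes,
        "actual_mb": round(actual_bytes / (1024 * 1024), 1),
    }


if __name__ == "__main__":
    print(parse_inline_pairs("eth0:eth1::eth2:eth3"))
    for key, value in afpacket_allocation(128, 1518).items():
        print(f"{key:>16}: {value}")
```

Running the module with the README's defaults reproduces its figures (1584-byte frames, 84733 frames, 4096-byte blocks holding 2 frames each, 42366 blocks, 165.5 MB actually allocated); raise `--daq-var buffer_size_mb` or the snaplen and the same function shows how much memory the sensor will really pin, which is the number to budget for on an inline box that must not drop packets.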