Snort mailing list archives
Re: No bridging support with Daq?
From: NA <dustypath () comcast net>
Date: Thu, 16 Dec 2010 16:32:20 -0800
Thanks Jason,

The IFACE variable in /etc/conf.d/snort was not correct. This actually works with the bridge up although that would defeat multiple purposes. Right now that bridge is my access to ssh. I will have to search for ways to manage a Snort box. I have only two NICs, could set up a VLAN I guess or just use a 20' svga cable!

I do thank you all and will post a summary for others in the forum.

Bill

On 12/16/10 1:58 PM, Jason Wallace wrote:
> Just bring the interfaces up with no IP addresses. They do not need to be bridged. snort/afpacket will handle passing the traffic from one interface to another.
>
> If you are using the standard install from the ebuild put the following in your snort.conf
>
>     config daq: afpacket
>     config daq_mode: inline
>     config daq_dir: /usr/lib64/daq/
>
> and then in /etc/conf.d/snort set IFACE to eth0:eth1 (or whatever you are using).
>
> Also are you using daq 0.3? If so, 0.4 is in portage as is snort 2.9.0.2. DAQ 0.4 resolves an issue where not all the daq modules were actually being built.
>
> http://forums.gentoo.org/viewtopic-t-848607-highlight-.html
>
> Again, this was resolved in 0.4
>
> On Thu, Dec 16, 2010 at 4:30 PM, NA <dustypath () comcast net> wrote:
> > With
> >
> >     /usr/bin/snort --daq-dir /usr/lib64/daq --daq-mode inline --daq afpacket -i eth0:eth1
> >
> > This started, but ignored afpacket, I assume because the bridge needs to go away. I am not however following the statement that afpacket will take care of the bridge, begging the question, how do I set up the interfaces? I would appreciate more documentation on DAQ.
> >
> > OUTPUT:
> > Running in packet dump mode
> > <snip>
> >
> > I have read the DAQ and Snort DAQ tarballs and cannot get the interface loaded via snort.conf, probably missing something, confusing passing the interface to DAQ with the interface Snort needs to listen on... one and the same though? I have not looked/changed much in snort.conf yet. I will try "config interface: eth0:eth1" again with the bridge deleted but would appreciate any further comments.
> >
> > Thanks
> >
> > On 12/16/10 12:53 PM, Russ Combs wrote:
> > > On Thu, Dec 16, 2010 at 3:44 PM, Jason Wallace <jason.r.wallace () gmail com> wrote:
> > > > On Thu, Dec 16, 2010 at 3:37 PM, Russ Combs <rcombs () sourcefire com> wrote:
> > > > > On Thu, Dec 16, 2010 at 3:30 PM, Jason Wallace <jason.r.wallace () gmail com> wrote:
> > > > > > The issue with Gentoo and the IPQ and NFQ DAQs is that the current ebuild for libdnet does not compile with PIC so we get relocation errors when we try to build those DAQs. We need to get the libdnet package maintainer to roll a package with the PIC USE flag before I can add IPQ and NFQ support to the DAQ ebuild.
> > > > > >
> > > > > > If you use afpacket you shouldn't need to bridge should you? Isn't that the point of assigning interface pairs?
> > > > > >
> > > > > > ./snort --daq afpacket -i eth0:eth1
> > > > > >
> > > > > > Rather than...
> > > > > >
> > > > > > ./snort --daq afpacket -i bond0
> > > > >
> > > > > Correct. config daq_var: device=eth1:eth0 is not correct.
> > > >
> > > > Did you mean is correct?
> > >
> > > Yes - what Wally wrote is correct. Specifically:
> > >
> > > ./snort --daq afpacket -i eth0:eth1
> > >
> > > should work.
> > >
> > > > > NA please check the DAQ tarball README.
> > > > >
> > > > > You can run as shown above or with config interface: eth0:eth1.
> > > > >
> > > > > The afpacket DAQ takes care of the bridging.
> > > > > snip

------------------------------------------------------------------------------
Lotusphere 2011
Register now for Lotusphere 2011 and learn how to connect the dots, take your collaborative environment to the next level, and enter the era of Social Business.
http://p.sf.net/sfu/lotusphere-d2d
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
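An added example, not part of the thread: a shell check for the two settings discussed above, the `config daq` / `config daq_mode` lines in snort.conf and the IFACE pair in /etc/conf.d/snort. The function names and the sample file contents are constructed for illustration, and the check covers only the single `eth0:eth1` pair form used in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. File contents below are constructed samples.

# Print the value of the last "config <key>: <value>" line in a snort.conf.
conf_value() {
    sed -n "s/^[[:space:]]*config[[:space:]][[:space:]]*$2[[:space:]]*:[[:space:]]*\([^#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# Print the IFACE setting from a Gentoo-style conf.d file, without quotes or comments.
iface_value() {
    sed -n 's/^[[:space:]]*IFACE=//p' "$1" | tail -n 1 | sed 's/#.*//' | tr -d "\"' "
}

report() { echo "$1"; problems=$((problems + 1)); }

# Print one line per problem; the return status is the number of problems.
check_inline_cfg() {
    problems=0
    daq=$(conf_value "$1" daq)
    mode=$(conf_value "$1" daq_mode)
    iface=$(iface_value "$2")
    [ "$daq" = afpacket ] || report "config daq is '${daq:-unset}', expected afpacket"
    [ "$mode" = inline ] || report "config daq_mode is '${mode:-unset}', expected inline"
    case $iface in
        '')          report "IFACE is not set" ;;
        *:*:*|:*|*:) report "IFACE '$iface' is not a single a:b pair" ;;
        *:*)         [ "${iface%%:*}" != "${iface#*:}" ] ||
                         report "IFACE '$iface' pairs an interface with itself" ;;
        *)           report "IFACE '$iface' names one interface; inline afpacket needs a pair" ;;
    esac
    return "$problems"
}

# Constructed sample files: the snort.conf lines from the thread, and a
# conf.d file whose IFACE names a single interface instead of a pair.
tmp=$(mktemp -d)
printf '%s\n' 'config daq: afpacket' 'config daq_mode: inline' \
    'config daq_dir: /usr/lib64/daq/' > "$tmp/snort.conf"
printf '%s\n' 'IFACE="eth0"' > "$tmp/confd"
check_inline_cfg "$tmp/snort.conf" "$tmp/confd" || echo "problems: $?"
```

On a real box the two arguments would be the installed snort.conf and /etc/conf.d/snort.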