Re: pcap DAQ does not support inline

[Michael Altizer <maltizer () sourcefire com>]

For Linux, your best bet is the NFQ DAQ module.  See the README in the 
DAQ tarball for pointers on NFQ/IPTables.

On 04/24/2013 03:47 PM, Joao Daniel Neves wrote:
> maltizer,
>
> Thank you so much! It was very enlightening.
> All inline modes needs a pair of interfaces? What would you suggest on 
> this scenario ?
>
> ------------------------------------------------------------------------
> Date: Wed, 24 Apr 2013 15:36:09 -0400
> From: maltizer () sourcefire com
> To: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] pcap DAQ does not support inline
>
> You will not be able to use the AFPacket DAQ module in that scenario.  
> The AFPacket DAQ module manually forwards packets completely 
> unmodified back and forth across an interface pair (or pairs) when it 
> is in inline mode (unless Snort modifies the packet).  This means 
> there will be no routing decisions, MAC address updates, or TTL 
> drecrements involved.  Also, if you're actively having the OS do the 
> routing (or bridging), you will end up with duplicate packets being 
> generated by the box.  AFPacket operates on copies of packets received 
> on a given interface, and may then send out a packet based on that 
> copy in inline mode if the packet was not dropped, all of which 
> happens in parallel with any other processing the OS is doing with the 
> original packet.
>
> On 04/24/2013 03:11 PM, Joao Daniel Neves wrote:
>
>     YM
>     I'm a bit ashamed. What I cant understand is if I'm running Snort
>     in a router and eth0 and eth1 are been used to route packages, I
>     will not be able to use Snort inline mode with this scenario?
>
>     I tried (on a test enviroment) and it doesn't seems to work.
>
>     I think I may be doing something wrong.
>
>     ------------------------------------------------------------------------
>     To: joaodanielnevesss () hotmail com
>     <mailto:joaodanielnevesss () hotmail com>
>     CC: snort-users () lists sourceforge net
>     <mailto:snort-users () lists sourceforge net>
>     From: snort () outlook com <mailto:snort () outlook com>
>     Subject: RE: [Snort-users] pcap DAQ does not support inline
>     Date: Wed, 24 Apr 2013 19:15:39 +0300
>
>     eth0 and eth1 will be used by Snort only to pass traffic inline.
>
>     The third interface I mentioned earlier; eth2 will be used for
>     management. In this case you will not be interfering with the
>     traffic.
>     ------------------------------------------------------------------------
>     From: Joao Daniel Neves <mailto:joaodanielnevesss () hotmail com>
>     Sent: ‎4/‎24/‎2013 6:56 PM
>     To: Y M <mailto:snort () outlook com>
>     Cc: snort-users () lists sourceforge net
>     <mailto:snort-users () lists sourceforge net>
>     Subject: RE: [Snort-users] pcap DAQ does not support inline
>
>     YM,
>
>     But if this pair of interfaces are being used to normal traffic.
>     Example:
>
>     /usr/local/bin/snort  —daq afpacket -Q -c /etc/snort/snort.conf -i
>     eth0:eth1
>
>     if a database is listening on interface eth1, I cant acess this
>     database. I cant acess anything listening on eth0 and eth1.
>
>     Will I need and a pair of 'idle' interfaces?
>
>
>
>     ------------------------------------------------------------------------
>     To: joaodanielnevesss () hotmail com
>     <mailto:joaodanielnevesss () hotmail com>
>     CC: snort-users () lists sourceforge net
>     <mailto:snort-users () lists sourceforge net>
>     From: snort () outlook com <mailto:snort () outlook com>
>     Subject: RE: [Snort-users] pcap DAQ does not support inline
>     Date: Wed, 24 Apr 2013 17:20:00 +0300
>
>     The two interfaces will be used by Snort, you will need a third
>     interface for management, i.e.: ssh, database, etc.
>
>     Also don't forget to set the daq mode, look for --daq-mode
>
>     I haven't used ipfw, so i can't add on that.
>
>     Please, when you reply, reply to the entire list, everybody
>     benefits :)
>     ------------------------------------------------------------------------
>     From: Joao Daniel Neves <mailto:joaodanielnevesss () hotmail com>
>     Sent: ‎4/‎24/‎2013 4:28 PM
>     To: Y M <mailto:snort () outlook com>
>     Subject: RE: [Snort-users] pcap DAQ does not support inline
>
>     HI,
>
>     YM,
>
>     /usr/local/bin/snort  —daq afpacket -Q -c /etc/snort/snort.conf -i
>     eth0:eth1
>
>     I'm using this line to start snort. As I searched afpacket need
>     two interfaces:
>
>     /"In order to have an inline deployment you need at least one pair
>     ofinterfaces for the traffic to flow through. To that end, you
>     need tospecify a second interface for AFPacket to use to complete
>     the bridge."
>     /
>     But for some reason when I used two interfaces things got weired.
>     I lost SSH acess to snort. I think that the reason is because the
>     traffic flow through one interface to another. Do you have some
>     clues about this issue ?
>
>     My avaliable daq modules are
>
>     pcap(v3): readback live multi unpriv
>     ipfw(v2): live inline multi unpriv
>     dump(v1): readback live inline multi unpriv
>     afpacket(v4): live inline multi unpriv
>
>     With module can I use to enable in line module without needing to
>     specify two interfaces?
>     I think that it would be ipfw, but as far as I know ipfw is for
>     bsd and I'm not using bsd.
>
>     ------------------------------------------------------------------------
>     To: joaodanielnevesss () hotmail com
>     <mailto:joaodanielnevesss () hotmail com>;
>     snort-users () lists sourceforge net
>     <mailto:snort-users () lists sourceforge net>
>     From: snort () outlook com <mailto:snort () outlook com>
>     Subject: RE: [Snort-users] pcap DAQ does not support inline
>     Date: Mon, 22 Apr 2013 18:56:45 +0300
>
>     pcap does not support inline mode, it is meant for passive mode
>     only. Instead, use afpacket for inline mode.
>
>     To make sure it is installed, run Snort as
>
>     snort --daq-list
>
>     This will return a list of the installed daq modules.
>     ------------------------------------------------------------------------
>     From: Joao Daniel Neves <mailto:joaodanielnevesss () hotmail com>
>     Sent: ‎4/‎22/‎2013 6:47 PM
>     To: snort-users () lists sourceforge net
>     <mailto:snort-users () lists sourceforge net>
>     Subject: [Snort-users] pcap DAQ does not support inline
>
>     Hi,
>
>     I'm getting this error when running Snort in inline mode "ERROR:
>     pcap DAQ does not support inline". I have searched on Google, but
>     did not get any thing usefull. The point is I don't even know why
>     this happening.
>
>     What do you suggest ?
>
>     *Some informations for debugging: *
>
>     /My daq dir is /usr/local/lib/daq
>
>     ls /usr/local/lib/daq
>     daq_afpacket.la
>     daq_afpacket.so
>     daq_dump.la
>     daq_dump.so
>     daq_ipfw.la
>     daq_ipfw.so
>     daq_pcap.la
>     daq_pcap.so
>
>     I tryed to start Snort with
>
>     /usr/local/bin/snort -Q -i eth1 --daq-dir /usr/local/lib/daq/ -c
>     /etc/snort/snort.conf
>     /usr/local/bin/snort -Q -de *--daq nfq* --daq-dir
>     /usr/local/lib/daq -c /etc/snort/snort.conf
>     /usr/local/bin/snort  —daq pcap -Q -c /etc/snort/snort.conf -i
>     eth0:eth1
>     /usr/local/bin/snort -Q -c /etc/snort/snort.conf -i eth0:eth1
>
>     None of them worked.
>
>     Some more informations
>
>     /usr/lib/libpcap.a
>     /usr/lib/libpcap.so
>     /usr/lib/libpcap.so.0
>     /usr/lib/libpcap.so.0.9
>     /usr/lib/libpcap.so.0.9.4
>     /usr/lib/libpcap.so.1
>     /usr/lib/libpcap.so.1.3.0
>     /usr/lib64/libpcap.so.0
>     /usr/lib64/libpcap.so.0.9
>     /usr/lib64/libpcap.so.0.9.4
>     /usr/local/lib/libpcap.a
>     /usr/local/lib/libpcap.so
>     /usr/local/lib/libpcap.so.1
>     /usr/local/lib/libpcap.so.1.3.0
>     /usr/local/lib/daq/daq_pcap.la
>     /usr/local/lib/daq/daq_pcap.so/
>
>     Maybe those multiple versions of pcap are causing the error ?
>
>     ------------------------------------------------------------------------------
>     Precog is a next-generation analytics platform capable of advanced
>     analytics on semi-structured data. The platform includes APIs for
>     building apps and a phenomenal toolset for data science.
>     Developers can use our toolset for easy data analysis &
>     visualization. Get a free account!
>     http://www2.precog.com/precogplatform/slashdotnewsletter
>     _______________________________________________ Snort-users
>     mailing list Snort-users () lists sourceforge net
>     <mailto:Snort-users () lists sourceforge net> Go to this URL to
>     change user options or unsubscribe:
>     https://lists.sourceforge.net/lists/listinfo/snort-users
>     Snort-users list archive:
>     http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please
>     visit http://blog.snort.org to stay current on all the latest
>     Snort news!
>
>
>     ------------------------------------------------------------------------------
>     Try New Relic Now & We'll Send You this Cool Shirt
>     New Relic is the only SaaS-based application performance monitoring service
>     that delivers powerful full stack analytics. Optimize and monitor your
>     browser, app, & servers with just a few lines of code. Try New Relic
>     and get this awesome Nerd Life shirt!http://p.sf.net/sfu/newrelic_d2d_apr
>
>
>
>     _______________________________________________
>     Snort-users mailing list
>     Snort-users () lists sourceforge net  <mailto:Snort-users () lists sourceforge net>
>     Go to this URL to change user options or unsubscribe:
>     https://lists.sourceforge.net/lists/listinfo/snort-users
>     Snort-users list archive:
>     http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
>     Please visithttp://blog.snort.org  to stay current on all the latest Snort news!
>
>
>
> ------------------------------------------------------------------------------ 
> Try New Relic Now & We'll Send You this Cool Shirt New Relic is the 
> only SaaS-based application performance monitoring service that 
> delivers powerful full stack analytics. Optimize and monitor your 
> browser, app, & servers with just a few lines of code. Try New Relic 
> and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_apr
> _______________________________________________ Snort-users mailing 
> list Snort-users () lists sourceforge net Go to this URL to change user 
> options or unsubscribe: 
> https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users 
> list archive: 
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users 
> Please visit http://blog.snort.org to stay current on all the latest 
> Snort news!

------------------------------------------------------------------------------
Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service 
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_apr

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!