Snort mailing list archives
Multiple configurations: ids and ips modes.
From: Oleg Gvozdev <jktu17 () gmail com>
Date: Tue, 7 May 2013 12:31:02 +0400
Hello

I have snort 2.9.3.1 and afpacket daq installed.

*MY GOAL:*
1. create several (e.g. 2) configurations of snort using "config binding"
2. have different modes in these configurations, for example: conf1 will run in tap mode and conf2 (bound) will run in inline mode.
3. only one snort process must be run to achieve this goal

*QUESTIONS:*

*1. Is it possible?*
I couldn't do it, because I need to specify the "-Q" flag for inline mode, which is global, and I have the following problems:
1. to run snort in inline I need to specify "-Q" (w/o it snort complains: "Adapter is in Passive Mode. Hence switching policy mode to tap.")
2. but with the -Q switch I have an error from conf1: "FATAL ERROR: DAQ 'passive' mode incompatible with -Q! "

PS: from the manual: config daq_* options are not configuration-specific, they are global; but config policy_mode is config-specific and may differ in the case of a multi-configuration config; so this is the problem.

PPS: Here is my config (only topic-related things):

*File /etc/conf1.conf:*
config daq_dir : /usr/lib/daq
config daq : afpacket
config daq_mode : passive
config policy_mode : tap
config interface : eth1
config binding : /etc/conf2.conf net 10.0.0.0/24
config policy_version : base-version
config policy_id : 0

*File /etc/conf2.conf:*
config policy_mode : inline
config interface : eth1:eth2
config policy_version : base-version sub-version
config policy_id : 1

*2. Another question*: in the case of multiple configurations: is it necessary to include "config policy_id" options in each configuration, and is the option "config policy_version :" necessary? Maybe I only need to use "config binding FILE net IP"?
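The conflict described in the message above, as an added example that is not part of the original post or of Snort: a small Python check that reads the two quoted files (embedded here as constructed strings), follows `config binding`, and reports where the global `daq_mode` clashes with `-Q` or with a per-configuration `policy_mode`. The names `parse` and `lint` are hypothetical, and the DAQ mode used when no `daq_mode` line is present is an assumption.

```python
import re

# Constructed sample input: the two files quoted in the post, as strings.
CONFIGS = {
    "/etc/conf1.conf": """config daq_dir : /usr/lib/daq
config daq : afpacket
config daq_mode : passive
config policy_mode : tap
config interface : eth1
config binding : /etc/conf2.conf net 10.0.0.0/24
config policy_version : base-version
config policy_id : 0
""",
    "/etc/conf2.conf": """config policy_mode : inline
config interface : eth1:eth2
config policy_version : base-version sub-version
config policy_id : 1
""",
}
LINE = re.compile(r"^\s*config\s+(\w+)\s*:\s*(.+?)\s*$")

def parse(text):
    """Return (options, bound_files) for one configuration file's text."""
    opts, bound = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw.split("#", 1)[0])  # drop trailing comments
        if m and m.group(1) == "binding":
            bound.append(m.group(2).split()[0])  # first token is the file
        elif m:
            opts[m.group(1)] = m.group(2)
    return opts, bound

def lint(base, configs, q_flag=False):
    """Hypothetical helper: report global-DAQ vs per-policy mode conflicts."""
    base_opts, bound = parse(configs[base])
    # Assumption: with no daq_mode line, the DAQ mode follows the -Q flag.
    daq_mode = base_opts.get("daq_mode", "inline" if q_flag else "passive")
    out = []
    if q_flag and daq_mode == "passive":
        out.append(f"{base}: daq_mode passive conflicts with -Q (fatal)")
    for path in [base] + bound:
        opts = parse(configs[path])[0]
        if path != base and any(k.startswith("daq") for k in opts):
            out.append(f"{path}: daq options are global, set them in {base}")
        if opts.get("policy_mode") == "inline" and daq_mode != "inline":
            out.append(f"{path}: policy_mode inline falls back to tap")
    return out

if __name__ == "__main__":
    print("\n".join(lint("/etc/conf1.conf", CONFIGS, q_flag=True)))
```
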