Snort mailing list archives

Trouble getting PF_Ring DNA and DAQ to work


From: Xavier Van Pottelbergh <Xavier.VanPottelbergh () kuleuven be>
Date: Fri, 18 Apr 2014 14:04:00 +0000

Hi,

I'm a student trying to set up snort.

I've run into trouble trying to get multiple snort instances listening on one interface (I have too much traffic for one instance to handle).

I'm using a RHEL 6.5 server
Snort version:
  ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.6.0 GRE (Build 47)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.5.3
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.
DAQ-version: daq-2.0.2
PF_RING version: PF_RING-5.6.2

I removed the driver and pf_ring modules (if they were loaded)
"rmmod ixgbe.ko
rmmod pf_ring.ko"

I loaded the driver:
"cd /root/PF_RING-5.6.2/drivers/DNA/ixgbe-3.18.7-DNA/src/
make
insmod ixgbe.ko"

I loaded pf_ring:
"cd /root/PF_RING-5.6.2/kernel/
make
make install
insmod pf_ring.ko transparent_mode=0 min_num_slots=16384"

I compiled daq with the following options:
"cd /root/daq-2.0.2/
./configure -disable-nfq-module -disable-ipq-module -with-libpcap-includes=/usr/local/include 
-with-libpcap-libraries=/usr/local/lib"

Made the PF_RING DAQ Module:
"cd /root/PF_RING-5.6.2/userland/snort/pfring-daq-module/
autoreconf -ivf
./configure
make
make install"

Compiled snort like this:
"cd /root/snort-2.9.6.0/
./configure -with-libpcap-includes=/usr/local/include -with-libpcap-libraries=/usr/local/lib 
-with-libpfring-includes=/usr/local/include/daq -with-libpfring-includes=/usr/local/lib/daq -enable-sourcefire 
-enable-perfprofiling
make
make install"

I modified this into my init.d script:
"for i in 1 2 3 4 5 6 7 8; do
      daemon /usr/sbin/snort -A Fast -N -D -i dna1@$i -u snort -g snort -c /etc/snort/snort.conf 
-daq-dir=/usr/local/lib/daq -daq-mode passive -daq pfring &
done"

Each snort instance then fails with:
"pfring DAQ configured to passive.
FATAL ERROR: Can't initialize DAQ pfring (-1) - "

When I run snort without the daq-configuration options, snort fails with the following message:
"pcap DAQ configured to passive.
Acquiring network traffic from "dna1@3".
Initializing daemon mode
Daemon initialized, signaled parent pid: 24786
Reload thread starting...
Reload thread started, thread 0x7f149cb45700 (25309)
FATAL ERROR: Can't start DAQ (-1) - SIOCGIFHWADDR: No such device!"
The 'ip link list' command shows dna1 as up

If you need more info, please ask so I can provide it.

Thank you in advance.
