Snort mailing list archives
Re: HTTP INSPECT fails on Mirror Port
From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 23 Jul 2014 05:54:32 -0600
On Tue, 2014-07-22 at 18:33 +0530, Anand Raj Manickam wrote:
Did try with

For Snort:
./configure --with-dnet-includes=/opt/include/ --with-dnet-libraries=/opt/lib --enable-sourcefire --enable-non-ether-decoders
The behaviour is the same

For DAQ:
# ./configure --with-dnet-includes=/opt/include/ --with-dnet-libraries=/opt/lib
Build AFPacket DAQ module.. : no
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : no
Build NFQ DAQ module....... : yes
Build PCAP DAQ module...... : yes

Not sure why AFPacket fails. But since the testbed is TAP mode, I did not care.

On Mon, Jul 21, 2014 at 10:36 PM, James Lay <jlay () slave-tothe-box net> wrote:
On 2014-07-21 10:41, Anand Raj Manickam wrote:

My understanding was you do not need afpacket for mirror port, since the setting was pcap - passive. Please correct me if I'm wrong.

snort was configured with
./configure --with-dnet-includes=/xyz --with-dnet-libraries=/xyz
DAQ without any parameters

On Mon, Jul 21, 2014 at 9:39 PM, James Lay <jlay () slave-tothe-box net> wrote:
On 2014-07-21 09:52, Anand Raj Manickam wrote:

Hi James,
I have attached the pcap.
Thanks,
Anand

Technically I believe you are right, but at this stage, I'm playing "spot the differences". My snort config line:

./configure --prefix=/opt --enable-sourcefire --with-dnet-libraries=/usr/local/lib --enable-non-ether-decoders

and my daq config and snippet of that output:

./configure --prefix=/usr
Build AFPacket DAQ module.. : yes
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : no
Build NFQ DAQ module....... : no
Build PCAP DAQ module...... : yes

How does yours differ?

James
At this point I'm out of ideas...perhaps one of the devs can assist.

James