Snort mailing list archives

Re: Snort inline packet acquisition


From: Kayvan Javid <kayvan.javid () smoothwall net>
Date: Wed, 21 Oct 2009 16:31:39 +0100

The only current method to capture packets with Snort in inline mode is
to use the ip_queue kernel module and set up an iptables redirect to the
QUEUE target.

The problem being that since kernel 2.6.x was released, this module and packet
acquisition method have been deprecated in favor of the more flexible
nfnetlink_queue, which supports multiple queues etc.

The branched snort-inline project has had support for using nfqueue for
years; why, even when Sourcefire integrated the inline functionality
from this branch, has support for this not been added?

Furthermore, even in Snort 3 beta, the current DAQs do not allow for
inline mode to operate on a single NIC like Snort 2 currently does, as
it only supports pcap, from file or afpacket, which can only operate
over a bridge.

What options do I have if I do not want to use the deprecated ip_queue
module to get the inline functionality?

Thanks Kave
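For readers comparing the two acquisition paths the post contrasts, the following is an added example (not from the original post, Snort, or snort-inline): a small POSIX shell script that prints the iptables rules for the legacy ip_queue path (the QUEUE target) beside the nfnetlink_queue path (the NFQUEUE target with a queue number), and checks whether a userspace listener is actually bound to the queue before anything is applied. Nothing is applied unless APPLY=1 is set. The chains hooked (INPUT/OUTPUT for a single-NIC host, FORWARD for a host that routes or bridges), the default queue number 0, and the /proc paths used for the listener check are assumptions for this example, not settings from the page.

```sh
#!/bin/sh
# Added example, not part of the original post: iptables rules for handing
# traffic to an inline IPS via the legacy QUEUE target versus NFQUEUE.
# Rules are printed by default; set APPLY=1 to execute them (needs root).
set -eu

APPLY="${APPLY:-0}"
IPT="${IPT:-iptables}"

# Legacy path: needs the deprecated ip_queue kernel module and supports a
# single queue only, so only one userspace consumer can attach.
legacy_queue_rules() {
    printf '%s\n' \
        "$IPT -A INPUT -j QUEUE" \
        "$IPT -A OUTPUT -j QUEUE" \
        "$IPT -A FORWARD -j QUEUE"
}

# nfnetlink_queue path: the queue number selects which userspace listener
# receives the packets, so several consumers can coexist on one host
# (each bound to its own queue number).
nfqueue_rules() {
    qnum="${1:-0}"   # assumed default queue number 0
    printf '%s\n' \
        "$IPT -A INPUT -j NFQUEUE --queue-num $qnum" \
        "$IPT -A OUTPUT -j NFQUEUE --queue-num $qnum" \
        "$IPT -A FORWARD -j NFQUEUE --queue-num $qnum"
}

# Both targets fail closed: if no process is bound to the queue, the
# kernel drops every queued packet, so a rule inserted before the IPS is
# running cuts the host off. This check reads the kernel's own table of
# bound queues (assumed path; first column is the queue number).
nfqueue_bound() {
    qnum="${1:-0}"
    tbl=/proc/net/netfilter/nfnetlink_queue
    [ -r "$tbl" ] || return 1
    awk -v q="$qnum" '$1 == q { found = 1 } END { exit !found }' "$tbl"
}

# Print the rules, or pipe them into a shell when APPLY=1.
run_rules() {
    if [ "$APPLY" = 1 ]; then sh -s; else cat; fi
}

echo "# legacy ip_queue (deprecated):"
legacy_queue_rules | run_rules
echo "# nfnetlink_queue, queue 0:"
if nfqueue_bound 0; then
    nfqueue_rules 0 | run_rules
else
    echo "# no listener bound to queue 0; rules printed only, not applied"
    nfqueue_rules 0
fi
```

Run it as-is to see both rule sets; run with APPLY=1 as root only once the inline sensor has bound its queue, because the bound-queue check is what stands between a typo in the queue number and a host that silently drops all traffic.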

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
