Snort mailing list archives
Re: Snort in IPS mode
From: Will Metcalf <william.metcalf () gmail com>
Date: Tue, 17 May 2011 09:56:12 -0500
I'm not running 11.4 but try this. Afterwards you need to try and rebuild daq and make sure it builds with nfq support.

sudo apt-get -y install libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0

Regards,

Will

On Tue, May 17, 2011 at 9:43 AM, turki <turki_00 () yahoo com> wrote:

Hi Jason,

As far as I understand from your (and Michael's) comments, I did the following:

snort --daq nfq -Q -c snort.conf

I received the following error:

ERROR: Can't find nfq DAQ!
Fatal Error, Quitting..

- Is there any modification I need to do in the snort.conf file?
- Do I have to compile snort in inline mode first?
- Do I have to set the iptables before I run snort in inline mode?

My goal is to run Snort in inline mode with a single interface eth0.

I apologize if I am asking too many b

Is there any beginners tutorial regarding snort inline mode, as I just jumped into the snort IPS mode without any background?

Thank you,

daq-0.5
ubuntu 11.4
Snort 2.9.0.5

--- On Mon, 5/16/11, Will Metcalf <william.metcalf () gmail com> wrote:

From: Will Metcalf <william.metcalf () gmail com>
Subject: Re: [Snort-users] Snort in IPS mode
To: "turki" <turki_00 () yahoo com>
Cc: "Jason Brvenik" <jbrvenik () sourcefire com>, snort-users () lists sourceforge net
Received: Monday, May 16, 2011, 4:14 PM

You should be able to do this very easily with NFQ as Michael suggested. See the README included with daq. One thing to note: afaik the example uses FORWARD; if you are using it on the local host you need something like the following if you want to look at port 80 traffic bound for your webserver.

iptables -I INPUT -i lo -j ACCEPT
iptables -I INPUT -p tcp --dport 80 -j NFQUEUE
iptables -I OUTPUT -p tcp --sport 80 -j NFQUEUE

Regards,

Will

On Mon, May 16, 2011 at 1:46 PM, turki <turki_00 () yahoo com> wrote:

Jason,

No, it didn't work :(

After creating an alias interface eth0:0 and running the command:

snort -Q --daq afpacket -i eth0:eth0:0 -c snort.conf

I got the error msg:

ERROR: Can't initialize DAQ afpacket (-1) - afpacket_daq_initialize: Couldn't create the bridge between eth0 and eth0!
Fatal Error, Quitting..

Thank you for the help

--- On Mon, 5/16/11, Jason Brvenik <jbrvenik () sourcefire com> wrote:

From: Jason Brvenik <jbrvenik () sourcefire com>
Subject: Re: [Snort-users] Snort in IPS mode
To: "turki" <turki_00 () yahoo com>
Cc: snort-users () lists sourceforge net, "Michael Altizer" <maltizer () sourcefire com>
Received: Monday, May 16, 2011, 3:29 PM

Just create an aliased interface to eth0

On May 16, 2011 2:15 PM, "turki" <turki_00 () yahoo com> wrote:

The reason behind my single interface approach is that I want to run Snort (inline mode) in Amazon cloud, and I was stopped by the fact that they only allow 1 interface for every running virtual machine instance in EC2.

Thank you Michael for sharing your knowledge.

--- On Mon, 5/16/11, Michael Altizer <maltizer () sourcefire com> wrote:

From: Michael Altizer <maltizer () sourcefire com>
Subject: Re: [Snort-users] Snort in IPS mode
To: snort-users () lists sourceforge net
Received: Monday, May 16, 2011, 9:53 PM

This is not possible with the current AFPacket DAQ module since I never really thought to do that, but it could be modified to do so (check if an instance for that interface already exists when opening each interface and reuse it instead of trying to reopen and failing). You may be able to do something like that with IPTables and the NFQ DAQ module, but I couldn't say for sure.

On 05/16/2011 09:42 AM, turki wrote:

What if I only have a single interface card "eth0"? Can I redirect/pair the traffic to itself (I know it is kind of a silly statement), something like this:

snort -Q --daq afpacket -i eth0:eth0 -c snort.conf

--- On Mon, 5/16/11, Michael Altizer <xiche () verizon net> wrote:

From: Michael Altizer <xiche () verizon net>
Subject: Re: [Snort-users] Snort in IPS mode
To: snort-users () lists sourceforge net
Received: Monday, May 16, 2011, 6:27 AM

On 05/15/2011 08:09 PM, turki wrote:

Hi, I am new to snort, so I need help here.

I am trying to run snort in inline mode with the following command:

snort -Q --daq afpacket -i eth0 -c snort.conf

but snort initialization keeps failing with error message:

afpacket DAQ configured to inline.
ERROR: Can't initialize DAQ afpacket (-1) - afpacket_daq_initialize: Invalid interface specification: 'eth0'!
Fatal Error, Quitting..

In order to have an inline deployment you need at least one pair of interfaces for the traffic to flow through. To that end, you need to specify a second interface for AFPacket to use to complete the bridge. For example:

snort -Q --daq afpacket -i eth0:eth1 -c snort.conf

or (two inline pairs):

snort -Q --daq afpacket -i eth0:eth1::eth2:eth3 -c snort.conf

------------------------------------------------------------------------------
Achieve unprecedented app performance and reliability
What every C/C++ and Fortran developer should know. Learn how Intel has extended the reach of its next-generation tools to help boost performance applications - including clusters.
http://p.sf.net/sfu/intel-dev2devmay
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users

Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
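The single-NIC NFQ setup Will describes in the thread (NFQUEUE rules on INPUT and OUTPUT plus `snort --daq nfq -Q`) as an added example script. This is not from the thread or from the Snort/DAQ projects; it assumes the nfq DAQ module has been built against libnetfilter-queue, that `snort --daq-list` prints the available modules with one name per line, and that the NFQ DAQ takes its queue id through `--daq-var queue=`. The port list, queue number, config path and the iptables binary are parameters so the rule set can be dry-run before it is applied.

```shell
#!/bin/sh
# Added example (not from the thread or the Snort/DAQ projects):
# put Snort inline on a host with only eth0 by steering selected TCP
# traffic into an NFQUEUE that the nfq DAQ reads from.
# Assumptions: nfq DAQ is built; the queue id below is free; the
# "queue" DAQ variable name follows the daq README.

PORTS="${PORTS:-80}"                  # TCP ports to inspect, space separated
QUEUE_NUM="${QUEUE_NUM:-0}"           # NFQUEUE id, must match --daq-var queue=
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
IPTABLES="${IPTABLES:-iptables}"      # overridable so the rules can be dry-run

# Return 0 if the installed DAQ set includes nfq. The thread's
# "Can't find nfq DAQ!" error is this check failing: install the
# libnetfilter-queue headers and rebuild daq.
# Assumption: --daq-list prints one module per line with its name first.
have_nfq_daq() {
    snort --daq-list 2>/dev/null | grep -qw nfq
}

# Insert (-I) or delete (-D) the NFQUEUE rules. Inbound traffic to each
# port and the matching outbound replies go to the queue. The loopback
# ACCEPT is inserted last so that with -I it ends up above the NFQUEUE
# rules and local traffic is never queued; with -D order does not matter.
nfq_rules() {
    action="$1"
    rc=0
    for p in $PORTS; do
        "$IPTABLES" "$action" INPUT -p tcp --dport "$p" \
            -j NFQUEUE --queue-num "$QUEUE_NUM" || rc=1
        "$IPTABLES" "$action" OUTPUT -p tcp --sport "$p" \
            -j NFQUEUE --queue-num "$QUEUE_NUM" || rc=1
    done
    "$IPTABLES" "$action" INPUT -i lo -j ACCEPT || rc=1
    return $rc
}

# Start Snort inline on the queue. While no process is bound to the
# queue the kernel drops queued packets, so bring the rules up only
# after Snort is running and take them down before stopping it.
run_snort() {
    if ! have_nfq_daq; then
        echo "nfq DAQ not available; rebuild daq with libnetfilter-queue" >&2
        return 1
    fi
    exec snort --daq nfq --daq-var queue="$QUEUE_NUM" -Q -c "$SNORT_CONF"
}

case "${1:-}" in
    up)   nfq_rules -I ;;
    down) nfq_rules -D ;;
    run)  run_snort ;;
esac
```

Typical use is `PORTS="80 443" ./snort-nfq.sh run` in one terminal, then `PORTS="80 443" ./snort-nfq.sh up` once Snort reports it is listening, and `down` before Snort is stopped. Dry-run the rule set first with `IPTABLES=echo ./snort-nfq.sh up`. The ordering caveat matters because Will's three `-I` commands, typed in the order shown, leave the loopback ACCEPT below the NFQUEUE rule. Newer iptables versions add `--queue-bypass` to the NFQUEUE target, which accepts packets instead of dropping them when nothing is bound to the queue; without it, stopping Snort while the rules are in place cuts off the inspected ports.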
Current thread:
- Snort in IPS mode turki (May 15)
- Re: Snort in IPS mode Michael Altizer (May 15)
- Re: Snort in IPS mode turki (May 16)
- Re: Snort in IPS mode Michael Altizer (May 16)
- Re: Snort in IPS mode turki (May 16)
- Re: Snort in IPS mode Jason Brvenik (May 18)
- Re: Snort in IPS mode turki (May 16)
- Re: Snort in IPS mode Will Metcalf (May 16)
- Re: Snort in IPS mode turki (May 17)
- Re: Snort in IPS mode Will Metcalf (May 17)
- Re: Snort in IPS mode turki (May 17)
- Re: Snort in IPS mode Russ Combs (May 17)
- Re: Snort in IPS mode turki (May 17)
- Re: Snort in IPS mode Russ Combs (May 17)
- Re: Snort in IPS mode turki (May 16)
- Re: Snort in IPS mode Michael Altizer (May 15)
- Re: Snort in IPS mode Russ Combs (May 17)
- <Possible follow-ups>
- Re: Snort in IPS mode turki (May 17)
- Re: Snort in IPS mode Russ Combs (May 17)
- Re: Snort in IPS mode Lay, James (May 17)
- Re: Snort in IPS mode Will Metcalf (May 17)
- Re: Snort in IPS mode Russ Combs (May 17)