Snort mailing list archives

Re: Question for the Guru's


From: NA <dustypath () comcast net>
Date: Mon, 14 Nov 2011 11:07:24 -0800

On 11/14/11 10:42 AM, John Liss wrote:
On 11/14/2011 11:17 AM, carlopmart wrote:
<snip>
See daq docs about af-packet and nfq ...
If I may jump in here to forward the conversation, does anyone have an
opinion of which is better in-line, af-packet or nfq?
I am currently running Snort inline using af-packet (using Gentoo) and
NFQ was not originally available in the 2.9.x.x version.
-Bill

Inline is a dead line ... To work with snort as an IPS you need to use
af-packet or nfq. Better?? Depends on your needs, your network topology
and your experience with snort.

Thanks for the reply guys!
Sounds like daq with af-packet makes a good test case for us.

Is there a good faq on which is better for af-packet or nfq?

Question: using snort -D -daq afpacket -Q -c snort.conf -i eth1:eth2
Is snort doing the bridging using eth1:eth2, or do I still have to
configure iptables to complete the bridge? Reading the DAQ docs I'm
still confused.

-John


Yes, Snort does the bridging.
You do not create a bridge as daq does that for you. I simply (after
asking the same question) added this into snort.conf:

config daq: afpacket
config daq_dir: /usr/lib64/daq
config daq_mode: inline
config daq_var: buffer_size_mb=256

Where you spec eth0:eth1 (or whatever) can be distro specific.

I would imagine using NFQ would offer more control via iptables but have
yet to push down that road. Af-packet works well.

-Bill
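A small sanity checker for the DAQ settings discussed in this thread, added here as an illustration and not code from the thread or from the Snort project. It parses the `config daq*` directives Bill pasted, then checks that an inline (-Q) deployment is consistent: afpacket bridging needs an interface pair such as `eth1:eth2` on the command line, while nfq takes its packets from an iptables NFQUEUE rule instead of `-i`. The sample snort.conf fragment is constructed from the lines above, and the `queue=` DAQ variable name for nfq is assumed to match the queue number in the NFQUEUE rule.

```python
import re

# Constructed sample, copied from the snippet Bill quoted above.
SAMPLE_CONF = """\
config daq: afpacket
config daq_dir: /usr/lib64/daq
config daq_mode: inline
config daq_var: buffer_size_mb=256
"""

IFACE_PAIR = re.compile(r"([\w.-]+):([\w.-]+)")


def parse_daq_config(conf_text):
    """Collect 'config daq*' directives into a dict; daq_var may repeat."""
    settings = {"daq_var": []}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"config\s+(daq(?:_dir|_mode|_var)?)\s*:\s*(.+)", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "daq_var":
            settings["daq_var"].append(value)
        else:
            settings[key] = value
    return settings


def check_inline_setup(settings, interface_arg):
    """Return a list of findings (empty means consistent) for a -Q deployment.

    interface_arg is the value given to snort's -i flag, or None.
    """
    findings = []
    daq = settings.get("daq")
    if settings.get("daq_mode") != "inline":
        findings.append("daq_mode is not 'inline'; Snort will inspect but never drop")

    if daq == "afpacket":
        # afpacket bridges two interfaces itself; no iptables bridge is needed,
        # but the pair must be given as ifA:ifB and the two must differ.
        m = IFACE_PAIR.fullmatch(interface_arg or "")
        if not m:
            findings.append("afpacket inline needs an interface pair such as eth1:eth2")
        elif m.group(1) == m.group(2):
            findings.append("afpacket pair uses the same interface twice")
        for var in settings["daq_var"]:
            name, _, val = var.partition("=")
            if name == "buffer_size_mb" and not val.isdigit():
                findings.append(f"buffer_size_mb must be an integer, got {val!r}")
    elif daq == "nfq":
        # nfq receives packets from the kernel queue, so -i is meaningless and
        # a matching iptables '-j NFQUEUE --queue-num N' rule must exist.
        if interface_arg:
            findings.append("nfq ignores -i; packets arrive via an iptables NFQUEUE rule")
        if not any(v.startswith("queue=") for v in settings["daq_var"]):
            findings.append("nfq: set 'config daq_var: queue=N' to match the NFQUEUE rule (assumed variable name)")
    else:
        findings.append(f"daq {daq!r} is not an inline DAQ this checker knows")
    return findings


if __name__ == "__main__":
    cfg = parse_daq_config(SAMPLE_CONF)
    for finding in check_inline_setup(cfg, "eth1:eth2") or ["afpacket inline config looks consistent"]:
        print(finding)
```

Run it against a real snort.conf by reading the file into `parse_daq_config` and passing the same `-i` value you give on the command line; an empty result means the DAQ directives and interface argument agree with the bridging behaviour described in the thread.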
