Snort mailing list archives

Re: pcap DAQ does not support inline


From: Joao Daniel Neves <joaodanielnevesss () hotmail com>
Date: Wed, 24 Apr 2013 22:47:12 +0300

maltizer,

Thank you so much! It was very enlightening.
Do all inline modes need a pair of interfaces? What would you suggest for this scenario?

Date: Wed, 24 Apr 2013 15:36:09 -0400
From: maltizer () sourcefire com
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] pcap DAQ does not support inline

    You will not be able to use the
      AFPacket DAQ module in that scenario.  The AFPacket DAQ module
      manually forwards packets completely unmodified back and forth
      across an interface pair (or pairs) when it is in inline mode
      (unless Snort modifies the packet).  This means there will be no
      routing decisions, MAC address updates, or TTL decrements
      involved.  Also, if you're actively having the OS do the routing
      (or bridging), you will end up with duplicate packets being
      generated by the box.  AFPacket operates on copies of packets
      received on a given interface, and may then send out a packet
      based on that copy in inline mode if the packet was not dropped,
      all of which happens in parallel with any other processing the OS
      is doing with the original packet.

      On 04/24/2013 03:11 PM, Joao Daniel Neves wrote:

      YM,

        I'm a bit ashamed. What I can't understand is this: if I'm
        running Snort on a router and eth0 and eth1 are being used
        to route packets, will I not be able to use Snort's inline mode
        in this scenario?

        I tried (on a test environment) and it doesn't seem to work.

        I think I may be doing something wrong. 

          To: joaodanielnevesss () hotmail com
          CC: snort-users () lists sourceforge net
          From: snort () outlook com
          Subject: RE: [Snort-users] pcap DAQ does not support inline
          Date: Wed, 24 Apr 2013 19:15:39 +0300

            eth0 and eth1 will be used by Snort only to pass traffic
            inline.

            The third interface I mentioned earlier, eth2, will be used
            for management. In this case you will not be interfering
            with the traffic.

            From: Joao Daniel Neves
            Sent: 4/24/2013 6:56 PM
            To: Y M
            Cc: snort-users () lists sourceforge net
            Subject: RE: [Snort-users] pcap DAQ does not support inline
            
            YM,

              But what if this pair of interfaces is being used for normal
              traffic? Example:

              /usr/local/bin/snort --daq afpacket -Q -c
              /etc/snort/snort.conf -i eth0:eth1

              If a database is listening on interface eth1, I can't access
              this database. I can't access anything listening on eth0 and
              eth1.

              Will I need a pair of 'idle' interfaces?

                To: joaodanielnevesss () hotmail com
                CC: snort-users () lists sourceforge net
                From: snort () outlook com
                Subject: RE: [Snort-users] pcap DAQ does not support inline
                Date: Wed, 24 Apr 2013 17:20:00 +0300

                  The two interfaces will be used by Snort; you will need
                    a third interface for management, i.e. ssh,
                    database, etc.

                    Also don't forget to set the DAQ mode, look for
                    --daq-mode

                    I haven't used ipfw, so I can't add on that.

                    Please, when you reply, reply to the entire list,
                    everybody benefits :)
                
                  From: Joao Daniel Neves
                  Sent: 4/24/2013 4:28 PM
                  To: Y M
                  Subject: RE: [Snort-users] pcap DAQ does not support inline
                  
                  Hi,

                    YM,

                    /usr/local/bin/snort --daq afpacket -Q -c
                    /etc/snort/snort.conf -i eth0:eth1

                    I'm using this line to start Snort. As I searched,
                    afpacket needs two interfaces:

                    "In order to have an inline deployment you need at
                        least one pair of interfaces for the traffic to
                        flow through. To that end, you need to specify
                        a second interface for AFPacket to use to
                        complete the bridge."

                    But for some reason when I used two interfaces
                    things got weird. I lost SSH access to Snort. I
                    think that the reason is because the traffic flows
                    from one interface to the other. Do you have some
                    clues about this issue?

                    My available DAQ modules are

                    pcap(v3): readback live multi unpriv
                    ipfw(v2): live inline multi unpriv
                    dump(v1): readback live inline multi unpriv
                    afpacket(v4): live inline multi unpriv

                    Which module can I use to enable inline mode
                    without needing to specify two interfaces?

                    I think that it would be ipfw, but as far as I know
                    ipfw is for BSD and I'm not using BSD.

                      To: joaodanielnevesss () hotmail com;
                      snort-users () lists sourceforge net
                      From: snort () outlook com
                      Subject: RE: [Snort-users] pcap DAQ does not support inline
                      Date: Mon, 22 Apr 2013 18:56:45 +0300

                        pcap does not support inline mode, it is meant for
                          passive mode only. Instead, use afpacket for
                          inline mode.

                          To make sure it is installed, run Snort as

                          snort --daq-list

                          This will return a list of the installed DAQ
                          modules.
                      
                        From: Joao Daniel Neves
                        Sent: 4/22/2013 6:47 PM
                        To: snort-users () lists sourceforge net
                        Subject: [Snort-users] pcap DAQ does not support inline

                        Hi,

                          I'm getting this error when running Snort in
                          inline mode: "ERROR: pcap DAQ does not support
                          inline". I have searched on Google, but did
                          not get anything useful. The point is I
                          don't even know why this is happening.

                          What do you suggest?

                          Some information for debugging:

                          My daq dir is /usr/local/lib/daq

                              ls /usr/local/lib/daq
                              daq_afpacket.la
                              daq_afpacket.so
                              daq_dump.la
                              daq_dump.so
                              daq_ipfw.la
                              daq_ipfw.so
                              daq_pcap.la
                              daq_pcap.so

                              I tried to start Snort with

                              /usr/local/bin/snort -Q -i eth1 --daq-dir
                              /usr/local/lib/daq/ -c
                              /etc/snort/snort.conf

                              /usr/local/bin/snort -Q -de --daq nfq
                              --daq-dir /usr/local/lib/daq -c
                              /etc/snort/snort.conf

                              /usr/local/bin/snort --daq pcap -Q -c
                              /etc/snort/snort.conf -i eth0:eth1

                              /usr/local/bin/snort -Q -c
                              /etc/snort/snort.conf -i eth0:eth1

                              None of them worked.

                              Some more information

                              /usr/lib/libpcap.a
                              /usr/lib/libpcap.so
                              /usr/lib/libpcap.so.0
                              /usr/lib/libpcap.so.0.9
                              /usr/lib/libpcap.so.0.9.4
                              /usr/lib/libpcap.so.1
                              /usr/lib/libpcap.so.1.3.0
                              /usr/lib64/libpcap.so.0
                              /usr/lib64/libpcap.so.0.9
                              /usr/lib64/libpcap.so.0.9.4
                              /usr/local/lib/libpcap.a
                              /usr/local/lib/libpcap.so
                              /usr/local/lib/libpcap.so.1
                              /usr/local/lib/libpcap.so.1.3.0
                              /usr/local/lib/daq/daq_pcap.la
                              /usr/local/lib/daq/daq_pcap.so

                          Maybe those multiple versions of pcap are
                          causing the error?

                      ------------------------------------------------------------------------------
                      Precog is a next-generation analytics platform
                      capable of advanced analytics on semi-structured
                      data. The platform includes APIs for building apps
                      and a phenomenal toolset for data science.
                      Developers can use our toolset for easy data
                      analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter

                      _______________________________________________
                      Snort-users mailing list
                      Snort-users () lists sourceforge net
                      Go to this URL to change user options or unsubscribe:
                      https://lists.sourceforge.net/lists/listinfo/snort-users
                      Snort-users list archive:
                      http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
                      Please visit http://blog.snort.org to stay current
                      on all the latest Snort news!

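The thread's practical outcome, as an added example that is not code from the thread, from Snort or from the DAQ project: maltizer's point is that AFPacket inline mode copies frames between a dedicated interface pair with no routing, while an interface the kernel also routes or answers on produces duplicates (and, as Joao saw, eats the SSH session); YM's point is that the pair must be separate from the management interface and that the DAQ mode should be set explicitly. The script below checks the first condition before bringing the pair up and builds the `--daq afpacket` command line with `--daq-mode inline`. It assumes Linux with iproute2, Snort at /usr/local/bin/snort, DAQ modules in /usr/local/lib/daq and the config in /etc/snort/snort.conf; the interface names (eth3/eth4 as the spare pair, eth2 for management) and the `ip -o addr show` sample are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: prepare a dedicated interface pair for
# AFPacket inline mode and build the Snort command line, refusing to run if
# either interface carries an IP address (the OS would then route or reply
# on it in parallel with AFPacket's copy: duplicate packets and lost SSH).
# Assumptions: Linux with iproute2 ("ip"), Snort at /usr/local/bin/snort,
# DAQ modules in /usr/local/lib/daq, config in /etc/snort/snort.conf.
# Interface names and the sample address dump below are made up.

SNORT=/usr/local/bin/snort
SNORT_CONF=/etc/snort/snort.conf
DAQ_DIR=/usr/local/lib/daq

# Constructed sample of `ip -o addr show` output for offline checking:
# eth0/eth1 are the box's routed interfaces, eth2 is management,
# eth3/eth4 have no addresses and are free to become the inline pair.
SAMPLE_ADDR_DUMP='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0
2: eth0    inet6 fe80::1/64 scope link
3: eth1    inet 198.51.100.1/24 brd 198.51.100.255 scope global eth1
4: eth2    inet 203.0.113.5/24 brd 203.0.113.255 scope global eth2'

# pair_is_dedicated IN OUT ADDR_DUMP
# Succeeds only if IN and OUT are two distinct names and neither appears
# with an inet/inet6 address in ADDR_DUMP (the text of `ip -o addr show`).
# An addressed interface is one the kernel will route or answer on, so it
# must not be bridged by AFPacket.
pair_is_dedicated() {
    in_if=$1; out_if=$2; addr_dump=$3
    [ -n "$in_if" ] && [ -n "$out_if" ] && [ "$in_if" != "$out_if" ] || return 1
    for dev in "$in_if" "$out_if"; do
        # one line per address: "<idx>: <dev>    inet ..." / "... inet6 ..."
        if printf '%s\n' "$addr_dump" | grep -E "^[0-9]+: ${dev}[[:space:]]+inet" >/dev/null; then
            return 1
        fi
    done
    return 0
}

# snort_inline_cmd IN OUT
# Prints the command line from the thread with the DAQ mode made explicit.
snort_inline_cmd() {
    printf '%s' "$SNORT --daq afpacket --daq-dir $DAQ_DIR --daq-mode inline -Q -c $SNORT_CONF -i $1:$2"
}

# bring_up_pair IN OUT
# Real side effects: drop any addresses, bring both links up in promiscuous
# mode so AFPacket sees every frame, and (if ethtool is present) turn off
# receive offloads that would merge frames before Snort sees them.
bring_up_pair() {
    for dev in "$1" "$2"; do
        ip addr flush dev "$dev"
        ip link set dev "$dev" up promisc on
        command -v ethtool >/dev/null && ethtool -K "$dev" gro off lro off >/dev/null 2>&1
    done
}

# Usage: sh inline-pair.sh eth3 eth4   (manage the box over eth2, never over the pair)
if [ "$#" -eq 2 ]; then
    if pair_is_dedicated "$1" "$2" "$(ip -o addr show)"; then
        bring_up_pair "$1" "$2"
        cmd=$(snort_inline_cmd "$1" "$2")
        exec $cmd   # paths above contain no whitespace; word splitting is intended
    else
        echo "refusing: $1 and $2 must be two distinct interfaces with no IP address" >&2
        exit 1
    fi
fi
```

Against the constructed dump, `pair_is_dedicated eth0 eth1` fails (both are routed interfaces, Joao's original situation) and `pair_is_dedicated eth3 eth4` passes; SSH, the database and anything else the box serves stay on eth2, which Snort never touches.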
Current thread: