Snort mailing list archives

Re: PF_RING and DNA with Snort


From: Tim Covel <tcovel () metaflows com>
Date: Wed, 14 Aug 2013 13:26:21 -0700

It looks like in newer versions of PF_RING you have to specify multiple 
clusterid values when using inline mode:

pfring-daq-module/README.1st suggests: "--daq-var clusterid=10,11" in 
the IPS example.

and also explains the clusterid var as:
"--daq-var clusterid=<comma separated id list>
where an id is a number (i.e. the clusterId), one for each interface."

It also looks like you are not currently using DNA interfaces; you need 
to make sure to load the correct driver 
(PF_RING/drivers/DNA/<driver version>) and start snort using the DNA 
interfaces the driver creates if you want to use DNA.

-Tim

On 08/14/2013 12:18 PM, Avery Rozar wrote:
Is there an up-to-date example of using pfring and DNA with Snort?

I used the metaflows example, and am running into issues when trying to run snort.

Using this I get an error:
snort -c /etc/snort/snort.conf -A console -y -i eth0:eth1 --daq-dir /usr/local/lib/daq --daq pfring --daq-var clusterid=10 --daq-mode inline -Q

pfring DAQ configured to inline.
eth0 <-> eth1
ERROR: Can't initialize DAQ pfring (-1) - pfring_daq_initialize: not enough cluster ids (1)

Fatal Error, Quitting..


And using this I get an error:
snort -c /etc/snort/snort.conf -A console -y -i eth0:eth1 --daq-dir /usr/local/lib/daq --daq pfring --daq-mode inline -Q

pfring DAQ configured to inline.
eth0 <-> eth1
ERROR: Can't initialize DAQ pfring (-1) -
Fatal Error, Quitting..


Any help would be great!

------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite!
It's a free troubleshooting tool designed for production.
Get down to code-level detail for bottlenecks, with <2% overhead.
Download for free and get started troubleshooting in minutes.
http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
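
Added example, not part of either message or of the PF_RING sources: a pre-flight shell check for the README.1st rule quoted in the reply (one clusterid per interface), run before starting Snort inline. It assumes the interfaces in the -i value are separated by ':' as in eth0:eth1; the function names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread): verify that --daq-var clusterid has
# one numeric id per interface before starting Snort inline with pfring.
# Assumption: interfaces in the -i value are separated by ':' (eth0:eth1).

# count_fields STRING SEP: print the number of non-empty SEP-separated fields
count_fields() {
    printf '%s\n' "$1" | awk -F"$2" '{ n = 0; for (i = 1; i <= NF; i++) if ($i != "") n++; print n }'
}

# check_clusterids IFSPEC IDS: return 0 if IDS has one number per interface
check_clusterids() {
    n_if=$(count_fields "$1" ':')
    n_id=$(count_fields "$2" ',')
    for id in $(printf '%s' "$2" | tr ',' ' '); do
        case $id in
            *[!0-9]*) echo "clusterid '$id' is not a number" >&2; return 1 ;;
        esac
    done
    if [ "$n_if" -ne "$n_id" ]; then
        echo "'$1' has $n_if interface(s) but clusterid='$2' has $n_id id(s)" >&2
        return 1
    fi
}

# pfring_inline_args IFSPEC IDS: print the interface/DAQ options from the
# thread's command line, or fail without printing if the check fails
pfring_inline_args() {
    check_clusterids "$1" "$2" || return 1
    printf '%s\n' "-i $1 --daq pfring --daq-mode inline -Q --daq-var clusterid=$2"
}

# Constructed inputs: the failing value from the question, then the README form
for ids in 10 10,11; do
    if args=$(pfring_inline_args eth0:eth1 "$ids"); then
        echo "ok:  snort $args"
    else
        echo "bad: clusterid=$ids"
    fi
done
```

The remaining options from the original command (-c, -A console, -y, --daq-dir) are unchanged by the check and can be prepended to the printed arguments.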

