Re: PF_RING and DNA with Snort

[Avery Rozar <Avery.Rozar () i-techsupport com>]

Thanks Tim.

Do you know if its still necessary to install daq 2.0.1, or should I just
used the daq install from "PF_RING/userland/snort/pfring-daq-module/"?

Thanks.

On 8/14/13 4:26 PM, "Tim Covel" <tcovel () metaflows com> wrote:

> It looks like in newer versions of PF_RING you have to specify multiple
> clusterid values when using inline mode:
>
> pfring-daq-module/README.1st suggests: "--daq-var clusterid=10,11" in
> the IPS example.
>
> and also explains the clusterid var as:
> "--daq-var clusterid=<comma separated id list>
> where an id is a number (i.e. the clusterId), one for each interface."
>
> It also looks like you are not currently using DNA interfaces, you need
> to make sure to load the correct driver (PF_RING/drivers/DNA/<driver
> version>) and start snort using the DNA interfaces the driver creates if
> you want to use DNA.
>
> -Tim
>
> On 08/14/2013 12:18 PM, Avery Rozar wrote:
> > Is there an up to date example of using pfring, and dan with Snort?
> >
> > I used the metaflows example, and am running into issues when trying to
> > run snort
> >
> > Using this I get an error
> > snort -c /etc/snort/snort.conf -A console -y -i eth0:eth1 --daq-dir
> > /usr/local/lib/daq --daq pfring --daq-var clusterid=10 --daq-mode inline
> > ­Q
> >
> > pfring DAQ configured to inline.
> > eth0 <-> eth1
> > ERROR: Can't initialize DAQ pfring (-1) - pfring_daq_initialize: not
> > enough cluster ids (1)
> >
> > Fatal Error, Quitting..
> >
> >
> > And using this I get an error
> > snort -c /etc/snort/snort.conf -A console -y -i eth0:eth1 --daq-dir
> > /usr/local/lib/daq --daq pfring --daq-mode inline ­Q
> >
> > pfring DAQ configured to inline.
> > eth0 <-> eth1
> > ERROR: Can't initialize DAQ pfring (-1) -
> > Fatal Error, Quitting..
> >
> >
> > Any help would be great!
> >
> >
> > -------------------------------------------------------------------------
> > -----
> > Get 100% visibility into Java/.NET code with AppDynamics Lite!
> > It's a free troubleshooting tool designed for production.
> > Get down to code-level detail for bottlenecks, with <2% overhead.
> > Download for free and get started troubleshooting in minutes.
> >
> > http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clkt
> > rk
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> > Snort news!
>
>
> --------------------------------------------------------------------------
> ----
> Get 100% visibility into Java/.NET code with AppDynamics Lite!
> It's a free troubleshooting tool designed for production.
> Get down to code-level detail for bottlenecks, with <2% overhead.
> Download for free and get started troubleshooting in minutes.
> http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktr
> k
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!


------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite!
It's a free troubleshooting tool designed for production.
Get down to code-level detail for bottlenecks, with <2% overhead. 
Download for free and get started troubleshooting in minutes. 
http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!