Re: PF_RING and DNA with Snort

[Avery Rozar <Avery.Rozar () i-techsupport com>]

Yea I did see that this morning as I read the prerequisites. Thanks for
your help, I did get pf_ring working properly. Now I just think I'm having
issues with the Silicom card, I'm not passing traffic..


On 8/15/13 1:41 PM, "Tim Covel" <tcovel () metaflows com> wrote:

> I'm pretty sure you still need the normal daq installed, it's listed as
> prerequisite for the pfring-daq-module. Also the normal daq install
> provides other modules, such as afpacket, which can be really useful in
> testing.
>
> -Tim
>
> On 08/15/2013 04:12 AM, Avery Rozar wrote:
> > Thanks Tim.
> >
> > Do you know if its still necessary to install daq 2.0.1, or should I
> > just
> > used the daq install from "PF_RING/userland/snort/pfring-daq-module/"?
> >
> > Thanks.
> >
> > On 8/14/13 4:26 PM, "Tim Covel" <tcovel () metaflows com> wrote:
> >
> > > It looks like in newer versions of PF_RING you have to specify multiple
> > > clusterid values when using inline mode:
> > >
> > > pfring-daq-module/README.1st suggests: "--daq-var clusterid=10,11" in
> > > the IPS example.
> > >
> > > and also explains the clusterid var as:
> > > "--daq-var clusterid=<comma separated id list>
> > > where an id is a number (i.e. the clusterId), one for each interface."
> > >
> > > It also looks like you are not currently using DNA interfaces, you need
> > > to make sure to load the correct driver (PF_RING/drivers/DNA/<driver
> > > version>) and start snort using the DNA interfaces the driver creates
> > > if
> > > you want to use DNA.
> > >
> > > -Tim
> > >
> > > On 08/14/2013 12:18 PM, Avery Rozar wrote:
> > > > Is there an up to date example of using pfring, and dan with Snort?
> > > >
> > > > I used the metaflows example, and am running into issues when trying
> > > > to
> > > > run snort
> > > >
> > > > Using this I get an error
> > > > snort -c /etc/snort/snort.conf -A console -y -i eth0:eth1 --daq-dir
> > > > /usr/local/lib/daq --daq pfring --daq-var clusterid=10 --daq-mode
> > > > inline
> > > > ­Q
> > > >
> > > > pfring DAQ configured to inline.
> > > > eth0 <-> eth1
> > > > ERROR: Can't initialize DAQ pfring (-1) - pfring_daq_initialize: not
> > > > enough cluster ids (1)
> > > >
> > > > Fatal Error, Quitting..
> > > >
> > > >
> > > > And using this I get an error
> > > > snort -c /etc/snort/snort.conf -A console -y -i eth0:eth1 --daq-dir
> > > > /usr/local/lib/daq --daq pfring --daq-mode inline ­Q
> > > >
> > > > pfring DAQ configured to inline.
> > > > eth0 <-> eth1
> > > > ERROR: Can't initialize DAQ pfring (-1) -
> > > > Fatal Error, Quitting..
> > > >
> > > >
> > > > Any help would be great!
> > > >
> > > >
> > > >
> > > > -----------------------------------------------------------------------
> > > > --
> > > > -----
> > > > Get 100% visibility into Java/.NET code with AppDynamics Lite!
> > > > It's a free troubleshooting tool designed for production.
> > > > Get down to code-level detail for bottlenecks, with <2% overhead.
> > > > Download for free and get started troubleshooting in minutes.
> > > >
> > > >
> > > > http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.cl
> > > > kt
> > > > rk
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users () lists sourceforge net
> > > > Go to this URL to change user options or unsubscribe:
> > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> > > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > > >
> > > > Please visit http://blog.snort.org to stay current on all the latest
> > > > Snort news!
> > >
> > >
> > > ------------------------------------------------------------------------
> > > --
> > > ----
> > > Get 100% visibility into Java/.NET code with AppDynamics Lite!
> > > It's a free troubleshooting tool designed for production.
> > > Get down to code-level detail for bottlenecks, with <2% overhead.
> > > Download for free and get started troubleshooting in minutes.
> > >
> > > http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clk
> > > tr
> > > k
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > >
> > > Please visit http://blog.snort.org to stay current on all the latest
> > > Snort news!

------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite!
It's a free troubleshooting tool designed for production.
Get down to code-level detail for bottlenecks, with <2% overhead. 
Download for free and get started troubleshooting in minutes. 
http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!