Snort mailing list archives
Re: Snort 2.9.6.2 inline mode problem
From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 27 Aug 2014 13:20:05 -0600
On 2014-08-27 13:12, Debason Shockre wrote:

> > But your --daq-mode inline is the issue....that sets up the Snort controlled bridge.
> > James
>
> Can you please elaborate why it is an issue, and how do you set up IPS with afpacket? Thanks.

First doc: https://github.com/vrtadmin/snort-faq/blob/master/docs/README.daq

And from the daq source README:

AFPACKET Module
===============

afpacket functions similarly to the pcap DAQ but with better performance:

    ./snort --daq afpacket -i <device> [--daq-var buffer_size_mb=<#MB>] [--daq-var debug]

If you want to run afpacket in inline mode, you must set device to one or more interface pairs, where each member of a pair is separated by a single colon and each pair is separated by a double colon like this:

    eth0:eth1

or this:

    eth0:eth1::eth2:eth3

By default, the afpacket DAQ allocates 128MB for packet memory. You can change this with:

    --daq-var buffer_size_mb=<#MB>

Note that the total allocated is actually higher; here's why. Assuming the default packet memory with a snaplen of 1518, the numbers break down like this:

* The frame size is 1518 (snaplen) + the size of the AFPacket header (66 bytes) = 1584 bytes.
* The number of frames is 128 MB / 1518 = 84733.
* The smallest block size that can fit at least one frame is 4 KB = 4096 bytes @ 2 frames per block.
* As a result, we need 84733 / 2 = 42366 blocks.
* Actual memory allocated is 42366 * 4 KB = 165.5 MB.

NOTE: Linux kernel version 2.6.31 or higher is required for the AFPacket DAQ module due to its dependency on both TPACKET v2 and PACKET_TX_RING support.

NFQ Module
==========

NFQ is the new and improved way to process iptables packets:

    ./snort --daq nfq \
        [--daq-var device=<dev>] \
        [--daq-var proto=<proto>] \
        [--daq-var queue=<qid>]

    <dev>   ::= ip | eth0, etc; default is IP injection
    <proto> ::= ip4 | ip6 |; default is ip4
    <qid>   ::= 0..65535; default is 0

This module cannot run unprivileged, so ./snort -u -g will produce a warning and won't change user or group.

Hey Joel, is the daq source on github by chance?

James
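The README text quoted above gives one worked instance of the afpacket DAQ memory arithmetic (128 MB, snaplen 1518) and describes the interface-pair syntax needed for inline mode. The following is an added example, not code from the thread or from the Snort/DAQ project: it generalises the README's breakdown to any buffer size and snaplen, and validates a `-i` device string before it is handed to `snort --daq afpacket`. The 66-byte header and 4 KB minimum block come from the README; the function names, the duplicate-interface check and the sample inputs are this example's own assumptions.

```python
"""Added example (not Snort/DAQ project code): afpacket DAQ sizing helpers
based on the numbers quoted from the daq README."""

from math import ceil
from typing import Dict, List, Tuple

AFPACKET_HDR = 66   # AFPacket header size quoted in the README
MIN_BLOCK = 4096    # smallest block is one 4 KB page, per the README


def afpacket_memory(buffer_size_mb: int = 128, snaplen: int = 1518) -> Dict[str, float]:
    """Reproduce the README's frame/block breakdown for arbitrary inputs.

    The README line says "128 MB / 1518 = 84733", but 84733 is what you get
    from 128 MiB / 1584 (snaplen plus header), so the full frame size is used.
    """
    frame_size = snaplen + AFPACKET_HDR
    packet_mem = buffer_size_mb * 1024 * 1024
    frames = packet_mem // frame_size
    # Smallest multiple of 4 KB that holds at least one frame.
    block_size = ceil(frame_size / MIN_BLOCK) * MIN_BLOCK
    frames_per_block = block_size // frame_size
    blocks = frames // frames_per_block
    actual_bytes = blocks * block_size
    return {
        "frame_size": frame_size,
        "frames": frames,
        "block_size": block_size,
        "frames_per_block": frames_per_block,
        "blocks": blocks,
        "actual_mb": round(actual_bytes / (1024 * 1024), 1),
    }


def parse_inline_pairs(spec: str) -> List[Tuple[str, str]]:
    """Parse the README's inline syntax: pairs joined by '::', members by ':'.

    "eth0:eth1::eth2:eth3" -> [("eth0", "eth1"), ("eth2", "eth3")].
    Raises ValueError when the string would not form proper bridge pairs
    (single interface, empty name, or an interface used twice); the reuse
    check is this example's assumption, not a rule stated in the README.
    """
    pairs: List[Tuple[str, str]] = []
    seen = set()
    for chunk in spec.split("::"):
        parts = chunk.split(":")
        if len(parts) != 2 or not all(parts):
            raise ValueError(f"not an interface pair: {chunk!r}")
        left, right = parts
        if left == right or left in seen or right in seen:
            raise ValueError(f"interface used more than once: {chunk!r}")
        seen.update((left, right))
        pairs.append((left, right))
    return pairs


def afpacket_cmdline(spec: str, buffer_size_mb: int = 128) -> str:
    """Build the inline command line from the README after validating the spec."""
    parse_inline_pairs(spec)  # raises on a malformed device string
    return (f"./snort --daq afpacket -i {spec} "
            f"--daq-var buffer_size_mb={buffer_size_mb} -Q")


if __name__ == "__main__":
    # Constructed sample inputs: the README's default case and a two-pair bridge.
    print(afpacket_memory())
    print(afpacket_memory(buffer_size_mb=256, snaplen=9000))
    print(afpacket_cmdline("eth0:eth1::eth2:eth3"))
```

Running it with the defaults reproduces the README's 84733 frames, 42366 blocks and 165.5 MB; passing a jumbo-frame snaplen shows how the block size jumps to the next 4 KB multiple and the real allocation grows with it, which is what to budget for on a small inline sensor.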