Snort mailing list archives

Re: DAQ 2.0.2, NFQ - DAQ error when trying to start snort


From: "Russ Combs (rucombs)" <rucombs () cisco com>
Date: Sat, 4 Oct 2014 20:00:25 +0000


________________________________
From: Peter Fyon [peter.fyon () gmail com]
Sent: Saturday, October 04, 2014 10:42 AM
To: Hui Cao (huica)
Cc: snort-devel () lists sourceforge net
Subject: Re: [Snort-devel] DAQ 2.0.2, NFQ - DAQ error when trying to start snort

Thanks Hui,

I removed the -i eth0 from my snort command line options and it started without the warning. Not quite sure why the DAQ 
fails to load if you specify an interface for snort since, as I found by commenting out that chunk of code, it looks 
like the DAQ options override the snort ones.

* The NFQ DAQ gets packets via iptables, not directly from an interface.  Snort could just ignore the -i option in that 
case, but it errs on the side of letting you know when something fundamentally won't work as configured.

Peter

On Tue, Sep 30, 2014 at 2:52 PM, Hui Cao (huica) <huica () cisco com> wrote:
Hi Peter,

The code is to check whether you have configured the interface.  NFQ will not allow an interface. So I guess you have 
specified an interface in your configuration.

Best,
Hui.

From: Peter Fyon <peter.fyon () gmail com>
Date: Sunday, September 28, 2014 at 3:09 PM
To: "snort-devel () lists sourceforge net" <snort-devel () lists sourceforge net>
Subject: [Snort-devel] DAQ 2.0.2, NFQ - DAQ error when trying to start snort

Hi Snort-devel,

While trying to enable active defense on my snort setup (single interface on a SPAN port), I ran into this error:

The nfq DAQ module does not support interface or readback mode!

My C's a bit rusty, but looking at the code (see diff at the bottom) it seems like it just checks to see if the 
DAQ_Config_t name is set and fails out if so. I can't see the commit log so I don't know why this block of code was 
added, but everything works fine after commenting it out and recompiling. Did I just work around something that I 
shouldn't have?

daq_nfq.c
200,204c200,204
<     if(cfg->name && *(cfg->name))
<     {
<         snprintf(errBuf, errMax, "The nfq DAQ module does not support interface or readback mode!");
<         return DAQ_ERROR_INVAL;
<     }
---
//    if(cfg->name && *(cfg->name))
//    {
//        snprintf(errBuf, errMax, "The nfq DAQ module does not support interface or readback mode!");
//        return DAQ_ERROR_INVAL;
//    }
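
Review bot: commenting out the cfg->name check at daq_nfq.c lines 200-204 removes the only point where the module reports that an interface or readback source was configured, so a run that the module's own error text calls unsupported now starts without any indication. Keep the check and drop the interface from the Snort invocation instead. If accepting a set name is really the intent, delete the block rather than leaving five commented-out lines behind, and state in the change description why DAQ_ERROR_INVAL is no longer returned for this case.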


Peter
