Snort mailing list archives
Re: Trouble Enabling Snort for IPv4 & IPv6 Simultaneously Using NFQ
From: Russ <rucombs () cisco com>
Date: Mon, 26 Oct 2015 15:31:31 -0400
As far as I know, NFQ does not support both simultaneously. Furthermore, the DAQ passes on the packet it gets to Snort unmodified, which is an IP4 or IP6 datagram w/o encapsulation, so Snort knows which only by the DLT, which does not change per packet.
On 10/26/15 2:48 PM, Daniel Ayoub wrote:
Hi!I've been trying to get a single instance of Snort to work with NFQ daq for both IPv4 and IPv6 traffic simultaneously for the last few days but am having trouble getting it to work. I'm running Snort 2.9.7.6 and DAQ 2.0.6 - snort has been compiled with --enable-ipv6 flag set. According to documentation it looks this should be possible by specifying the 'ip*' protocol within the NFQ daq-variables.Not sure if this is a known bug, system limitation, or error in documentation but would very much appreciate some input on this.Is it possible to use a single instance of Snort to monitor IPv4 and IPv6 traffic simultaneously while using NFQ DAQ?I understand that I can run an instance with for each mode separately; that works but is not ideal.Here's manual entry for the feature I'm trying to use... 1.5.4 NFQ NFQ is the new and improved way to process iptables packets: ./snort --daq nfq \ [--daq-var device=<dev>] \ [--daq-var proto=<proto>] \ [--daq-var queue=<qid>] \ [--daq-var queue_len=<qlen>] <dev> ::= ip | eth0, etc; default is IP injection <proto> ::= ip4 | ip6 | ip*; default is ip4 <qid> ::= 0..65535; default is 0 <qlen> ::= 0..65535; default is 0 Here's part of the config I'm trying to use.. config daq: nfq config daq_dir: /usr/lib/daq/ config daq_mode: inline config daq_var: queue=11 config daq_var: proto=ip* Here's the output I receive when trying to test the config... nfq DAQ configured to inline. ERROR: Can't initialize DAQ nfq (-1) - nfq_daq_get_setup: bad proto (ip*) Fatal Error, Quitting..When I searched for nfq_daq_get_setup function, I found it in DAQ source file/daq-2.0.6/os-daq-modules/daq_nfq.cHowever, it appears support for this capability was commented out with a note...static int nfq_daq_get_protos (const char* s) { if ( !s || !strncasecmp(s, "ip4", 3) ) return 0x1; if ( !strncasecmp(s, "ip6", 3) ) return 0x2; #if 0 // doesn't look like both can be handled simultaneously if ( !strncasecmp(s, "ip*", 3) ) return 0x3; #endif return 0; }Based on the comment it seems to be a known issue however the comment conflicts with the documentation so I'm unsure if this is a bug or what. Is there a way to make this work? Any idea how to implement this capability using a work-around?Thanks, Daniel ------------------------------------------------------------------------------ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Trouble Enabling Snort for IPv4 & IPv6 Simultaneously Using NFQ Daniel Ayoub (Oct 26)
- Re: Trouble Enabling Snort for IPv4 & IPv6 Simultaneously Using NFQ Russ (Oct 26)