Snort mailing list archives

Re: listing daq-vars and confirming the cluster type of pfring


From: Michael Altizer <xiche () verizon net>
Date: Mon, 29 May 2017 13:45:11 -0400

First of all, DAQ variables will never directly affect or configure Snort; they are purely a construct of the DAQ module being used. In the current version of libDAQ there is no way to query a DAQ module for variables that it supports, so the best you can do is either look at the source or the documentation for the particular module to determine which variables may be set and the effect of doing so. As you probably know, to pass a DAQ variable through Snort to the DAQ module, use the --daq-var command line option in the form of "variable_name" (to define the variable with a null value) or "variable_name=value" (to define the variable with a value). If you really want to confirm anything that a particular DAQ module is doing, you will need to at least examine the code and potentially add some debug logging and recompile to be absolutely sure.

On 05/12/2017 09:25 AM, Charlie Dyer wrote:
Hello list

Could someone tell me if there is a way of listing all the variables you
can pass to the daq-vars option?
I've tried looking in various header files but can't find anything.
The reason I ask is to confirm what type of clustering pf_ring is using and
whether you can tell it to use one type or the other. As I understand it
from reading the pfring code, the type is either round-robin (the default)
or flow-5-tuple. How can I tell snort/pfring/daq to use flow-5-tuple?
It would be good to understand what all the daq-var variables are and what
they do/how they affect snort.

Many thanks in advance

Charles

