Snort mailing list archives
Re: Snort inline
From: "Al Lewis (allewi) via Snort-users" <snort-users () lists snort org>
Date: Thu, 7 Mar 2019 18:34:19 +0000
Hello,

See the readme file that comes with the daq download for complete details…

AFPACKET Module
===============

afpacket functions similar to the pcap DAQ but with better performance:

    ./snort --daq afpacket -i <device>
            [--daq-var buffer_size_mb=<#MB>]
            [--daq-var debug]

If you want to run afpacket in inline mode, you must craft the device string as
one or more interface pairs, where each member of a pair is separated by a
single colon and each pair is separated by a double colon like this:

    eth0:eth1

or this:

    eth0:eth1::eth2:eth3

By default, the afpacket DAQ allocates 128MB for packet memory. You can change
this with:

    --daq-var buffer_size_mb=<#MB>

Note that the total allocated is actually higher, here's why. Assuming the
default packet memory with a snaplen of 1518, the numbers break down like this:

* The frame size is 1518 (snaplen) + the size of the AFPacket header (66
  bytes) = 1584 bytes.

* The number of frames is 128 MB / 1518 = 84733.

* The smallest block size that can fit at least one frame is 4 KB = 4096 bytes
  @ 2 frames per block.

* As a result, we need 84733 / 2 = 42366 blocks.

* Actual memory allocated is 42366 * 4 KB = 165.5 MB.

NOTE: Linux kernel version 2.6.31 or higher is required for the AFPacket DAQ
module due to its dependency on both TPACKET v2 and PACKET_TX_RING support.

Thanks.

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi () cisco com

From: Snort-users <snort-users-bounces () lists snort org> on behalf of Lucero Guerrero Flores <lucero.guerrero () ipicyt edu mx>
Date: Thursday, March 7, 2019 at 12:56 PM
To: "snort-users () lists snort org" <snort-users () lists snort org>
Subject: [Snort-users] Snort inline

Dear.

Could you help me know how to configure snort ids to snort inline with daq af_packets? I have installed Snort 3 on Ubuntu server 18.04.

Thank you.

--
TSU. Lucero Guerrero Flores
Information Security Analyst
Instituto Potosino de Investigación Científica y Tecnológica, A.C.
Camino a la Presa San José 2055, Lomas 4a. secc.
Ext.2716
Cel. (444)1206676
www.cns-ipicyt.mx <http://www.cns-ipicyt.mx/>
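The README excerpt quoted in the reply above describes two things that are easy to get wrong before starting Snort inline: the pair syntax of the device string and the real size of the packet ring. The following is an added example, not part of the message or of the DAQ source; the function and class names are hypothetical, and growing the block size in powers of two for larger snaplens is an assumption. The frame count of 84733 is reproduced by dividing the buffer by the 1584-byte frame size.

```python
from dataclasses import dataclass

PAGE_SIZE = 4096       # 4 KB, the smallest block size named in the README
AFPACKET_HEADER = 66   # AFPacket header bytes per frame, per the README


def parse_inline_pairs(device: str) -> list[tuple[str, str]]:
    """Split 'eth0:eth1::eth2:eth3' into [('eth0','eth1'), ('eth2','eth3')]."""
    pairs = []
    for chunk in device.split("::"):          # double colon separates pairs
        members = chunk.split(":")            # single colon separates members
        if len(members) != 2 or not all(members):
            raise ValueError(f"not an interface pair: {chunk!r}")
        pairs.append((members[0], members[1]))
    return pairs


@dataclass
class RingLayout:
    frame_size: int
    frames: int
    block_size: int
    frames_per_block: int
    blocks: int

    @property
    def allocated_bytes(self) -> int:
        return self.blocks * self.block_size


def ring_layout(buffer_size_mb: int = 128, snaplen: int = 1518) -> RingLayout:
    """Follow the README's breakdown for a given buffer_size_mb and snaplen."""
    frame_size = snaplen + AFPACKET_HEADER
    frames = buffer_size_mb * 1024 * 1024 // frame_size
    block_size = PAGE_SIZE
    while block_size < frame_size:            # assumption: blocks double in size
        block_size *= 2
    frames_per_block = block_size // frame_size
    blocks = frames // frames_per_block
    return RingLayout(frame_size, frames, block_size, frames_per_block, blocks)


if __name__ == "__main__":
    print(parse_inline_pairs("eth0:eth1::eth2:eth3"))
    layout = ring_layout()
    print(layout, f"{layout.allocated_bytes / 2**20:.1f} MB allocated")
```

A single interface name such as `eth0` is rejected here because it cannot form an inline pair, even though it is a valid device for passive capture.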