Home page logo
/

snort logo Snort mailing list archives

Re: No bridging support with Daq?
From: NA <dustypath () comcast net>
Date: Thu, 16 Dec 2010 13:30:59 -0800

With /usr/bin/snort --daq-dir /usr/lib64/daq --daq-mode inline --daq 
afpacket -i eth0:eth1

This started, but ignored afpacket, I assume because the bridge needs to 
go away. I am not however following the statement that afpacket will 
take care of the bridge, begging the question, how do I set up the 
interfaces? I would appreciate more documentation on DAQ.

OUTPUT:
Running in packet dump mode
<snip>

I have read the DAQ and Snort DAQ tarballs and can not get the interface 
loaded the via snort.conf, probably missing something, confusing passing 
the interface to DAQ with the interface Snort needs to listen on..one 
and the same though? I have not looked/changed much in snort.conf yet.
I will try "config interface: eth0:eth1" again with the bridge deleted 
but would appreciate any further comments.
Thanks



On 12/16/10 12:53 PM, Russ Combs wrote:


On Thu, Dec 16, 2010 at 3:44 PM, Jason Wallace 
<jason.r.wallace () gmail com <mailto:jason.r.wallace () gmail com>> wrote:

    On Thu, Dec 16, 2010 at 3:37 PM, Russ Combs <rcombs () sourcefire com
    <mailto:rcombs () sourcefire com>> wrote:
    >
    >
    > On Thu, Dec 16, 2010 at 3:30 PM, Jason Wallace
    <jason.r.wallace () gmail com <mailto:jason.r.wallace () gmail com>>
    > wrote:
    >>
    >> The issue with Gentoo and the IPQ and NFQ DAQs is that the current
    >> ebuild for libdnet does not compile with PIC so we get relocation
    >> errors when we try to build those DAQs. We need to get the libdnet
    >> package maintainer to roll a package with the PIC USE flag before I
    >> can add IPQ and NFQ support to the DAQ ebuild.
    >>
    >> If you use afpacket you shouldn't need to bridge should you? Isn't
    >> that the point of assigning interface pairs?
    >>
    >> ./snort --daq afpacket -i eth0:eth1
    >>
    >> Rather than...
    >>
    >> ./snort --daq afpacket -i bond0
    >
    > Correct.  config daq_var: device=eth1:eth0 is not correct.
    >

    Did you mean is correct?


Yes - what Wally wrote is correct.  Specifcially:

 ./snort --daq afpacket -i eth0:eth1

should work.


    > NA please check the DAQ tarball README.
    >
    > You can run as shown above or with config interface: eth0:eth1.
    >
    > The afpacket DAQ takes care of the bridging.
    >


snip

------------------------------------------------------------------------------
Lotusphere 2011
Register now for Lotusphere 2011 and learn how
to connect the dots, take your collaborative environment
to the next level, and enter the era of Social Business.
http://p.sf.net/sfu/lotusphere-d2d
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault