Snort mailing list archives

Re: pcap DAQ does not support inline
From: Y M <snort () outlook com>
Date: Wed, 24 Apr 2013 19:15:39 +0300

eth0 and eth1 will be used by Snort only to pass traffic inline.

The third interface I mentioned earlier, eth2, will be used for management. In this case you will not be interfering with the traffic.
________________________________
From: Joao Daniel Neves<mailto:joaodanielnevesss () hotmail com>
Sent: 4/24/2013 6:56 PM
To: Y M<mailto:snort () outlook com>
Cc: snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>
Subject: RE: [Snort-users] pcap DAQ does not support inline

YM,

But if this pair of interfaces is being used for normal traffic. Example:

/usr/local/bin/snort --daq afpacket -Q -c /etc/snort/snort.conf -i eth0:eth1

If a database is listening on interface eth1, I can't access this database. I can't access anything listening on eth0 and eth1.

Will I need a pair of 'idle' interfaces?

To: joaodanielnevesss () hotmail com
CC: snort-users () lists sourceforge net
From: snort () outlook com
Subject: RE: [Snort-users] pcap DAQ does not support inline
Date: Wed, 24 Apr 2013 17:20:00 +0300

The two interfaces will be used by Snort, you will need a third interface for management, i.e.: ssh, database, etc.

Also don't forget to set the daq mode, look for --daq-mode

I haven't used ipfw, so I can't add on that.

Please, when you reply, reply to the entire list, everybody benefits :)



From: Joao Daniel Neves
Sent: 4/24/2013 4:28 PM
To: Y M
Subject: RE: [Snort-users] pcap DAQ does not support inline

Hi,

YM,

/usr/local/bin/snort --daq afpacket -Q -c /etc/snort/snort.conf -i eth0:eth1

I'm using this line to start snort. As I searched, afpacket needs two interfaces:

"In order to have an inline deployment you need at least one pair of interfaces for the traffic to flow through. To that end, you need to specify a second interface for AFPacket to use to complete the bridge."

But for some reason when I used two interfaces things got weird. I lost SSH access to snort. I think that the reason is because the traffic flows through one interface to another. Do you have some clues about this issue?

My available daq modules are

pcap(v3): readback live multi unpriv
ipfw(v2): live inline multi unpriv
dump(v1): readback live inline multi unpriv
afpacket(v4): live inline multi unpriv

Which module can I use to enable inline mode without needing to specify two interfaces?

I think that it would be ipfw, but as far as I know ipfw is for BSD and I'm not using BSD.







To: joaodanielnevesss () hotmail com; snort-users () lists sourceforge net
From: snort () outlook com
Subject: RE: [Snort-users] pcap DAQ does not support inline
Date: Mon, 22 Apr 2013 18:56:45 +0300

pcap does not support inline mode, it is meant for passive mode only. Instead, use afpacket for inline mode.

To make sure it is installed, run Snort as

snort --daq-list

This will return a list of the installed daq modules.



From: Joao Daniel Neves
Sent: 4/22/2013 6:47 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] pcap DAQ does not support inline

Hi,

I'm getting this error when running Snort in inline mode: "ERROR: pcap DAQ does not support inline". I have searched on Google, but did not get anything useful. The point is I don't even know why this is happening.

What do you suggest?

Some information for debugging:



My daq dir is /usr/local/lib/daq

ls /usr/local/lib/daq
daq_afpacket.la
daq_afpacket.so
daq_dump.la
daq_dump.so
daq_ipfw.la
daq_ipfw.so
daq_pcap.la
daq_pcap.so

I tried to start Snort with

/usr/local/bin/snort -Q -i eth1 --daq-dir /usr/local/lib/daq/ -c /etc/snort/snort.conf
/usr/local/bin/snort -Q -de *--daq nfq* --daq-dir /usr/local/lib/daq -c /etc/snort/snort.conf
/usr/local/bin/snort --daq pcap -Q -c /etc/snort/snort.conf -i eth0:eth1
/usr/local/bin/snort -Q -c /etc/snort/snort.conf -i eth0:eth1

None of them worked.

Some more information



/usr/lib/libpcap.a
/usr/lib/libpcap.so
/usr/lib/libpcap.so.0
/usr/lib/libpcap.so.0.9
/usr/lib/libpcap.so.0.9.4
/usr/lib/libpcap.so.1
/usr/lib/libpcap.so.1.3.0
/usr/lib64/libpcap.so.0
/usr/lib64/libpcap.so.0.9
/usr/lib64/libpcap.so.0.9.4
/usr/local/lib/libpcap.a
/usr/local/lib/libpcap.so
/usr/local/lib/libpcap.so.1
/usr/local/lib/libpcap.so.1.3.0
/usr/local/lib/daq/daq_pcap.la
/usr/local/lib/daq/daq_pcap.so

Maybe those multiple versions of pcap are causing the error?






_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!


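As an added example, not code from the thread or from the Snort project: a small shell helper that applies the thread's advice before Snort is started. It parses `snort --daq-list` output for a module whose capabilities include "inline", refuses a management interface that is part of the bridged pair (the way SSH to the sensor was lost above), and composes the afpacket command line with `--daq-mode inline`. The DAQ list is the one pasted in the thread, embedded as a constructed sample; the function names and the eth0:eth1 / eth2 layout are assumptions of this example.

```shell
#!/usr/bin/env bash
# Constructed sample of `snort --daq-list` output: the four modules pasted in
# the thread. On a real sensor, pipe the live command output in instead.
SAMPLE_DAQ_LIST='pcap(v3): readback live multi unpriv
ipfw(v2): live inline multi unpriv
dump(v1): readback live inline multi unpriv
afpacket(v4): live inline multi unpriv'

# Print the names of the DAQ modules whose capability list (the text after
# the colon) contains the word "inline". Reads daq-list text on stdin.
inline_daqs() {
    awk -F'[(:]' '{ if ((" " $3 " ") ~ / inline /) print $1 }'
}

# Exit 0 if the named module is inline-capable per the daq-list text on stdin.
# Checking this up front turns "pcap DAQ does not support inline" from a
# start-up failure into an explicit pre-flight result.
daq_supports_inline() {
    inline_daqs | grep -qx -- "$1"
}

# Exit 0 if the management interface ($1) is NOT one of the bridged
# interfaces in the pair ($2, e.g. eth0:eth1). Putting SSH or a database on a
# member of the inline pair is how access was lost in the thread.
mgmt_is_separate() {
    case ":$2:" in *":$1:"*) return 1 ;; esac
    return 0
}

# Compose the Snort command line. -Q requests inline operation and
# --daq-mode inline states the DAQ mode explicitly, as the thread advises.
build_inline_cmd() {
    printf '/usr/local/bin/snort --daq %s --daq-mode inline -Q -c %s -i %s\n' "$1" "$2" "$3"
}

# Demo with the constructed list and the hypothetical layout: eth0:eth1
# bridged for traffic, eth2 reserved for management.
printf '%s\n' "$SAMPLE_DAQ_LIST" | daq_supports_inline afpacket &&
    mgmt_is_separate eth2 eth0:eth1 &&
    build_inline_cmd afpacket /etc/snort/snort.conf eth0:eth1
```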
