Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Question for the Guru's

From: John Liss <john () lissproductions com>
Date: Wed, 16 Nov 2011 16:02:40 -0700
<snip>

Yes Snort does the bridging.
You do not create a bridge as daq does that for you. I simply (after
asking the same question) added this into snort.conf:

config daq: afpacket
config daq_dir: /usr/lib64/daq
config daq_mode: inline
config daq_var: buffer_size_mb=256
Where you spec eth0:eth1 ( or whatever) can be distro specific.

I would imagine using NFQ would offer more control via iptables but have
yet to push down that road. Af-packet works well.

-Bill

Thanks Bill!  I'm off in the right direction!
-John


Thanks again Bill for the boot in the right direction!
Ubuntu 10.04 LTS is working great with 2.9.1.2 using afpacket.

Drops packets wonderfully where told to do so : ]]
I guess someone needs (possibly me) to toss something to the 
snort-team () sourcefire com for a inline config doc.

-John


------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure 
contains a definitive record of customers, application performance, 
security threats, fraudulent activity, and more. Splunk takes this 
data and makes sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-novd2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: