Snort mailing list archives

Re: IPS Inline Mode


From: Matt Martin <MMartin () jwpepper com>
Date: Fri, 20 Jun 2014 16:34:17 +0000

Erdem,

I can't answer your other questions, but I was also having issues with DAQ: when I was compiling DAQ it wasn't
successfully building the IPQ and NFQ modules, so I also saw that error. But I did finally get it compiled with the modules
I wanted. The problem was that daq couldn't find certain header/.so files in my lib dirs, because I was running on 64-bit and
it was checking the standard "/usr/lib" dirs instead of my "lib64" dirs. I fixed it by creating symbolic links to the
.so files it was looking for in the standard "lib" dirs.

If you run the command below you should see a list of available DAQ Modules:
            # snort --daq-list
Available DAQ modules:
pcap(v3): readback live multi unpriv
nfq(v7): live inline multi
ipfw(v3): live inline multi unpriv
dump(v2): readback live inline multi unpriv
afpacket(v5): live inline multi unpriv

Hope that helps…

Thanks,
Matt


From: Erdem Çulcu [mailto:erdem () boryazilim com]
Sent: Friday, June 20, 2014 4:51 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] IPS Inline Mode

Hi,

I am new to Snort.

I installed it following the guide and ran it in IDS mode.

I have two problems.

Firstly, Snort handles only the host machine's packets. I wrote a rule, for example:
alert tcp any any -> any any (content:"www.facebook.com"; msg:"Facebook Accessing"; sid:1000001;)

This rule works only on the machine on which Snort is installed. Other machines' accesses are not handled.

The other problem is inline mode.

I run it with this command:

snort --daq nfq -Q -c /etc/snort/snort.conf  --daq-dir /usr/local/lib/daq --daq-var device=eth0 -i eth0

Snort gives this error:

ERROR: Can't initialize DAQ nfq (-7) - The nfq DAQ module does not support interface or readback mode!

If I remove "-i eth0", Snort works but does not handle any packets.

Thanks for your replies.

Good Works
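As an added example, not code from either message in the thread, the POSIX shell script below parses `snort --daq-list` output in the format Matt posted (embedded here as a constructed sample) to confirm a module was actually built and advertises "inline", and then prints the inline recipe for the two usual Linux cases: nfq, which reads packets from an iptables NFQUEUE selected with `--daq-var queue=N` and takes no `-i` at all, and afpacket, which bridges an interface pair given as `-i eth0:eth1`. The queue number, interface names and config path are assumptions; the script only prints the iptables rules and the snort command line, it does not run them.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the Snort 2.9.x CLI (-Q, --daq,
# --daq-var, -i, -c). Interface names, queue numbers and the config path are
# placeholders; the script prints commands, it does not execute them.

# `snort --daq-list` output as posted in the thread, embedded as a constructed sample.
SAMPLE_DAQ_LIST='Available DAQ modules:
pcap(v3): readback live multi unpriv
nfq(v7): live inline multi
ipfw(v3): live inline multi unpriv
dump(v2): readback live inline multi unpriv
afpacket(v5): live inline multi unpriv'

# daq_caps LIST MODULE: print MODULE's capability words; status 1 if it was not built.
daq_caps() {
    printf '%s\n' "$1" | awk -v m="$2" '
        index($0, m "(") == 1 { sub(/^[^:]*: */, ""); print; found = 1 }
        END { exit found ? 0 : 1 }'
}

# daq_supports LIST MODULE CAP: status 0 if MODULE lists CAP (e.g. inline, unpriv).
daq_supports() {
    caps=$(daq_caps "$1" "$2") || return 1
    case " $caps " in
        *" $3 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# inline_cmd MODULE ARG [CONF]: print the Snort inline command line.
#   nfq      ARG is the NFQUEUE number. nfq reads from the queue, so there is no -i;
#            passing -i is what produces "does not support interface or readback mode".
#   afpacket ARG is a bridged pair "in:out"; afpacket inline needs two interfaces.
inline_cmd() {
    mod=$1; arg=$2; conf=${3:-/etc/snort/snort.conf}
    case $mod in
        nfq)
            case $arg in
                ''|*[!0-9]*) echo "nfq: queue number must be numeric" >&2; return 1 ;;
            esac
            printf 'snort -Q --daq nfq --daq-var queue=%s -c %s\n' "$arg" "$conf" ;;
        afpacket)
            case $arg in
                *:*) ;;
                *) echo "afpacket inline: need an interface pair like eth0:eth1" >&2; return 1 ;;
            esac
            printf 'snort -Q --daq afpacket -i %s -c %s\n' "$arg" "$conf" ;;
        *)
            echo "inline_cmd: no recipe for DAQ module '$mod'" >&2; return 1 ;;
    esac
}

# nfq_rules QUEUE: iptables rules handing traffic to the queue Snort reads from.
# FORWARD covers traffic routed through this box on behalf of other hosts;
# INPUT/OUTPUT cover only the host's own traffic, which is all a sniffer on one
# NIC ever sees unless a mirror/SPAN port feeds it.
nfq_rules() {
    for chain in INPUT OUTPUT FORWARD; do
        printf 'iptables -I %s -j NFQUEUE --queue-num %s\n' "$chain" "$1"
    done
}

# Walk-through: confirm nfq is built and inline-capable, then print the recipe.
if daq_supports "$SAMPLE_DAQ_LIST" nfq inline; then
    nfq_rules 0
    inline_cmd nfq 0
fi
```

If `daq_caps` reports nfq missing from your own `snort --daq-list` output, that is the build problem Matt describes: the DAQ configure step did not find libnetfilter_queue, and the fix is to make the library and headers visible to it before rebuilding. On the first problem in the thread, a sniffer on a single NIC only ever sees frames delivered to that NIC, so inspecting other machines' traffic in IDS mode needs a mirror/SPAN port feeding the Snort interface, and in inline mode the Snort host has to sit in the forwarding path (bridged with afpacket, or routing with the FORWARD rule above).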