Snort mailing list archives

Trouble Enabling Snort for IPv4 & IPv6 Simultaneously Using NFQ


From: Daniel Ayoub <daniel () ayoub it>
Date: Mon, 26 Oct 2015 11:48:49 -0700

Hi!

I've been trying to get a single instance of Snort to work with the NFQ DAQ for
both IPv4 and IPv6 traffic simultaneously for the last few days, but am
having trouble getting it to work. I'm running Snort 2.9.7.6 and DAQ 2.0.6;
Snort has been compiled with the --enable-ipv6 flag set. According to the
documentation, it looks like this should be possible by specifying the 'ip*'
protocol within the NFQ daq-variables.

I'm not sure whether this is a known bug, a system limitation, or an error in
the documentation, but I would very much appreciate some input on this.

Is it possible to use a single instance of Snort to monitor IPv4 and IPv6
traffic simultaneously while using NFQ DAQ?

I understand that I can run an instance for each mode separately; that
works but is not ideal.

Here's the manual entry for the feature I'm trying to use...

1.5.4 NFQ
NFQ is the new and improved way to process iptables packets:

    ./snort --daq nfq \
        [--daq-var device=<dev>] \
        [--daq-var proto=<proto>] \
        [--daq-var queue=<qid>] \
        [--daq-var queue_len=<qlen>]

    <dev> ::= ip | eth0, etc; default is IP injection
    <proto> ::= ip4 | ip6 | ip*; default is ip4
    <qid> ::= 0..65535; default is 0
    <qlen> ::= 0..65535; default is 0

Here's part of the config I'm trying to use...

config daq: nfq
config daq_dir: /usr/lib/daq/
config daq_mode: inline
config daq_var: queue=11
config daq_var: proto=ip*

Here's the output I receive when trying to test the config...

nfq DAQ configured to inline.
ERROR: Can't initialize DAQ nfq (-1) - nfq_daq_get_setup: bad proto (ip*)
Fatal Error, Quitting..

When I searched for the nfq_daq_get_setup function, I found it in the DAQ source
file /daq-2.0.6/os-daq-modules/daq_nfq.c

However, it appears that support for this capability was commented out with a
note...

#include <strings.h>   /* strncasecmp() */

/* Maps the proto= daq-var to a bitmask: 0x1 = IPv4, 0x2 = IPv6.
 * Only the first three characters are compared, case-insensitively,
 * and a missing value defaults to ip4. A return of 0 is "bad proto". */
static int nfq_daq_get_protos (const char* s)
{
    if ( !s || !strncasecmp(s, "ip4", 3) )
        return 0x1;

    if ( !strncasecmp(s, "ip6", 3) )
        return 0x2;

#if 0
    // doesn't look like both can be handled simultaneously
    if ( !strncasecmp(s, "ip*", 3) )
        return 0x3;
#endif
    return 0;
}

Based on the comment, it seems to be a known issue; however, the comment
conflicts with the documentation, so I'm unsure whether this is a bug or what. Is
there a way to make this work? Any idea how to implement this capability
using a work-around?

Thanks,
Daniel
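A pre-flight check for the failure described in this post, added here as an example; it is not part of the original message or of the DAQ project. It reproduces the acceptance rule of the quoted `nfq_daq_get_protos()` (first three characters compared case-insensitively, absent value defaults to ip4, `ip*` rejected) so a snort.conf can be validated before Snort is launched, and it produces the per-family pair of configs that the poster mentions as the working alternative. The second queue number (12) and the sample config are constructed for the example.

```python
import re

# Mirrors DAQ 2.0.6 nfq_daq_get_protos(): bitmask 0x1 = IPv4, 0x2 = IPv6,
# 0 = "bad proto". The "ip*" branch is #if 0'd out in the shipped source.
ACCEPTED = {"ip4": 0x1, "ip6": 0x2}

def nfq_get_protos(value):
    # A missing proto= daq-var (NULL in C) defaults to ip4.
    if value is None:
        return 0x1
    # strncasecmp(s, "ip4", 3): only the first three characters matter.
    return ACCEPTED.get(value[:3].lower(), 0)

# Matches lines such as "config daq_var: proto=ip*" from snort.conf.
DAQ_VAR = re.compile(r"^\s*config\s+daq_var:\s*(\w+)\s*=\s*(\S+)\s*$")

def parse_daq_vars(conf_text):
    found = {}
    for line in conf_text.splitlines():
        m = DAQ_VAR.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found

def check_nfq_proto(conf_text):
    """Return (bitmask, message); bitmask 0 means Snort would abort at DAQ init."""
    proto = parse_daq_vars(conf_text).get("proto")
    mask = nfq_get_protos(proto)
    if mask == 0:
        return 0, ("bad proto (%s): DAQ 2.0.6 accepts only ip4 or ip6; "
                   "run one Snort instance per address family" % proto)
    return mask, "ok: proto=%s" % (proto or "ip4 (default)")

def split_per_family(conf_text, ip6_queue):
    """Workaround: one config per family. ip4 keeps the original queue,
    ip6 gets ip6_queue (an assumed, separate NFQUEUE number)."""
    out = {}
    for family, queue in (("ip4", None), ("ip6", ip6_queue)):
        lines = []
        for line in conf_text.splitlines():
            m = DAQ_VAR.match(line)
            if m and m.group(1) == "proto":
                line = "config daq_var: proto=%s" % family
            elif m and m.group(1) == "queue" and queue is not None:
                line = "config daq_var: queue=%d" % queue
            lines.append(line)
        out[family] = "\n".join(lines) + "\n"
    return out

# Constructed sample: the poster's failing configuration.
SAMPLE_CONF = """config daq: nfq
config daq_dir: /usr/lib/daq/
config daq_mode: inline
config daq_var: queue=11
config daq_var: proto=ip*
"""

if __name__ == "__main__":
    print(check_nfq_proto(SAMPLE_CONF)[1])
    for family, text in split_per_family(SAMPLE_CONF, 12).items():
        print("--- %s ---\n%s" % (family, text))
```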