[Snort-devel] Snort inline packet acquisition

Kayvan Javid kayvan.javid at ...3040...
Wed Oct 21 11:31:39 EDT 2009


The only current method to capture packets with Snort in inline mode is
to use the ip_queue kernel module and set up an iptables redirect to the
QUEUE target.

The problem is that, since kernel 2.6.x was released, this module and packet
acquisition method have been deprecated in favor of the more flexible
nfnetlink_queue, which supports multiple queues etc.

The branched snort-inline project has had support for using nfqueue for
years. Why, even when Sourcefire integrated the inline functionality
from this branch, has support for this not been added?

Furthermore, even in the Snort 3 beta, the current DAQs do not allow
inline mode to operate on a single NIC like Snort 2 currently does, as
it only supports pcap, from file, or afpacket, which can only operate
over a bridge.

What options do I have if I do not want to use the deprecated ip_queue
module to get the inline functionality?

Thanks Kave
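The two netfilter hook-ups the post contrasts, written out as an added example (this is not code from the original post or from the Snort project). The script emits the modprobe/iptables commands rather than running them, so they can be reviewed and then piped to a root shell on a test box. The interface name, the queue count and the use of the FORWARD chain (a routed single-NIC sensor, not a bridge) are assumptions; a host-based sensor would use INPUT/OUTPUT instead.

```shell
#!/bin/sh
# Added example, not code from the original post or the Snort project.
# Emits the commands for the two netfilter hook-ups so they can be reviewed
# before running them as root, e.g.:  sh nfqueue_rules.sh eth0 4 | sudo sh
# Assumptions: the sensor routes traffic through one interface (argument 1)
# and the rules live in the FORWARD chain.

# Legacy path: ip_queue + the QUEUE target. There is exactly one queue and
# no way to name it, so only one user-space consumer can be attached.
legacy_ipqueue_rules() {
    iface="$1"
    echo "modprobe ip_queue"
    echo "iptables -A FORWARD -i $iface -j QUEUE"
    echo "iptables -A FORWARD -o $iface -j QUEUE"
}

# nfnetlink_queue path: the NFQUEUE target carries a queue number, and a
# range (--queue-balance) spreads packets over several queues so one
# consumer per queue can run in parallel.
nfqueue_rules() {
    iface="$1"
    queues="$2"
    last=$((queues - 1))
    echo "modprobe nfnetlink_queue"
    if [ "$queues" -gt 1 ]; then
        target="NFQUEUE --queue-balance 0:$last"
    else
        target="NFQUEUE --queue-num 0"
    fi
    echo "iptables -A FORWARD -i $iface -j $target"
    echo "iptables -A FORWARD -o $iface -j $target"
}

# Caveat to check on a live box: with either target the kernel drops every
# packet that hits the rule while no user-space process is bound to the
# queue (fail closed); later iptables releases add --queue-bypass to fail
# open instead. The kernel's status table lists each queue with its bound
# peer and queued/dropped counters, so a missing consumer shows up here.
show_queue_status() {
    status=/proc/net/netfilter/nfnetlink_queue
    [ -r "$status" ] || { echo "nfnetlink_queue not loaded or unreadable" >&2; return 1; }
    cat "$status"
}

# Only emit rules when an interface is given on the command line.
if [ "$#" -ge 1 ]; then
    nfqueue_rules "$1" "${2:-1}"
fi
```

Run with the interface and queue count as arguments; `show_queue_status` is for the sensor itself, after the consumer has started, to confirm a process is actually bound to each queue before traffic is sent through the rule.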
