[Snort-devel] AFPACKET Inline mode: dropping does not work

Oleg Gvozdev jktu17 at ...2499...
Tue May 21 05:12:44 EDT 2013


I have a problem with IPS mode.

I wonder how afpacket can drop/block traffic.

1. I saw daq-1.1.1/xxx/daq_afpacket.c : daq_acquire() uses a raw socket and
the kernel rx_ring to receive ethernet data.
2. On each packet the snort callback is called, and if the verdict after the callback is
PASS, then daq uses sendto() to send the packet on the interface; else, if the verdict
is DROP, then nothing is sent.
3. I commented out the sendto call in daq so no traffic would be sent, but ICMP
pings for example go through snort as if snort was disabled.

So - I can not see how dropping can be done by daq: using only raw sockets
I think is not enough?
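A check worth running on a host showing this symptom (added example, not part of the original thread): if either interface of the inline pair is enslaved to a Linux bridge, or the host routes between them with ip_forward=1, the kernel copies frames on its own and the DAQ's sendto() is not the only forwarding path, so traffic keeps flowing whatever verdict Snort returns. Interface names eth0/eth1 and the optional SYSROOT argument (so the check can be exercised against a fake sysfs tree) are assumptions of this example.

```shell
#!/bin/sh
# Added example: look for kernel-side forwarding paths that bypass an
# afpacket inline pair. Returns 0 when none is found, 1 when one is.
# Usage: inline_bypass_check IFACE_A IFACE_B [SYSROOT]
# SYSROOT (hypothetical parameter) defaults to "", i.e. the real /sys and /proc.
inline_bypass_check() {
    a="$1"; b="$2"; root="${3:-}"
    found=0
    for ifc in "$a" "$b"; do
        # /sys/class/net/<iface>/brport exists only while the NIC is a bridge port;
        # brport/bridge is a symlink to the bridge device it belongs to.
        if [ -d "$root/sys/class/net/$ifc/brport" ]; then
            if link=$(readlink -f "$root/sys/class/net/$ifc/brport/bridge" 2>/dev/null); then
                echo "bypass: $ifc is a port of bridge $(basename "$link")"
            else
                echo "bypass: $ifc is a bridge port"
            fi
            found=1
        fi
    done
    # With ip_forward=1 the kernel can route between the two NICs itself,
    # independently of anything the DAQ does or does not send.
    fwd="$root/proc/sys/net/ipv4/ip_forward"
    if [ -r "$fwd" ] && [ "$(cat "$fwd")" = "1" ]; then
        echo "bypass: net.ipv4.ip_forward=1, kernel can route between $a and $b"
        found=1
    fi
    [ "$found" -eq 0 ] && echo "ok: only the DAQ copies frames between $a and $b"
    return "$found"
}
```

Run it as root on the sensor with the two inline interface names; any "bypass:" line explains pings passing with sendto() removed.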