[Snort-devel] AFPACKET Inline mode: dropping do not work

Russ Combs rcombs at ...402...
Tue May 21 08:12:44 EDT 2013


Suggest starting with double checking your configuration.  Did you
bridge the interfaces?

On Tue, May 21, 2013 at 5:12 AM, Oleg Gvozdev <jktu17 at ...2499...> wrote:
> I have a problem with IPS mode.
>
> I wonder how afpacket can drop/block traffic.
>
> 1. I saw daq-1.1.1/xxx/daq_afpacket.c : daq_acquire() use raw socket and
> kernel rx_ring to receive ethernet data.
> 2. On each packet snort callback is called and if verdict after callback is
> PASS, then daq use sendto() to send packet on interface; else, if verdict is
> DROP, then nothing is sent.
> 3. I commented out the sendto() call in daq so no traffic will be sent, but ICMP
> pings for example go through snort as if snort was disabled.
>
> So I cannot see how dropping can be done by daq: using only raw sockets, I
> think, is not enough?
>
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!

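The mechanism Oleg describes is the whole of it: afpacket inline mode is a user-space bridge between two raw sockets, and a DROP verdict just means the frame is never copied to the peer interface. The added example below (written for this page, not the DAQ's own code) makes that visible as a minimal two-interface AF_PACKET bridge with a stand-in verdict callback that drops IPv4 ICMP echo requests. Interface names eth0/eth1, the test frames, and the toy policy are assumptions; the socket calls (socket(AF_PACKET, SOCK_RAW, ...), bind to an ifindex, recvfrom, sendto) are the standard Linux API.

```c
/* Added example, not the DAQ's code: a two-interface AF_PACKET bridge that
 * shows where a DROP verdict takes effect.  A frame read on one interface is
 * written to the peer with sendto() only when the verdict is PASS; a dropped
 * frame is simply never written.  This only blocks traffic when the two
 * interfaces are joined by nothing but this process (no kernel bridge, no
 * IP forwarding between them).  Interface names eth0/eth1 are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum verdict { VERDICT_PASS = 0, VERDICT_DROP = 1 };

#define ETH_HDR_LEN 14
#define ETHERTYPE_IPV4 0x0800
#define IP_PROTO_ICMP 1
#define ICMP_ECHO_REQUEST 8

/* Stand-in for Snort's packet callback: drop IPv4 ICMP echo requests and
 * pass everything else.  Anything malformed or too short is passed. */
enum verdict verdict_for_frame(const uint8_t *frame, size_t len)
{
    if (len < ETH_HDR_LEN + 20)
        return VERDICT_PASS;
    uint16_t ethertype = (uint16_t)((frame[12] << 8) | frame[13]);
    if (ethertype != ETHERTYPE_IPV4)
        return VERDICT_PASS;
    const uint8_t *ip = frame + ETH_HDR_LEN;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < ETH_HDR_LEN + ihl + 1)
        return VERDICT_PASS;
    if (ip[9] != IP_PROTO_ICMP)
        return VERDICT_PASS;
    return ip[ihl] == ICMP_ECHO_REQUEST ? VERDICT_DROP : VERDICT_PASS;
}

/* Constructed test frame: Ethernet + minimal IPv4 header + 8 bytes of L4
 * (checksums left zero; the verdict function does not check them). */
size_t build_ipv4_frame(uint8_t *buf, size_t cap, uint8_t proto, uint8_t l4_first)
{
    static const uint8_t eth[ETH_HDR_LEN] = {
        0x02,0,0,0,0,1, 0x02,0,0,0,0,2, 0x08,0x00 };
    static const uint8_t ip[20] = {
        0x45,0,0,28, 0,0,0x40,0, 64,0,0,0, 10,0,0,1, 10,0,0,2 };
    if (cap < ETH_HDR_LEN + 28) return 0;
    memcpy(buf, eth, ETH_HDR_LEN);
    memcpy(buf + ETH_HDR_LEN, ip, 20);
    buf[ETH_HDR_LEN + 9] = proto;           /* protocol field of the IPv4 header */
    memset(buf + ETH_HDR_LEN + 20, 0, 8);
    buf[ETH_HDR_LEN + 20] = l4_first;       /* ICMP type when proto == 1 */
    return ETH_HDR_LEN + 28;
}

/* Check the policy on a constructed frame without any sockets. */
enum verdict verdict_for_constructed(uint8_t proto, uint8_t l4_first)
{
    uint8_t f[64];
    size_t n = build_ipv4_frame(f, sizeof f, proto, l4_first);
    return verdict_for_frame(f, n);
}

#ifdef __linux__
#include <sys/socket.h>
#include <linux/if_packet.h>
#include <linux/if_ether.h>
#include <net/if.h>
#include <arpa/inet.h>
#include <poll.h>
#include <unistd.h>

/* One raw socket bound to one interface: ETH_P_ALL sees every frame, and
 * bind() to the ifindex scopes both receive and sendto() to that interface. */
static int open_raw(const char *ifname, struct sockaddr_ll *addr)
{
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) { perror("socket"); return -1; }
    memset(addr, 0, sizeof *addr);
    addr->sll_family = AF_PACKET;
    addr->sll_protocol = htons(ETH_P_ALL);
    addr->sll_ifindex = (int)if_nametoindex(ifname);
    if (addr->sll_ifindex == 0 || bind(fd, (struct sockaddr *)addr, sizeof *addr) < 0) {
        perror(ifname); close(fd); return -1;
    }
    return fd;
}

/* Relay one frame in_fd -> out_fd unless the verdict is DROP.
 * Returns bytes forwarded, 0 when dropped or skipped, -1 on error. */
static ssize_t relay_one(int in_fd, int out_fd, struct sockaddr_ll *out, uint8_t *buf, size_t cap)
{
    struct sockaddr_ll from; socklen_t fl = sizeof from;
    ssize_t n = recvfrom(in_fd, buf, cap, 0, (struct sockaddr *)&from, &fl);
    if (n <= 0) return -1;
    if (from.sll_pkttype == PACKET_OUTGOING) return 0;   /* our own sendto() echoed back */
    if (verdict_for_frame(buf, (size_t)n) == VERDICT_DROP) return 0;  /* the "drop": no sendto() */
    return sendto(out_fd, buf, (size_t)n, 0, (struct sockaddr *)out, sizeof *out);
}

int main(int argc, char **argv)
{
    const char *a = argc > 1 ? argv[1] : "eth0";   /* assumed interface names */
    const char *b = argc > 2 ? argv[2] : "eth1";
    struct sockaddr_ll aa, ba;
    int fa = open_raw(a, &aa), fb = open_raw(b, &ba);
    if (fa < 0 || fb < 0) return 1;
    static uint8_t buf[65536];
    struct pollfd p[2] = { { fa, POLLIN, 0 }, { fb, POLLIN, 0 } };
    for (;;) {                                       /* bridge both directions */
        if (poll(p, 2, -1) < 0) { perror("poll"); return 1; }
        if (p[0].revents & POLLIN) relay_one(fa, fb, &ba, buf, sizeof buf);
        if (p[1].revents & POLLIN) relay_one(fb, fa, &aa, buf, sizeof buf);
    }
}
#else
int main(void) { puts("AF_PACKET is Linux-only; the verdict logic above still compiles."); return 0; }
#endif
```

Run as root with the two interfaces of the inline pair (the same pair you would give Snort's afpacket DAQ in inline mode) and an echo request entering one side never leaves the other. If pings still cross with sendto() commented out, as in Oleg's experiment, nothing in this path is carrying them: the kernel is (a bridge containing both interfaces, IP addresses plus ip_forward, or the interfaces simply not being the only path between the hosts), which is exactly the configuration check Russ suggests.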


