[Snort-devel] DAQ 2.0.2, NFQ - DAQ error when trying to start snort

Peter Fyon peter.fyon at ...2499...
Sat Oct 4 10:42:40 EDT 2014


Thanks Hui,

I removed the -i eth0 from my snort command line options and it started
without the warning. Not quite sure why the DAQ fails to load if you
specify an interface for snort since, as I found by commenting out that
chunk of code, it looks like the DAQ options override the snort ones.

Peter

On Tue, Sep 30, 2014 at 2:52 PM, Hui Cao (huica) <huica at ...3461...> wrote:

>  Hi Peter,
>
>  The code is to check whether you have configured the interface.  NFQ
> will not allow interface. So I guess you have specified interface in your
> configuration.
>
>  Best,
> Hui.
>
>   From: Peter Fyon <peter.fyon at ...2499...>
> Date: Sunday, September 28, 2014 at 3:09 PM
> To: "snort-devel at lists.sourceforge.net" <snort-devel at lists.sourceforge.net
> >
> Subject: [Snort-devel] DAQ 2.0.2, NFQ - DAQ error when trying to start
> snort
>
>   Hi Snort-devel,
>
>  While trying to enable active defense on my snort setup (single
> interface on a SPAN port), I ran into this error:
>
>  The nfq DAQ module does not support interface or readback mode!
>
>  My C's a bit rusty, but looking at the code (see diff at the bottom) it
> seems like it just checks to see if the DAQ_Config_t name is set and fails
> out if so. I can't see the commit log so I don't know why this block of
> code was added, but everything works fine after commenting it out and
> recompiling. Did I just work around something that I shouldn't have?
>
>  daq_nfq.c
>  200,204c200,204
>   <     if(cfg->name && *(cfg->name))
> <     {
> <         snprintf(errBuf, errMax, "The nfq DAQ module does not support
> interface or readback mode!");
> <         return DAQ_ERROR_INVAL;
> <     }
> ---
> > //    if(cfg->name && *(cfg->name))
> > //    {
> > //        snprintf(errBuf, errMax, "The nfq DAQ module does not support
> interface or readback mode!");
> > //        return DAQ_ERROR_INVAL;
> > //    }
>
>
>  Peter
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20141004/e5d00143/attachment.html>


More information about the Snort-devel mailing list