[Snort-devel] DAQ 2.0.2, NFQ - DAQ error when trying to start snort

Russ Combs (rucombs) rucombs at ...3461...
Sat Oct 4 16:00:25 EDT 2014


________________________________
From: Peter Fyon [peter.fyon at ...2499...]
Sent: Saturday, October 04, 2014 10:42 AM
To: Hui Cao (huica)
Cc: snort-devel at lists.sourceforge.net
Subject: Re: [Snort-devel] DAQ 2.0.2, NFQ - DAQ error when trying to start snort

Thanks Hui,

I removed the -i eth0 from my snort command line options and it started without the warning. Not quite sure why the DAQ fails to load if you specify an interface for snort since, as I found by commenting out that chunk of code, it looks like the DAQ options override the snort ones.

* The NFQ DAQ gets packets via iptables, not directly from an interface.  Snort could just ignore the -i option in that case, but it errs on the side of letting you know when something fundamentally won't work as configured.

Peter

On Tue, Sep 30, 2014 at 2:52 PM, Hui Cao (huica) <huica at ...3461...> wrote:
Hi Peter,

The code is to check whether you have configured the interface. NFQ will not allow an interface. So I guess you have specified an interface in your configuration.

Best,
Hui.

From: Peter Fyon <peter.fyon at ...2499...>
Date: Sunday, September 28, 2014 at 3:09 PM
To: "snort-devel at lists.sourceforge.net" <snort-devel at lists.sourceforge.net>
Subject: [Snort-devel] DAQ 2.0.2, NFQ - DAQ error when trying to start snort

Hi Snort-devel,

While trying to enable active defense on my snort setup (single interface on a SPAN port), I ran into this error:

The nfq DAQ module does not support interface or readback mode!

My C's a bit rusty, but looking at the code (see diff at the bottom) it seems like it just checks to see if the DAQ_Config_t name is set and fails out if so. I can't see the commit log so I don't know why this block of code was added, but everything works fine after commenting it out and recompiling. Did I just work around something that I shouldn't have?

daq_nfq.c
200,204c200,204
<     if(cfg->name && *(cfg->name))
<     {
<         snprintf(errBuf, errMax, "The nfq DAQ module does not support interface or readback mode!");
<         return DAQ_ERROR_INVAL;
<     }
---
> //    if(cfg->name && *(cfg->name))
> //    {
> //        snprintf(errBuf, errMax, "The nfq DAQ module does not support interface or readback mode!");
> //        return DAQ_ERROR_INVAL;
> //    }
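
Review bot: commenting out the cfg->name check at lines 200-204 of daq_nfq.c removes the only point where a configured interface name is rejected, so the module would accept a name it never uses, since NFQ takes its packets from iptables rather than from an interface. Keep the check and drop -i from the snort command line instead. If the check really is to go, delete the five lines outright rather than leaving them as // comments, and say in the change description why the name is now ignored.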


Peter
