[Snort-users] Question for the Guru's

John Liss john at ...15436...
Mon Nov 14 13:42:20 EST 2011

On 11/14/2011 11:17 AM, carlopmart wrote:
> <snip>
>>> See daq docs about af-packet and nfq ...
>> If I may jump in here to forward the conversation, does anyone have an
>> opinion of which is better in-line, af-packet or nfq?
>> I am currently running Snort inline using af-packet (using Gentoo) and
>> NFQ was not originally available in the 2.9.x.x version.
>> -Bill
> Inline is a dead line ... To work with snort as an IPS you need to use
> af-packet or nfq. Better?? Depends on your needs, your network topology
> and your experience with snort.

Thanks for the reply guys!
Sounds like daq with af-packet makes a good test case for us.

Is there a good faq on which is better for af-packet or nfq?

Question:   using snort -D -daq afpacket -Q -c snort.conf -i eth1:eth2
Is snort doing the bridging using eth1:eth2 or do I still have to 
configure iptables to complete the bridge.  Reading the DAQ docs I'm 
still confused.


More information about the Snort-users mailing list