[Snort-users] Question for the Guru's

NA dustypath at ...5068...
Mon Nov 14 14:07:24 EST 2011


On 11/14/11 10:42 AM, John Liss wrote:
> On 11/14/2011 11:17 AM, carlopmart wrote:
>> <snip>
>>>> See daq docs about af-packet and nfq ...
>>> If I may jump in here to forward the conversation, does anyone have an
>>> opinion of which is better in-line, af-packet or nfq?
>>> I am currently running Snort inline using af-packet (using Gentoo) and
>>> NFQ was not originally available in the 2.9.x.x version.
>>> -Bill
>>>
>> Inline is a dead line ... To work with snort as an IPS you need to use
>> af-packet or nfq. Better?? Depends on your needs, your network topology
>> and your experience with snort.
>>
> Thanks for the reply guys!
> Sounds like daq with af-packet makes a good test case for us.
>
> Is there a good faq on which is better for af-packet or nfq?
>
> Question:   using snort -D -daq afpacket -Q -c snort.conf -i eth1:eth2
> Is snort doing the bridging using eth1:eth2 or do I still have to 
> configure iptables to complete the bridge.  Reading the DAQ docs I'm 
> still confused.
>
> -John


Yes, Snort does the bridging.
You do not create a bridge, as DAQ does that for you. I simply (after
asking the same question) added this into snort.conf:

config daq: afpacket
config daq_dir: /usr/lib64/daq
config daq_mode: inline
config daq_var: buffer_size_mb=256
Where you specify eth0:eth1 (or whatever) can be distro-specific.

I would imagine using NFQ would offer more control via iptables but have
yet to push down that road. Af-packet works well.

-Bill
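As an added example (not part of the thread or of Snort/DAQ itself), a small POSIX shell helper that checks a snort.conf for the afpacket/inline settings listed above, confirms neither interface of the pair is already a port of a kernel bridge (the DAQ does the bridging, so a kernel bridge would forward traffic around Snort), and builds the matching command line. The config path, sysfs root and interface names are assumptions.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: sanity checks for an
# afpacket inline pair before starting Snort as an IPS.

# Print the value of "config <key>: <value>" from a snort.conf (first match).
# $1 = path to snort.conf, $2 = key such as daq or daq_mode
daq_setting() {
    sed -n "s/^[[:space:]]*config[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# Return 0 only if the conf selects the afpacket DAQ in inline mode,
# i.e. the two lines Bill's snort.conf snippet relies on are present.
conf_is_afpacket_inline() {
    [ "$(daq_setting "$1" daq)" = "afpacket" ] &&
        [ "$(daq_setting "$1" daq_mode)" = "inline" ]
}

# Return 0 if interface $1 is NOT a bridge port. A bridge port shows up as
# <sysfs root>/<iface>/brport; $2 overrides the root (default /sys/class/net)
# so the check can be exercised against a constructed directory tree.
not_bridge_port() {
    [ ! -e "${2:-/sys/class/net}/$1/brport" ]
}

# Build the command line for the inline pair. Snort takes the DAQ options
# with double dashes; -Q turns on inline operation, -i a:b names the pair.
# $1 = snort.conf path, $2 = first interface, $3 = second interface
snort_inline_cmd() {
    printf 'snort -Q -c %s --daq afpacket --daq-mode inline -i %s:%s\n' \
        "$1" "$2" "$3"
}

# Run all checks for a pair and print the command to start Snort.
# Exits non-zero with a reason when a check fails.
check_inline_pair() {
    conf="$1"; a="$2"; b="$3"
    conf_is_afpacket_inline "$conf" ||
        { echo "$conf: need 'config daq: afpacket' and 'config daq_mode: inline'" >&2; return 1; }
    for i in "$a" "$b"; do
        not_bridge_port "$i" ||
            { echo "$i is a kernel bridge port; remove it, the DAQ bridges the pair" >&2; return 1; }
    done
    snort_inline_cmd "$conf" "$a" "$b"
}
```

Run it as `check_inline_pair /etc/snort/snort.conf eth1 eth2`; the interfaces only need to be up, without addresses, for the DAQ to pass traffic between them.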
