[Snort-users] Question for the Guru's

John Liss john at ...15436...
Mon Nov 14 14:18:08 EST 2011


On 11/14/2011 12:07 PM, NA wrote:
> On 11/14/11 10:42 AM, John Liss wrote:
>> On 11/14/2011 11:17 AM, carlopmart wrote:
>>> <snip>
>>>>> See daq docs about af-packet and nfq ...
>>>> If I may jump in here to forward the conversation, does anyone have an
>>>> opinion of which is better in-line, af-packet or nfq?
>>>> I am currently running Snort inline using af-packet (using Gentoo) and
>>>> NFQ was not originally available in the 2.9.x.x version.
>>>> -Bill
>>>>
>>> Inline is a dead line ... To work with snort as an IPS you need to use
>>> af-packet or nfq. Better?? Depends on your needs, your network topology
>>> and your experience with snort.
>>>
>> Thanks for the reply guys!
>> Sounds like daq with af-packet makes a good test case for us.
>>
>> Is there a good faq on which is better for af-packet or nfq?
>>
>> Question:   using snort -D -daq afpacket -Q -c snort.conf -i eth1:eth2
>> Is snort doing the bridging using eth1:eth2 or do I still have to
>> configure iptables to complete the bridge.  Reading the DAQ docs I'm
>> still confused.
>>
>> -John
>
> Yes Snort does the bridging.
> You do not create a bridge as daq does that for you. I simply (after
> asking the same question) added this into snort.conf:
>
> config daq: afpacket
> config daq_dir: /usr/lib64/daq
> config daq_mode: inline
> config daq_var: buffer_size_mb=256
> Where you spec eth0:eth1 ( or whatever) can be distro specific.
>
> I would imagine using NFQ would offer more control via iptables but have
> yet to push down that road. Af-packet works well.
>
> -Bill

Thanks Bill!  I'm off in the right direction!
-John
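A small checker for the point Bill settles above (afpacket inline with an interface pair is the bridge, no iptables bridge needed), added here as an example and not code from the thread or from Snort. It parses the `config daq*` lines of a snort.conf fragment (constructed to mirror Bill's) together with the `-i` and `-Q` arguments John used, and reports when the DAQ, mode and interface spec do not fit together. The `::` separator between several afpacket pairs is assumed from the DAQ README, not from the thread.

```python
import re
from typing import Dict, List

# Constructed snort.conf fragment mirroring the afpacket inline settings from the thread.
SNORT_CONF = """\
config daq: afpacket
config daq_dir: /usr/lib64/daq
config daq_mode: inline
config daq_var: buffer_size_mb=256
"""


def parse_daq_config(conf_text: str) -> Dict[str, object]:
    """Collect the 'config daq*' directives; daq_var may repeat, so it is kept as a list."""
    settings: Dict[str, object] = {"daq_var": []}
    for line in conf_text.splitlines():
        m = re.match(r"\s*config\s+(daq(?:_dir|_mode|_var)?)\s*:\s*(.+?)\s*$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "daq_var":
            settings["daq_var"].append(value)
        else:
            settings[key] = value
    return settings


def check_inline(conf_text: str, interface_arg: str, q_flag: bool) -> List[str]:
    """Return findings for an inline deployment; an empty list means the pieces fit.

    interface_arg is the value given to -i, q_flag is True when -Q is on the command line.
    """
    cfg = parse_daq_config(conf_text)
    daq = cfg.get("daq", "pcap")  # Snort's default DAQ is pcap, which is passive only
    mode = "inline" if q_flag else cfg.get("daq_mode", "passive")
    findings: List[str] = []
    if mode != "inline":
        findings.append("not inline: neither -Q nor 'config daq_mode: inline' is set")
        return findings
    if daq == "afpacket":
        # afpacket inline bridges each a:b pair itself; several pairs are joined with '::' (assumed)
        pairs = interface_arg.split("::") if interface_arg else []
        if not pairs or any(p.count(":") != 1 or "" in p.split(":") for p in pairs):
            findings.append("afpacket inline needs interface pairs like eth1:eth2; "
                            "Snort bridges the pair, no iptables bridge is required")
    elif daq == "nfq":
        if ":" in interface_arg:
            findings.append("nfq does not bridge interface pairs; packets reach Snort "
                            "through an iptables NFQUEUE rule instead")
    else:
        findings.append(f"daq '{daq}' cannot run inline; use afpacket or nfq")
    return findings
```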
