[Snort-users] Question for the Guru's

John Liss john at ...15436...
Wed Nov 16 18:02:40 EST 2011


<snip>
>> Yes Snort does the bridging.
>> You do not create a bridge as daq does that for you. I simply (after
>> asking the same question) added this into snort.conf:
>>
>> config daq: afpacket
>> config daq_dir: /usr/lib64/daq
>> config daq_mode: inline
>> config daq_var: buffer_size_mb=256
>> Where you spec eth0:eth1 ( or whatever) can be distro specific.
>>
>> I would imagine using NFQ would offer more control via iptables but have
>> yet to push down that road. Af-packet works well.
>>
>> -Bill
> Thanks Bill!  I'm off in the right direction!
> -John

Thanks again Bill for the boot in the right direction!
Ubuntu 10.04 LTS is working great with 2.9.1.2 using afpacket.

Drops packets wonderfully where told to do so : ]]
I guess someone needs (possibly me) to toss something to the 
snort-team at ...1935... for a inline config doc.

-John





More information about the Snort-users mailing list