[Snort-users] Question for the Guru's

Joel Esler jesler at ...1935...
Thu Nov 17 09:52:39 EST 2011


We would welcome any in-line documentation someone would like to provide.

We currently just don't have the time to be able to sit down and write it.

Sent from my iPhone

On Nov 16, 2011, at 6:02 PM, John Liss <john at ...15436...> wrote:

> <snip>
>>> Yes Snort does the bridging.
>>> You do not create a bridge as daq does that for you. I simply (after
>>> asking the same question) added this into snort.conf:
>>> 
>>> config daq: afpacket
>>> config daq_dir: /usr/lib64/daq
>>> config daq_mode: inline
>>> config daq_var: buffer_size_mb=256
>>> Where you spec eth0:eth1 ( or whatever) can be distro specific.
>>> 
>>> I would imagine using NFQ would offer more control via iptables but have
>>> yet to push down that road. Af-packet works well.
>>> 
>>> -Bill
>> Thanks Bill!  I'm off in the right direction!
>> -John
> 
> Thanks again Bill for the boot in the right direction!
> Ubuntu 10.04 LTS is working great with 2.9.1.2 using afpacket.
> 
> Drops packets wonderfully where told to do so : ]]
> I guess someone needs (possibly me) to toss something to the 
> snort-team at ...1935... for an inline config doc.
> 
> -John
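
An added example, not part of the original thread and not Snort project code: a small shell lint that checks a snort.conf for the afpacket inline directives quoted above and checks that the interface spec is a pair such as eth0:eth1. The function names and sample files are constructed for illustration, and the check assumes a single interface pair.

```shell
#!/bin/sh
# Added example: lint snort.conf and the interface spec for afpacket inline mode.
# Print the value of a "config <key>: <value>" directive (last one wins).
conf_value() {
    sed -n "s/^[[:space:]]*config[[:space:]]\{1,\}$2[[:space:]]*:[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//' | tail -n 1
}

# check_inline_daq <snort.conf> <interface spec>
# Prints "ok" or the reason for failure; returns non-zero on a problem.
check_inline_daq() {
    conf=$1 ifspec=$2
    daq=$(conf_value "$conf" daq)
    mode=$(conf_value "$conf" daq_mode)
    [ "$daq" = "afpacket" ] || { echo "daq is '${daq:-unset}', not afpacket"; return 1; }
    # Outside inline mode Snort only observes traffic, so drop rules cannot block.
    [ "$mode" = "inline" ] || { echo "daq_mode is '${mode:-unset}', not inline"; return 1; }
    # afpacket bridges two interfaces, so this check expects exactly one a:b pair.
    case $ifspec in
        *:*:* | :* | *: ) pair=no ;;
        *:*) pair=yes ;;
        *) pair=no ;;
    esac
    [ "$pair" = yes ] || { echo "interface spec '$ifspec' is not a single a:b pair"; return 1; }
    [ "${ifspec%%:*}" != "${ifspec#*:}" ] || { echo "both sides of the pair are ${ifspec%%:*}"; return 1; }
    echo ok
}

# Constructed sample: the directives quoted in the thread, plus a passive variant.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/inline.conf" <<'EOF'
config daq: afpacket
config daq_dir: /usr/lib64/daq
config daq_mode: inline
config daq_var: buffer_size_mb=256
EOF
sed 's/^config daq_mode:.*/config daq_mode: passive/' "$tmp/inline.conf" > "$tmp/passive.conf"

check_inline_daq "$tmp/inline.conf" eth0:eth1
check_inline_daq "$tmp/passive.conf" eth0:eth1 || true
check_inline_daq "$tmp/inline.conf" eth0 || true
```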
