[Snort-users] pcap DAQ does not support inline

Michael Altizer maltizer at ...1935...
Wed Apr 24 15:36:09 EDT 2013


You will not be able to use the AFPacket DAQ module in that scenario.  
The AFPacket DAQ module manually forwards packets completely unmodified 
back and forth across an interface pair (or pairs) when it is in inline 
mode (unless Snort modifies the packet).  This means there will be no 
routing decisions, MAC address updates, or TTL decrements involved.  
Also, if you're actively having the OS do the routing (or bridging), you 
will end up with duplicate packets being generated by the box.  AFPacket 
operates on copies of packets received on a given interface, and may 
then send out a packet based on that copy in inline mode if the packet 
was not dropped, all of which happens in parallel with any other 
processing the OS is doing with the original packet.

On 04/24/2013 03:11 PM, Joao Daniel Neves wrote:
> YM
> I'm a bit ashamed. What I can't understand is if I'm running Snort in a 
> router and eth0 and eth1 are being used to route packages, I will not 
> be able to use Snort inline mode with this scenario?
>
> I tried (on a test environment) and it doesn't seem to work.
>
> I think I may be doing something wrong.
>
> ------------------------------------------------------------------------
> To: joaodanielnevesss at ...125...
> CC: snort-users at lists.sourceforge.net
> From: snort at ...15979...
> Subject: RE: [Snort-users] pcap DAQ does not support inline
> Date: Wed, 24 Apr 2013 19:15:39 +0300
>
> eth0 and eth1 will be used by Snort only to pass traffic inline.
>
> The third interface I mentioned earlier; eth2 will be used for 
> management. In this case you will not be interfering with the traffic.
> ------------------------------------------------------------------------
> From: Joao Daniel Neves <mailto:joaodanielnevesss at ...125...>
> Sent: 4/24/2013 6:56 PM
> To: Y M <mailto:snort at ...15979...>
> Cc: snort-users at lists.sourceforge.net 
> <mailto:snort-users at lists.sourceforge.net>
> Subject: RE: [Snort-users] pcap DAQ does not support inline
>
> YM,
>
> But if this pair of interfaces is being used for normal traffic. Example:
>
> /usr/local/bin/snort --daq afpacket -Q -c /etc/snort/snort.conf -i 
> eth0:eth1
>
> if a database is listening on interface eth1, I can't access this 
> database. I can't access anything listening on eth0 and eth1.
>
> Will I need a pair of 'idle' interfaces?
>
>
>
> ------------------------------------------------------------------------
> To: joaodanielnevesss at ...125...
> CC: snort-users at lists.sourceforge.net
> From: snort at ...15979...
> Subject: RE: [Snort-users] pcap DAQ does not support inline
> Date: Wed, 24 Apr 2013 17:20:00 +0300
>
> The two interfaces will be used by Snort, you will need a third 
> interface for management, i.e.: ssh, database, etc.
>
> Also don't forget to set the daq mode, look for --daq-mode
>
> I haven't used ipfw, so i can't add on that.
>
> Please, when you reply, reply to the entire list, everybody benefits :)
> ------------------------------------------------------------------------
> From: Joao Daniel Neves <mailto:joaodanielnevesss at ...125...>
> Sent: 4/24/2013 4:28 PM
> To: Y M <mailto:snort at ...15979...>
> Subject: RE: [Snort-users] pcap DAQ does not support inline
>
> HI,
>
> YM,
>
> /usr/local/bin/snort --daq afpacket -Q -c /etc/snort/snort.conf -i 
> eth0:eth1
>
> I'm using this line to start snort. As I searched, afpacket needs two 
> interfaces:
>
> "In order to have an inline deployment you need at least one pair 
> of interfaces for the traffic to flow through. To that end, you need 
> to specify a second interface for AFPacket to use to complete the bridge."
>
> But for some reason when I used two interfaces things got weird. I 
> lost SSH access to snort. I think that the reason is because the 
> traffic flows through one interface to another. Do you have any clues 
> about this issue?
>
> My available daq modules are
>
> pcap(v3): readback live multi unpriv
> ipfw(v2): live inline multi unpriv
> dump(v1): readback live inline multi unpriv
> afpacket(v4): live inline multi unpriv
>
> Which module can I use to enable inline mode without needing to 
> specify two interfaces?
> I think that it would be ipfw, but as far as I know ipfw is for bsd 
> and I'm not using bsd.
>
> ------------------------------------------------------------------------
> To: joaodanielnevesss at ...125...; snort-users at lists.sourceforge.net
> From: snort at ...15979...
> Subject: RE: [Snort-users] pcap DAQ does not support inline
> Date: Mon, 22 Apr 2013 18:56:45 +0300
>
> pcap does not support inline mode, it is meant for passive mode only. 
> Instead, use afpacket for inline mode.
>
> To make sure it is installed, run Snort as
>
> snort --daq-list
>
> This will return a list of the installed daq modules.
> ------------------------------------------------------------------------
> From: Joao Daniel Neves <mailto:joaodanielnevesss at ...125...>
> Sent: 4/22/2013 6:47 PM
> To: snort-users at lists.sourceforge.net 
> <mailto:snort-users at lists.sourceforge.net>
> Subject: [Snort-users] pcap DAQ does not support inline
>
> Hi,
>
> I'm getting this error when running Snort in inline mode: "ERROR: pcap 
> DAQ does not support inline". I have searched on Google, but did not 
> get anything useful. The point is I don't even know why this is happening.
>
> What do you suggest?
>
> Some information for debugging:
>
> My daq dir is /usr/local/lib/daq
>
> ls /usr/local/lib/daq
> daq_afpacket.la
> daq_afpacket.so
> daq_dump.la
> daq_dump.so
> daq_ipfw.la
> daq_ipfw.so
> daq_pcap.la
> daq_pcap.so
>
> I tried to start Snort with
>
> /usr/local/bin/snort -Q -i eth1 --daq-dir /usr/local/lib/daq/ -c 
> /etc/snort/snort.conf
> /usr/local/bin/snort -Q -de --daq nfq --daq-dir /usr/local/lib/daq 
> -c /etc/snort/snort.conf
> /usr/local/bin/snort --daq pcap -Q -c /etc/snort/snort.conf -i eth0:eth1
> /usr/local/bin/snort -Q -c /etc/snort/snort.conf -i eth0:eth1
>
> None of them worked.
>
> Some more information
>
> /usr/lib/libpcap.a
> /usr/lib/libpcap.so
> /usr/lib/libpcap.so.0
> /usr/lib/libpcap.so.0.9
> /usr/lib/libpcap.so.0.9.4
> /usr/lib/libpcap.so.1
> /usr/lib/libpcap.so.1.3.0
> /usr/lib64/libpcap.so.0
> /usr/lib64/libpcap.so.0.9
> /usr/lib64/libpcap.so.0.9.4
> /usr/local/lib/libpcap.a
> /usr/local/lib/libpcap.so
> /usr/local/lib/libpcap.so.1
> /usr/local/lib/libpcap.so.1.3.0
> /usr/local/lib/daq/daq_pcap.la
> /usr/local/lib/daq/daq_pcap.so
>
> Maybe those multiple versions of pcap are causing the error?
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>
>

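The two checks that would have caught both problems in this thread before starting Snort: confirm that the chosen DAQ module actually lists the "inline" capability in `snort --daq-list` output (the original "pcap DAQ does not support inline" error), and confirm that neither interface of the afpacket pair carries an IP address, since afpacket bridges the pair unmodified and anything the OS serves or routes on those interfaces will either become unreachable or be duplicated, as Michael describes. The script below is an added example and not code from Snort or from anyone in the thread. It assumes the `snort --daq-list` line format shown above and the one-address-per-line format of `ip -o -4 addr show`; the DAQ list and interface address samples embedded in it are constructed for the demonstration, with eth1 carrying an address to mirror the poster's unreachable database.

```shell
#!/bin/sh
# Added example: pre-flight checks for a Snort afpacket inline pair.
# Not part of the Snort project; assumes the output formats named in the lead-in.

# Constructed sample in the format of `snort --daq-list`, as shown in the thread.
DAQ_LIST='pcap(v3): readback live multi unpriv
ipfw(v2): live inline multi unpriv
dump(v1): readback live inline multi unpriv
afpacket(v4): live inline multi unpriv'

# Constructed sample in the format of `ip -o -4 addr show` (documentation
# addresses): eth1 carries an address, eth0 carries none, eth2 is management.
IP_ADDR_OUT='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
3: eth1    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth1\       valid_lft forever preferred_lft forever
4: eth2    inet 198.51.100.5/24 brd 198.51.100.255 scope global eth2\       valid_lft forever preferred_lft forever'

# daq_supports_inline LIST MODULE: succeeds if MODULE's line lists "inline".
# The first field looks like "afpacket(v4):", so match on "MODULE(".
daq_supports_inline() {
    printf '%s\n' "$1" | awk -v mod="$2" '
        index($1, mod "(") == 1 { for (i = 2; i <= NF; i++) if ($i == "inline") found = 1 }
        END { exit found ? 0 : 1 }'
}

# iface_has_address ADDR_OUT IFACE: succeeds if IFACE has an IPv4 address.
# In `ip -o` output the interface name is the second field of each line.
iface_has_address() {
    printf '%s\n' "$1" | awk -v ifc="$2" '$2 == ifc { found = 1 } END { exit found ? 0 : 1 }'
}

# check_inline_pair LIST ADDR_OUT MODULE IFACE_A IFACE_B
# Prints one finding per check; exit status 0 only if every check passed.
check_inline_pair() {
    list=$1; addrs=$2; mod=$3; a=$4; b=$5; rc=0
    if daq_supports_inline "$list" "$mod"; then
        echo "ok: DAQ module '$mod' supports inline"
    else
        echo "fail: DAQ module '$mod' does not list 'inline'; snort -Q will refuse it"
        rc=1
    fi
    for ifc in "$a" "$b"; do
        if iface_has_address "$addrs" "$ifc"; then
            echo "warn: $ifc carries an IP address; services bound to it become unreachable once afpacket bridges it, and OS routing on it would duplicate packets"
            rc=1
        else
            echo "ok: $ifc has no IP address"
        fi
    done
    return $rc
}

# Demonstration on the constructed samples. On a real host, replace them with
# live output, e.g.:
#   check_inline_pair "$(snort --daq-list)" "$(ip -o -4 addr show)" afpacket eth0 eth1
check_inline_pair "$DAQ_LIST" "$IP_ADDR_OUT" afpacket eth0 eth1
```

With the sample data the pcap module is rejected and eth1 is flagged, which is exactly the pair of problems the poster hit; the management interface (eth2 in the sample) is never passed to the check because it is not part of the bridged pair.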