[Snort-users] PF_RING and DAQ compile (0.6.2, and 2.0.0)

Avery Rozar Avery.Rozar at ...16118...
Thu Jun 27 13:22:25 EDT 2013


In the /etc/sysconfig/snort file. To my knowledge the DAQ can not use a
bridge interface, just binding the two together. That’s how afpacket is
working for me anyway. It just errors out when trying to use pfring.

#### General Configuration
# Inline? Set to 1 if yes: Else, set to 0
QUEUE=1

# What interface should snort listen on?  [Pick only 1 of the next 3!]
# This is -i {interface} on the command line
# This is the snort.conf config interface: {interface} directive
INTERFACE=eth2:eth3






On 6/27/13 1:05 PM, "waldo kitty" <wkitty42 at ...14940...> wrote:

>On 6/27/2013 12:51, Avery Rozar wrote:
>> The original error was on a KVM VM. I was using eth1:eth2 and got that
>> error. I moved it to the host, and am now using eth2:eth3 and got the
>>same
>> error but it did state "eth2". I just copied the original error for the
>> post, that¹s why eth1 is in it. No matter what interface I use, I get
>>the
>> same error.
>
>ahhh... you are bridging eth2 and eth3?? doesn't that create another
>interface? 
>br1 or such? where and how are you specifying this eth2:eth3??
>
>> On 6/27/13 12:04 PM, "waldo kitty"<wkitty42 at ...14940...>  wrote:
>>
>>> On 6/27/2013 11:02, Avery Rozar wrote:
>>>> Thank you for your answer Tim, I can only assume that you answered my
>>>> first question on the Meteflows group. I'm getting an error "FATAL
>>>> ERROR:
>>>> Can't start DAQ (-1) - pfring_open(): unable to open device 'eth1'.
>>>> Please
>>>
>>> eth1...
>>>
>>>> use -i<device>!" when I try to start snort using pfring. I thought
>>>>maybe
>>>> is was due to the DAQ compile error. I moved snort off the VM, and on
>>>> the
>>>> physical host, and disabled selinux. I still get the same error. Would
>>>> it
>>>> be due to the default bnx2 driver, or pfring license issue? Any help
>>>>is
>>>> greatly appreciated.
>>>>
>>>>
>>>> ethtool -i eth2
>>>
>>> eth2...  not the same as above... why? ;)
>
>
>
>-- 
>NOTE: No off-list assistance is given without prior approval.
>       Please keep mailing list traffic on the list unless
>       private contact is specifically requested and granted.
>
>--------------------------------------------------------------------------
>----
>This SF.net email is sponsored by Windows:
>
>Build for Windows Store.
>
>http://p.sf.net/sfu/windows-dev2dev
>_______________________________________________
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>https://lists.sourceforge.net/lists/listinfo/snort-users
>Snort-users list archive:
>http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
>Please visit http://blog.snort.org to stay current on all the latest
>Snort news!



More information about the Snort-users mailing list