[Snort-users] From IDS to IPS

James Lay jlay at ...13475...
Mon Apr 7 11:19:44 EDT 2014


I've converted from IDS to IPS on a Slackware box, so I thought I'd 
share how to get nfq working:

Install the below lib/dev:
libmnl
libnfnetlink
libnetfilter_queue
recompile libdnet
recompile daq
recompile snort

Specific to Slackware, I had to compile the lib* from source with:

./configure --prefix=/usr --libdir=/usr/lib64

Regardless of distro (I got this working with Ubuntu as well), 
recompiling libdnet AFTER installing the new lib* packages above is the 
secret to getting snort to see nfq....even though daq ./configure may 
show you have everything:

Build AFPacket DAQ module.. : yes
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : yes
Build NFQ DAQ module....... : yes
Build PCAP DAQ module...... : yes

If you don't recompile libdnet after installing new libmnl, 
libnfnetlink, and libnetfilter_queue, snort itself will not see nfq:

Available DAQ modules:
pcap(v3): readback live multi unpriv
nfq(v7): live inline multi
ipq(v6): live inline multi
ipfw(v3): live inline multi unpriv
dump(v2): readback live inline multi unpriv
afpacket(v5): live inline multi unpriv

Hope this will help those trying to get inline to work.  Also keep in 
mind that ipq is no longer supported with Ubuntu 13 and above.

James
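
Added example (not part of the original post, and not Snort project code): a small shell check for the mismatch described above, where the DAQ ./configure summary reports a module as built but snort's own module list does not show it. The function names are hypothetical, and the "broken" module list is constructed by dropping the nfq line from the list quoted in the post.

```shell
#!/bin/sh
# Added example, not from the original post. Sample text is built from the
# output shapes quoted in the post; LIST_BROKEN is constructed.

# Modules the DAQ ./configure summary (stdin) reports as built, lowercased.
# Line shape: "Build NFQ DAQ module....... : yes"
daq_built_modules() {
    awk '$1 == "Build" && $3 == "DAQ" && $NF == "yes" { print tolower($2) }'
}

# Modules snort lists (stdin), rewritten as "name capabilities...".
# Line shape: "nfq(v7): live inline multi"
snort_visible_modules() {
    sed -n 's/^[[:space:]]*\([a-z0-9_]*\)(v[0-9]*):[[:space:]]*\(.*\)$/\1 \2/p'
}

# Print modules DAQ built that snort does not list.
# $1 = configure summary text, $2 = snort module list text
daq_unseen_modules() {
    visible=$(printf '%s\n' "$2" | snort_visible_modules | cut -d' ' -f1)
    for m in $(printf '%s\n' "$1" | daq_built_modules); do
        printf '%s\n' "$visible" | grep -qx "$m" || printf '%s\n' "$m"
    done
}

# Exit 0 only if module $1 appears in list text $2 with the "inline" capability.
daq_supports_inline() {
    printf '%s\n' "$2" | snort_visible_modules |
        awk -v m="$1" '$1 == m { for (i = 2; i <= NF; i++) if ($i == "inline") ok = 1 }
                       END { exit (ok ? 0 : 1) }'
}

CONFIGURE_SUMMARY='Build AFPacket DAQ module.. : yes
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : yes
Build NFQ DAQ module....... : yes
Build PCAP DAQ module...... : yes'
LIST_FIXED='Available DAQ modules:
pcap(v3): readback live multi unpriv
nfq(v7): live inline multi
ipq(v6): live inline multi
ipfw(v3): live inline multi unpriv
dump(v2): readback live inline multi unpriv
afpacket(v5): live inline multi unpriv'
LIST_BROKEN=$(printf '%s\n' "$LIST_FIXED" | grep -v '^nfq')

echo "built but not seen by snort: $(daq_unseen_modules "$CONFIGURE_SUMMARY" "$LIST_BROKEN")"
daq_supports_inline nfq "$LIST_FIXED" && echo "nfq is visible and inline-capable"
```

On a live box, pass the saved ./configure summary and the output of `snort --daq-list` in place of the sample variables.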




