[Snort-users] From IDS to IPS

Teo En Ming teo.en.ming at ...11827...
Mon Apr 7 12:31:31 EDT 2014


Dear James,

May I know what nfq is?

After reading through your email, I still have no idea how to go about
converting Snort from IDS to IPS.

Could you write a more detailed manual, covering every single step along
the way?

Teo En Ming


On Mon, Apr 7, 2014 at 11:19 PM, James Lay <jlay at ...13475...> wrote:

> I've converted from IDS to IPS on a Slackware box, so I thought I'd
> share how to get nfq working:
>
> install the below lib/dev
> libmnl
> libnfnetlink
> libnetfilter_queue
> recompile libdnet
> recompile daq
> recompile snort
>
> Specific to Slackware, I had to compile the lib* from source with:
>
> ./configure --prefix=/usr --libdir=/usr/lib64
>
> Regardless of distro (I got this working with Ubuntu as well),
> recompiling libdnet AFTER installing the new lib* packages above is the
> secret to getting Snort to see nfq... even though daq ./configure may
> show you have everything:
>
> Build AFPacket DAQ module.. : yes
> Build Dump DAQ module...... : yes
> Build IPFW DAQ module...... : yes
> Build IPQ DAQ module....... : yes
> Build NFQ DAQ module....... : yes
> Build PCAP DAQ module...... : yes
>
> If you don't recompile libdnet after installing new libmnl,
> libnfnetlink, and libnetfilter_queue, Snort itself will not see nfq:
>
> Available DAQ modules:
> pcap(v3): readback live multi unpriv
> nfq(v7): live inline multi
> ipq(v6): live inline multi
> ipfw(v3): live inline multi unpriv
> dump(v2): readback live inline multi unpriv
> afpacket(v5): live inline multi unpriv
>
> Hope this will help those trying to get inline to work.  Also keep in
> mind that ipq is no longer supported with Ubuntu 13 and above.
>
> James
>
>
>
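Added example (not part of the original e-mails, and not Snort or DAQ project code): a check to run after the rebuild steps James lists, which parses a "snort --daq-list" style listing and reports whether Snort actually sees nfq as an inline-capable module. The helper name daq_inline_status and both sample listings are constructed for illustration, in the format quoted in the post.

```shell
#!/bin/sh
# Added example: classify a DAQ module from `snort --daq-list` style output.
# daq_inline_status is a hypothetical helper name, not part of Snort or DAQ.

# Reads the listing on stdin and prints one of:
#   inline   module is listed and advertises the "inline" capability
#   passive  module is listed but cannot run inline
#   missing  module is not listed at all (Snort does not see it)
daq_inline_status() {
    awk -v want="$1" '
        # Module lines look like: nfq(v7): live inline multi
        /^[[:space:]]*[A-Za-z0-9_]+\(v[0-9]+\):/ {
            name = $1
            sub(/\(.*/, "", name)      # strip "(v7):" to get the bare name
            if (name != want) next
            status = "passive"
            for (i = 2; i <= NF; i++)
                if ($i == "inline") status = "inline"
            found = 1
        }
        END { print (found ? status : "missing") }
    '
}

# Constructed sample: a listing in which nfq is visible to Snort.
sample_with_nfq() {
    cat <<'EOF'
Available DAQ modules:
pcap(v3): readback live multi unpriv
nfq(v7): live inline multi
afpacket(v5): live inline multi unpriv
EOF
}

# Constructed sample: a build in which Snort does not list nfq.
sample_without_nfq() {
    cat <<'EOF'
Available DAQ modules:
pcap(v3): readback live multi unpriv
dump(v2): readback live inline multi unpriv
EOF
}

# Demo run on the constructed samples.
for m in nfq pcap; do
    printf '%s: %s\n' "$m" "$(sample_with_nfq | daq_inline_status "$m")"
done
printf 'nfq after a bad build: %s\n' "$(sample_without_nfq | daq_inline_status nfq)"
```

On a real sensor, feed it the live listing instead of a sample: snort --daq-list | daq_inline_status nfq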