[Snort-users] Trouble getting PF_Ring DNA and DAQ to work

Xavier Van Pottelbergh Xavier.VanPottelbergh at ...16804...
Fri Apr 18 10:04:00 EDT 2014


Hi,

I'm a student trying to set up snort.

I've run into trouble trying to get multiple snort instances listening on one interface (I have too much traffic for one instance to handle).

I'm using a RHEL 6.5 server
Snort version:
  ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.6.0 GRE (Build 47)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.5.3
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.
DAQ-version: daq-2.0.2
PF_RING version: PF_RING-5.6.2

I removed the driver and pf_ring modules (if they were loaded)
"rmmod ixgbe.ko
rmmod pf_ring.ko"

I loaded the driver:
"cd /root/PF_RING-5.6.2/drivers/DNA/ixgbe-3.18.7-DNA/src/
make
insmod ixgbe.ko"

I loaded pf_ring:
"cd /root/PF_RING-5.6.2/kernel/
make
make install
insmod pf_ring.ko transparent_mode=0 min_num_slots=16384"

I compiled daq with the following options:
"cd /root/daq-2.0.2/
./configure -disable-nfq-module -disable-ipq-module -with-libpcap-includes=/usr/local/include -with-libpcap-libraries=/usr/local/lib"

Made the PF_RING DAQ Module:
"cd /root/PF_RING-5.6.2/userland/snort/pfring-daq-module/
autoreconf -ivf
./configure
make
make install"

Compiled snort like this:
"cd /root/snort-2.9.6.0/
./configure -with-libpcap-includes=/usr/local/include -with-libpcap-libraries=/usr/local/lib -with-libpfring-includes=/usr/local/include/daq -with-libpfring-includes=/usr/local/lib/daq -enable-sourcefire -enable-perfprofiling
make
make install"

I modified this into my init.d script:
"for i in 1 2 3 4 5 6 7 8; do
      daemon /usr/sbin/snort -A Fast -N -D -i dna1@$i -u snort -g snort -c /etc/snort/snort.conf --daq-dir=/usr/local/lib/daq --daq-mode passive --daq pfring &
done"

Each snort instance then fails with:
"pfring DAQ configured to passive.
FATAL ERROR: Can't initialize DAQ pfring (-1) - "

When I run snort without the daq-configuration options, snort fails with the following message:
"pcap DAQ configured to passive.
Acquiring network traffic from "dna1 at ...2546...".
Initializing daemon mode
Daemon initialized, signaled parent pid: 24786
Reload thread starting...
Reload thread started, thread 0x7f149cb45700 (25309)
FATAL ERROR: Can't start DAQ (-1) - SIOCGIFHWADDR: No such device!"
The 'ip link list' command shows dna1 as up

If you need more info, please ask so I can provide it.

Thank you in advance.
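
A preflight check for the setup described in this message, as an added example that is not part of the original post and not Snort or PF_RING project code. It checks the prerequisites one `snort -i dna1@N --daq pfring` instance depends on; the function names and the `PROC_ROOT`/`SYS_ROOT` variables are hypothetical, and it assumes the loaded pf_ring module exposes `/proc/net/pf_ring/info` and that the PF_RING DAQ module is installed as `daq_pfring.so`.

```shell
#!/bin/sh
# Preflight for one "snort -i dna1@N --daq pfring" instance.
# PROC_ROOT / SYS_ROOT are hypothetical knobs so the checks can be pointed
# at a test tree; the defaults are the live system paths.
PROC_ROOT=${PROC_ROOT:-/proc}
SYS_ROOT=${SYS_ROOT:-/sys}

# Split "dna1@3" into device "dna1" and queue "3" (queue is empty without "@").
iface_dev()   { printf '%s\n' "${1%%@*}"; }
iface_queue() { case $1 in *@*) printf '%s\n' "${1#*@}" ;; *) printf '\n' ;; esac; }

# preflight IFACE_SPEC DAQ_DIR
# Prints one line per failed check; return status is the number of failures.
preflight() {
    spec=$1; daq_dir=$2; fails=0
    dev=$(iface_dev "$spec"); queue=$(iface_queue "$spec")

    # Assumption: pf_ring.ko publishes this file once it is loaded.
    [ -r "$PROC_ROOT/net/pf_ring/info" ] ||
        { echo "pf_ring module not loaded"; fails=$((fails + 1)); }
    # The kernel knows the NIC by its base name; "@N" is not part of that name.
    [ -e "$SYS_ROOT/class/net/$dev" ] ||
        { echo "no such network device: $dev"; fails=$((fails + 1)); }
    # A queue suffix, when present, must be numeric.
    case $queue in
        *[!0-9]*) echo "bad queue id: $queue"; fails=$((fails + 1)) ;;
    esac
    # Assumption: the PF_RING DAQ module's "make install" places this file here.
    [ -f "$daq_dir/daq_pfring.so" ] ||
        { echo "daq_pfring.so missing from $daq_dir"; fails=$((fails + 1)); }
    return "$fails"
}
```

Called as `preflight dna1@1 /usr/local/lib/daq` before each instance in the init script's loop, a non-zero status names the missing prerequisite before snort starts.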
