[Snort-users] Trouble getting PF_Ring DNA and DAQ to work
Xavier Van Pottelbergh
Xavier.VanPottelbergh at ...16804...
Fri Apr 18 10:04:00 EDT 2014
I'm a student trying to set up snort.
I've ran into trouble trying to get multiple snort instances listening on one interface (I have too much traffic for one instance to handle).
I'm using a RHEL 6.5 server
,,_ -*> Snort! <*-
o" )~ Version 188.8.131.52 GRE (Build 47)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.5.3
Using PCRE version: 7.8 2008-09-05
Using ZLIB version: 1.2.
PF_RING version: PF_RING-5.6.2
I removed the driver and pf_ring modules (if they were loaded)
I loaded the driver:
I loaded pf_ring:
Insmod pf_ring.ko transparent_mode=0 min_num_slots=16384"
I compiled daq with the following options:
./configure -disable-nfq-module -disable-ipq-module -with-libpcap-includes=/usr/local/include -with-libpcap-libraries=/usr/local/lib"
Made the PF_RING DAQ Module:
Compiled snort like this:
./configure -with-libpcap-includes=/usr/local/include -with-libpcap-libraries=/usr/local/lib -with-libpfring-includes=/usr/local/include/daq -with-libpfring-includes=/usr/local/lib/daq -enable-sourcefire -enable-perfprofiling
I modified this into my init.d script:
"for i in 1 2 3 4 5 6 7 8; do
daemon /usr/sbin/snort -A Fast -N -D -i dna1@$i -u snort -g snort -c /etc/snort/snort.conf -daq-dir=/usr/local/lib/daq -daq-mode passive -daq pfring &
Each snort instance then fails with:
"pfring DAQ configured to passive.
FATAL ERROR: Can't initialize DAQ pfring (-1) - "
When I run snort without the daq-configuration options, snort fails with the following message:
"pcap DAQ configured to passive.
Acquiring network traffic from "dna1 at ...2546...".
Initializing daemon mode
Daemon initialized, signaled parent pid: 24786
Reload thread starting...
Reload thread started, thread 0x7f149cb45700 (25309)
FATAL ERROR: Can't start DAQ (-1) - SIOCGIFHWADDR: No such device!"
The 'ip link list' command shows dna1 as up
If you need more info, please ask so I can provide it.
Thank you in advance.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users