[Snort-users] Snort 2.9.6.2 inline mode problem

James Lay jlay at ...13475...
Wed Aug 27 15:20:05 EDT 2014


On 2014-08-27 13:12, Debason Shockre wrote:
>> But your --daq-mode inline is the issue....that sets up the Snort
>> controlled bridge.
>>
>> James
>
> Can you please elaborate why is it an issue, and how do you setup IPS
> with afpacket?
>
> Thanks.

First doc:
https://github.com/vrtadmin/snort-faq/blob/master/docs/README.daq

And from the daq source README:
AFPACKET Module
===============

afpacket functions similar to the pcap DAQ but with better performance:

     ./snort --daq afpacket -i <device>
             [--daq-var buffer_size_mb=<#MB>]
             [--daq-var debug]

If you want to run afpacket in inline mode, you must set device to one 
or more
interface pairs, where each member of a pair is separated by a single 
colon and
each pair is separated by a double colon like this:

     eth0:eth1

or this:

     eth0:eth1::eth2:eth3

By default, the afpacket DAQ allocates 128MB for packet memory.  You 
can change
this with:

     --daq-var buffer_size_mb=<#MB>

Note that the total allocated is actually higher, here's why.  Assuming 
the
default packet memory with a snaplen of 1518, the numbers break down 
like this:

* The frame size is 1518 (snaplen) + the size of the AFPacket header 
(66
   bytes) = 1584 bytes.

* The number of frames is 128 MB / 1518 = 84733.

* The smallest block size that can fit at least one frame is  4 KB = 
4096 bytes
   @ 2 frames per block.

* As a result, we need 84733 / 2 = 42366 blocks.

* Actual memory allocated is 42366 * 4 KB = 165.5 MB.

NOTE: Linux kernel version 2.6.31 or higher is required for the 
AFPacket DAQ
module due to its dependency on both TPACKET v2 and PACKET_TX_RING 
support.


NFQ Module
==========

NFQ is the new and improved way to process iptables packets:

     ./snort --daq nfq \
         [--daq-var device=<dev>] \
         [--daq-var proto=<proto>] \
         [--daq-var queue=<qid>]

     <dev> ::= ip | eth0, etc; default is IP injection
     <proto> ::= ip4 | ip6 |; default is ip4
     <qid> ::= 0..65535; default is 0

This module can not run unprivileged so ./snort -u -g will produce a 
warning
and won't change user or group.


Hey Joel, is the daq source on github by chance?

James




More information about the Snort-users mailing list