[Snort-users] Snort 18.104.22.168 inline mode problem
jlay at ...13475...
Wed Aug 27 15:20:05 EDT 2014
On 2014-08-27 13:12, Debason Shockre wrote:
>> But your --daq-mode inline is the issue....that sets up the Snort
>> controlled bridge.
> Can you please elaborate why is it an issue, and how do you setup IPS
> with afpacket?
And from the daq source README:
afpacket functions similar to the pcap DAQ but with better performance:
./snort --daq afpacket -i <device>
If you want to run afpacket in inline mode, you must set device to one
interface pairs, where each member of a pair is separated by a single
each pair is separated by a double colon like this:
By default, the afpacket DAQ allocates 128MB for packet memory. You
Note that the total allocated is actually higher, here's why. Assuming
default packet memory with a snaplen of 1518, the numbers break down
* The frame size is 1518 (snaplen) + the size of the AFPacket header
bytes) = 1584 bytes.
* The number of frames is 128 MB / 1518 = 84733.
* The smallest block size that can fit at least one frame is 4 KB =
@ 2 frames per block.
* As a result, we need 84733 / 2 = 42366 blocks.
* Actual memory allocated is 42366 * 4 KB = 165.5 MB.
NOTE: Linux kernel version 2.6.31 or higher is required for the
module due to its dependency on both TPACKET v2 and PACKET_TX_RING
NFQ is the new and improved way to process iptables packets:
./snort --daq nfq \
[--daq-var device=<dev>] \
[--daq-var proto=<proto>] \
<dev> ::= ip | eth0, etc; default is IP injection
<proto> ::= ip4 | ip6 |; default is ip4
<qid> ::= 0..65535; default is 0
This module can not run unprivileged so ./snort -u -g will produce a
and won't change user or group.
Hey Joel, is the daq source on github by chance?
More information about the Snort-users