[Snort-users] snort daqs capabilities

Mark Greenman mark.greenman.014 at ...11827...
Mon Dec 8 09:40:11 EST 2014


Hi. I am new to snort and I am confused about some actions performed
by some daqs.
I am trying to use the react rule option to block some applications (using
the appid rule option) and send another web page instead.

Three scenarios were examined:
1- snort using pcap daq when listening on the interface connected to
the server network,
2- snort using pcap daq when listening on the interface connected to
the client network,
3- snort using nfq daq for extracting packets from a user space queue.

When pcap on the client side interface is used, the connection is
destroyed successfully and the webpage is sent to the client. How is
it possible for pcap to drop packets if it is not in inline mode? Or
is pcap running in inline mode?
When pcap on the server side interface is used, the connection is
destroyed again but no webpage is sent to the client. What do you
think is the reason for that?
Finally, when nfq is used, again the connection is destroyed (which is
normal) but the page is not sent to the client. What is the reason for
this one?

Thank you very much
Mark.



