[Snort-users] snort daqs capabilities
mark.greenman.014 at ...11827...
Mon Dec 8 09:40:11 EST 2014
Hi. I am new to snort and I am confused about some actions performed
by some daqs.
I am trying to use react rule option to block some applications (using
appid rule option) and send another web page instead.

Three scenarios were examined:
1- snort using pcap daq when listening on the interface connected to
the server network,
2- snort using pcap daq when listening on the interface connected to
the client network,
3- snort using nfq daq for extracting packets from a user space queue.

When pcap on the client side interface is used, the connection is
destroyed successfully and the webpage is sent to the client. How is
it possible for pcap to drop packets if it is not in inline mode? Or
is pcap running in inline mode?

When pcap on the server side interface is used, the connection is
destroyed again but no webpage is sent to the client. What do you
think is the reason for that?

Finally, when nfq is used, again the connection is destroyed (which is
normal) but the page is not sent to the client. What is the reason for
Thank you very much