[Snort-users] IPS Inline Mode

Matt Martin MMartin at ...16693...
Fri Jun 20 12:34:17 EDT 2014


I can’t answer your other questions, but I was also having issues with DAQ because when I was compiling DAQ it wasn’t successfully building IPQ and NFQ Modules so I also saw that error. But I did finally get it compiled with the modules I wanted. The problem was daq couldn’t find certain header/.so files in my lib dirs because I was running on 64-bit and it was checking the standard “/usr/lib” dirs. instead of my “lib64” dirs.. I fixed it by creating symbolic links to the .so files it was looking for in the standard “lib” dirs.

If you run the command below you should see a list of available DAQ Modules:
            # snort --daq-list
Available DAQ modules:
pcap(v3): readback live multi unpriv
nfq(v7): live inline multi
ipfw(v3): live inline multi unpriv
dump(v2): readback live inline multi unpriv
afpacket(v5): live inline multi unpriv

Hope that helps…


From: Erdem Çulcu [mailto:erdem at ...16870...]
Sent: Friday, June 20, 2014 4:51 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] IPS Inline Mode


I am new on Snort

I installed with guide and run IDS mode.

I have two problems.

Firstly, Snort handle only host machine packets. I write some rules example:
alert tcp any any -> any any (content:"www.facebook.com<http://www.facebook.com>";msg:"Facebook Accessing";sid:1000001;)

This rule works only machine which installed Snort. Other machines accesses are not handled.

Other problem is Inline Mode.

I run with this command

snort --daq nfq -Q -c /etc/snort/snort.conf  --daq-dir /usr/local/lib/daq --daq-var device=eth0 -i eth0

Snort gives this error

ERROR: Can't initialize DAQ nfq (-7) - The nfq DAQ module does not support interface or readback mode!

If I remove "-i eth0", Snort works but do not handle any packets

Thanks for replies

Good Works
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140620/e745cab7/attachment.html>

More information about the Snort-users mailing list