[Snort-users] IPS Inline Mode

Erdem Çulcu erdem at ...16870...
Fri Jun 20 06:54:20 EDT 2014


I ran with your command. I told you in previous messages. Snort doesn't
capture any packets with this command.

And the result:

Run time for packet processing was 22.16156 seconds
Snort processed 0 packets.
Snort ran for 0 days 0 hours 0 minutes 22 seconds
   Pkts/sec:            0



On Fri, Jun 20, 2014 at 1:50 PM, Meysam Farazmand <
farazmand.meisam at ...11827...> wrote:

> Hi Erdem,
>
> Maybe it would be better to install snort and dependencies from source. But
> no matter. Run snort with this command:
>
> snort -v -c /etc/snort/snort.conf -Q --daq nfq --daq-var device=eth0
>
> I put my snort config file in /etc/snort. So if you put it in another
> location, change it in the above command. Also note to enable the nfq DAQ in
> the snort config file.
> On Jun 20, 2014 3:12 PM, "Erdem Çulcu" <erdem at ...16870...> wrote:
>
>> Hi Meysam,
>>
>> I installed these libs and libdnet-1.12.
>>
>> And I ran the --daq-list command.
>>
>> Available DAQ modules:
>> pcap(v3): readback live multi unpriv
>> nfq(v7): live inline multi
>> ipfw(v3): live inline multi unpriv
>> dump(v2): readback live inline multi unpriv
>> afpacket(v5): live inline multi unpriv
>>
>> Snort gives this response.
>>
>> On Fri, Jun 20, 2014 at 12:32 PM, Meysam Farazmand <
>> farazmand.meisam at ...11827...> wrote:
>>
>>> Hi Erdem,
>>>
>>> Did you install the nfq library from netfilter.org?
>>> On Jun 20, 2014 1:55 PM, "Erdem Çulcu" <erdem at ...16870...> wrote:
>>>
>>>> Hi,
>>>>
>>>> I am new to Snort.
>>>>
>>>> I installed it with the guide and run it in IDS mode.
>>>>
>>>> I have two problems.
>>>>
>>>> Firstly, Snort handles only host machine packets. I wrote some rules, for
>>>> example:
>>>> alert tcp any any -> any any (content:"www.facebook.com";msg:"Facebook
>>>> Accessing";sid:1000001;)
>>>>
>>>> This rule works only on the machine on which Snort is installed. Other
>>>> machines' accesses are not handled.
>>>>
>>>> The other problem is Inline Mode.
>>>>
>>>> I run with this command:
>>>>
>>>> snort --daq nfq -Q -c /etc/snort/snort.conf  --daq-dir
>>>> /usr/local/lib/daq --daq-var device=eth0 -i eth0
>>>>
>>>> Snort gives this error:
>>>>
>>>> ERROR: Can't initialize DAQ nfq (-7) - The nfq DAQ module does not
>>>> support interface or readback mode!
>>>>
>>>> If I remove "-i eth0", Snort works but does not handle any packets.
>>>>
>>>> Thanks for replies.
>>>>
>>>> Good Works
>>>>
>>>>
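A configuration check for the symptom in this thread (nfq DAQ starts, Snort processes 0 packets): the nfq DAQ only receives packets that a netfilter rule sends to NFQUEUE, so a host with no such rule leaves Snort idle. This script is an added example, not from the list thread or the Snort project; the iptables-save rulesets are constructed, and it assumes Snort listens on queue 0 (the nfq DAQ default when no --daq-var queue=N is given).

```shell
#!/bin/sh
# Added example, not from the thread or the Snort project: the nfq DAQ only
# sees packets that a netfilter rule sends to NFQUEUE. A ruleset with no
# such rule gives exactly the symptom above: Snort runs but processes 0
# packets. This checks an iptables-save dump for the queue Snort listens on.

# Print the NFQUEUE numbers referenced by the iptables-save text on stdin,
# one per line. A rule without --queue-num uses queue 0 (--queue-balance
# ranges are not handled here).
nfqueue_queues() {
    grep -- '-j NFQUEUE' | while IFS= read -r rule; do
        case "$rule" in
            *--queue-num\ [0-9]*) echo "$rule" | sed 's/.*--queue-num \([0-9]*\).*/\1/' ;;
            *) echo 0 ;;
        esac
    done
}

# Succeed (exit 0) if some rule on stdin feeds queue $1, the number given
# to Snort with --daq-var queue=N (assumed default 0 when omitted).
check_nfq_queue() {
    want="${1:-0}"
    nfqueue_queues | grep -qx "$want"
}

# Constructed sample rulesets in iptables-save format (not from a real host).
RULES_OK='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j NFQUEUE --queue-num 0
-A OUTPUT -j NFQUEUE --queue-num 0
-A FORWARD -j NFQUEUE --queue-num 0
COMMIT'
RULES_NONE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# On a live sensor, after sourcing this file: iptables-save | check_nfq_queue 0
if printf '%s\n' "$RULES_OK" | check_nfq_queue 0; then
    echo "sample 1: queue 0 is fed, Snort's nfq DAQ will receive packets"
fi
if ! printf '%s\n' "$RULES_NONE" | check_nfq_queue 0; then
    echo "sample 2: no NFQUEUE rule, expect 'Snort processed 0 packets'"
fi
```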