[Snort-users] Fwd: IPS Inline Mode

Erdem Çulcu erdem at ...16870...
Fri Jun 20 06:43:24 EDT 2014


---------- Forwarded message ----------
From: Erdem Çulcu <erdem at ...16870...>
Date: Fri, Jun 20, 2014 at 1:42 PM
Subject: Re: [Snort-users] IPS Inline Mode
To: Meysam Farazmand <farazmand.meisam at ...11827...>


Hi Meysam,

I installed these libs and libdnet-1.12.

[image: Inline image 1]

And I ran the --daq-list command:

Available DAQ modules:
pcap(v3): readback live multi unpriv
nfq(v7): live inline multi
ipfw(v3): live inline multi unpriv
dump(v2): readback live inline multi unpriv
afpacket(v5): live inline multi unpriv

Snort gives this response.

On Fri, Jun 20, 2014 at 12:32 PM, Meysam Farazmand <
farazmand.meisam at ...11827...> wrote:

> Hi Erdem,
>
> Did you install the nfq library from netfilter.org?
> On Jun 20, 2014 1:55 PM, "Erdem Çulcu" <erdem at ...16870...> wrote:
>
>> Hi,
>>
>> I am new to Snort.
>>
>> I installed it with the guide and ran it in IDS mode.
>>
>> I have two problems.
>>
>> Firstly, Snort handles only the host machine's packets. I wrote some rules,
>> for example:
>> alert tcp any any -> any any (content:"www.facebook.com";msg:"Facebook
>> Accessing";sid:1000001;)
>>
>> This rule works only on the machine on which Snort is installed. Other
>> machines' accesses are not handled.
>>
>> The other problem is Inline Mode.
>>
>> I run it with this command:
>>
>> snort --daq nfq -Q -c /etc/snort/snort.conf  --daq-dir /usr/local/lib/daq
>> --daq-var device=eth0 -i eth0
>>
>> Snort gives this error:
>>
>> ERROR: Can't initialize DAQ nfq (-7) - The nfq DAQ module does not
>> support interface or readback mode!
>>
>> If I remove "-i eth0", Snort works but does not handle any packets.
>>
>> Thanks for the replies.
>>
>> Good Works
>>
>>
>