[Snort-users] IPS Inline Mode

Y M snort at ...15979...
Tue Jun 24 16:36:02 EDT 2014


Check this guide out for running Snort inline with NFQ: http://s3.amazonaws.com/snort-org/www/assets/229/ids2ips.txt

Date: Fri, 20 Jun 2014 13:54:20 +0300
From: erdem at ...16870...
To: farazmand.meisam at ...11827...; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] IPS Inline Mode

I ran with your command. I told you in previous messages. Snort doesn't capture any packets with this command,
and the result is:
Run time for packet processing was 22.16156 seconds
Snort processed 0 packets.
Snort ran for 0 days 0 hours 0 minutes 22 seconds   Pkts/sec:            0


On Fri, Jun 20, 2014 at 1:50 PM, Meysam Farazmand <farazmand.meisam at ...13610...7...> wrote:

Hi Erdem,
Maybe it would be better to install snort and its dependencies from source. But no matter. Run snort with this command:
snort -v -c /etc/snort/snort.conf -Q --daq nfq --daq-var device=eth0
I put my snort config file in /etc/snort. So if you put it in another location, change it in the above command. Also remember to enable the nfq DAQ in the snort config file.
On Jun 20, 2014 3:12 PM, "Erdem Çulcu" <erdem at ...16870...> wrote:


Hi Meysam,
I installed these libs and libdnet-1.12.

And I ran the --daq-list command:
Available DAQ modules:
pcap(v3): readback live multi unpriv
nfq(v7): live inline multi
ipfw(v3): live inline multi unpriv
dump(v2): readback live inline multi unpriv
afpacket(v5): live inline multi unpriv
Snort gives this response.
On Fri, Jun 20, 2014 at 12:32 PM, Meysam Farazmand <farazmand.meisam at ...14540...27...> wrote:

Hi Erdem,
Did you install the nfq library from netfilter.org?
On Jun 20, 2014 1:55 PM, "Erdem Çulcu" <erdem at ...16870...> wrote:

Hi,
I am new to Snort.
I installed it with the guide and ran IDS mode.
I have two problems.
Firstly, Snort handles only the host machine's packets. I wrote some rules, for example:
alert tcp any any -> any any (content:"www.facebook.com";msg:"Facebook Accessing";sid:1000001;)
This rule works only on the machine where Snort is installed. Other machines' accesses are not handled.

The other problem is Inline Mode.
I run it with this command:
snort --daq nfq -Q -c /etc/snort/snort.conf  --daq-dir /usr/local/lib/daq --daq-var device=eth0 -i eth0
Snort gives this error:
ERROR: Can't initialize DAQ nfq (-7) - The nfq DAQ module does not support interface or readback mode!
If I remove "-i eth0", Snort works but does not handle any packets.

Thanks for the replies.
Good Works
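As an added example that is not part of this thread: with the nfq DAQ, Snort does not sniff an interface at all but takes packets only from an iptables NFQUEUE, which is why "-i eth0" is rejected and why, with no queue rule installed, it reports 0 packets processed. This POSIX shell script prints the NFQUEUE rules and the matching Snort command line as a dry run, and checks a saved --daq-list output for inline support; queue number 0, the FORWARD/INPUT/OUTPUT chains and the config and DAQ paths from the thread are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): generate the iptables NFQUEUE rules and
# the Snort inline command for the nfq DAQ. Nothing is applied here; the
# commands are printed so they can be reviewed before running them as root.
# Assumed values (override via environment): queue 0 and the thread's paths.

QUEUE_NUM=${QUEUE_NUM:-0}                  # must match Snort's --daq-var queue=
SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}
DAQ_DIR=${DAQ_DIR:-/usr/local/lib/daq}

# Print the iptables rules that hand packets to the queue Snort reads from.
# FORWARD covers traffic routed or bridged through this box (other hosts);
# INPUT/OUTPUT cover the host's own traffic. With no such rule nothing
# reaches the queue and Snort shows "Snort processed 0 packets".
nfq_rules() {
    for chain in FORWARD INPUT OUTPUT; do
        printf 'iptables -I %s -j NFQUEUE --queue-num %s\n' "$chain" "$QUEUE_NUM"
    done
}

# Print the Snort command line. nfq is not an interface DAQ, so -i is never
# emitted; adding it produces "does not support interface or readback mode".
snort_inline_cmd() {
    printf 'snort -Q -c %s --daq-dir %s --daq nfq --daq-var queue=%s\n' \
        "$SNORT_CONF" "$DAQ_DIR" "$QUEUE_NUM"
}

# Read a saved "snort --daq-list" output on stdin and return 0 only if the
# named DAQ module advertises "inline" (e.g. "nfq(v7): live inline multi").
# Usage: daq_supports_inline nfq < daq-list.txt
daq_supports_inline() {
    grep -qE "^$1\(v[0-9]+\): .*[[:space:]]inline([[:space:]]|$)"
}

# Dry run: show the rules and the command that would be used.
nfq_rules
snort_inline_cmd
```

To apply, pipe the printed rules through sh as root, then start Snort with the printed command; remove the rules again when Snort is not running, or queued packets are dropped.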

_______________________________________________

Snort-users mailing list

Snort-users at lists.sourceforge.net

Go to this URL to change user options or unsubscribe:

https://lists.sourceforge.net/lists/listinfo/snort-users

Snort-users list archive:

http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users



Please visit http://blog.snort.org to stay current on all the latest Snort news!