[Snort-users] Snort with AFPacket

James Lay jlay at ...13475...
Mon Nov 3 20:56:34 EST 2014


On Mon, 2014-11-03 at 20:44 -0500, Sec Aficionado wrote:
> Great, thank you for the explanation. NFQ was indeed my next step
> after trying AFPacket. AFPacket was easier to build, but I did not
> realize it might have serious side effects.
> 
> 
> From the high level description of NFQ, it still works with iptables,
> but in a more efficient manner?
> 

It's... interesting.  You have to be careful with where you place your
iptables QUEUE rule for Snort to use, because any rules placed AFTER
the QUEUE rule are not looked at: as soon as the packet hits the QUEUE
rule, Snort will either drop it as an IPS hit or will pass it up the
stack.  So make sure you nmap the box once you put it in place... don't
want any open surprises ;)

James 
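As an added example (not James's code, and not part of Snort or its NFQ DAQ), here is a small shell check for the ordering problem described in the reply: it reads an iptables-save dump and reports every rule that sits after an NFQUEUE rule in the same chain, since a packet that hits the NFQUEUE rule gets Snort's verdict (drop, or accept) and never reaches those later rules. It also flags a catch-all NFQUEUE rule, which means the chain policy is never applied to queued traffic. The queue number 0 and both rulesets are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or the Snort project.
# Reads iptables-save text and finds rules shadowed by an NFQUEUE rule
# in the same chain. Assumes Snort is attached with the NFQ DAQ to
# queue 0 (e.g. --daq nfq --daq-var queue=0); queue number is an assumption.

# Constructed ruleset: filtering decided BEFORE handing packets to Snort,
# and NFQUEUE limited to the services we actually mean to expose.
GOOD_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -s 192.0.2.10 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j NFQUEUE --queue-num 0
COMMIT'

# Constructed ruleset with the mistake: NFQUEUE first. The DROP for telnet
# and the source-restricted SSH rule are never consulted, and because the
# NFQUEUE rule matches everything the INPUT policy of DROP never applies;
# every port Snort does not flag is reachable.
BAD_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j NFQUEUE --queue-num 0
-A INPUT -p tcp --dport 23 -j DROP
-A INPUT -p tcp --dport 22 -s 192.0.2.10 -j ACCEPT
COMMIT'

# check_nfqueue_order RULESET_TEXT
# Prints one line per problem; exit status 0 when clean, 1 otherwise.
check_nfqueue_order() {
    printf '%s\n' "$1" | awk '
        /^-A / {
            chain = $2
            # Any rule after an NFQUEUE rule in this chain is never reached
            # by packets that hit the NFQUEUE rule.
            if (chain in queued) {
                print chain ": shadowed by earlier NFQUEUE rule: " $0
                bad = 1
            }
            if ($0 ~ / -j NFQUEUE/) {
                queued[chain] = 1
                # Strip "-A CHAIN " and the target; anything left is a match
                # expression. Nothing left means the rule queues every packet.
                s = $0
                sub(/^-A [^ ]+ /, "", s)
                sub(/ *-j .*/, "", s)
                if (s == "") {
                    print chain ": catch-all NFQUEUE rule, chain policy never applies: " $0
                    bad = 1
                }
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

echo "== good ruleset =="
check_nfqueue_order "$GOOD_RULES" && echo "ok: nothing shadowed"
echo "== bad ruleset =="
check_nfqueue_order "$BAD_RULES" || echo "fix the rule order before loading it"
```

Run it against `iptables-save` output (`check_nfqueue_order "$(iptables-save -t filter)"`) before bringing the queue up, and, as the reply says, port-scan the host from another machine afterwards (for example `nmap -sS -p- <host>`) to confirm only the intended services answer.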