[Snort-users] Snort with AFPacket

James Lay jlay at ...13475...
Tue Nov 4 07:28:22 EST 2014


On Mon, 2014-11-03 at 21:26 -0500, waldo kitty wrote:

> On 11/3/2014 8:56 PM, James Lay wrote:
> > On Mon, 2014-11-03 at 20:44 -0500, Sec Aficionado wrote:
> >> Great, thank you for the explanation. NFQ was indeed my next step
> >> after trying AFPacket. AFPacket was easier to build, but I did not
> >> realize it might have serious side effects.
> >>
> >>
> >>  From the high level description of NFQ, it still works with iptables,
> >> but in a more efficient manner?
> >>
> >
> > It's.....interesting.  You have to be careful with where you place your
> > iptables QUEUE rule for Snort to use.  Because any rules placed AFTER
> > the QUEUE rule are not looked at....as soon as the packet hits the QUEUE
> > rule snort will either drop it as an IPS hit, or will pass it up the
> > stack.  So make sure you nmap the box once you put it in place...don't
> > want any open surprises ;)
> 
> that's going to be fun to do... i'm extremely familiar with the setup that the 
> OP is working with... the entire configuration is built by iptables and getting 
> the queues in place is going to be early in the process /IF/ i'm looking at 
> things properly... that also puts snort towards the end of all the flow instead 
> of at the head of it unless i'm missing what you mean by "pass [the packet] up 
> the stack"...
> 


Yep..it's a hoot ;)  And good call on the multiple NICs, waldo.

James
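The ordering pitfall James describes (rules placed after the QUEUE rule are never evaluated, because once a packet is queued Snort's verdict either drops it or accepts it past the rest of the chain) is easy to lint for before you reach for nmap. The following is an added example, not code from this thread or from the Snort project: a POSIX shell function that reads an iptables-save style dump and prints every rule that sits after a QUEUE/NFQUEUE rule in the same chain. The two rulesets are constructed for illustration; NFQUEUE with --queue-num 0 is the modern spelling of the older QUEUE target, and the chain names, ports and addresses are arbitrary.

```shell
#!/bin/sh
# Constructed iptables-save style ruleset (illustration only, not from the thread).
# The two DROP rules after NFQUEUE are dead: a packet that reaches the NFQUEUE rule
# is handed to Snort, and an accept verdict skips the remainder of the chain.
BAD_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j NFQUEUE --queue-num 0
-A FORWARD -p tcp --dport 23 -j DROP
-A FORWARD -s 10.0.0.0/8 -j DROP
COMMIT'

# Same policy with the explicit DROPs moved ahead of the queue rule, so the
# firewall's own decisions are made before Snort ever sees the packet.
GOOD_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -p tcp --dport 23 -j DROP
-A FORWARD -s 10.0.0.0/8 -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j NFQUEUE --queue-num 0
COMMIT'

# shadowed_rules: read an iptables-save dump on stdin and print each "-A <chain> ..."
# rule that follows a QUEUE/NFQUEUE rule in the same chain (rules that are never
# evaluated). Exit status 1 if any were found, 0 if the ordering is clean.
shadowed_rules() {
    awk '
        /^-A / {
            chain = $2
            if (chain in queued) { print; found = 1; next }
            if ($0 ~ /-j (NFQUEUE|QUEUE)( |$)/) queued[chain] = 1
        }
        END { exit found ? 1 : 0 }
    '
}

# count_shadowed: number of shadowed rules in the ruleset passed as $1.
count_shadowed() {
    printf '%s\n' "$1" | shadowed_rules | wc -l | tr -d ' '
}

# Typical use on a live box (needs root): iptables-save | shadowed_rules
if [ "$(count_shadowed "$BAD_RULES")" != "0" ]; then
    echo "BAD_RULES has rules that Snort's NFQUEUE rule will shadow:"
    printf '%s\n' "$BAD_RULES" | shadowed_rules
fi
```

Run it against `iptables-save` output after placing the queue rule, then still do the nmap pass James recommends, since the linter only catches ordering within a chain, not policy mistakes. One further caveat worth knowing: without `--queue-bypass`, NFQUEUE drops every matching packet when no userspace program is bound to the queue, so a Snort process that dies takes the traffic down with it rather than silently opening the path.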