[Snort-users] Snort with AFPacket

Sec_Aficionado secaficionado at ...11827...
Tue Nov 4 10:14:18 EST 2014


It looks like Snort as an IPS is not going to work well with my setup. Not without major reworking of stuff that is stable and has been working for years.

The entire exercise, though, was a good learning experience for me. I understand Snort's architecture better, and how the different pieces fit together.

Thank you both gents for your help!

> On Nov 4, 2014, at 7:28 AM, James Lay <jlay at ...13475...> wrote:
> 
>> On Mon, 2014-11-03 at 21:26 -0500, waldo kitty wrote:
>> On 11/3/2014 8:56 PM, James Lay wrote:
>> > On Mon, 2014-11-03 at 20:44 -0500, Sec Aficionado wrote:
>> >> Great, thank you for the explanation. NFQ was indeed my next step
>> >> after trying AFPacket. AFPacket was easier to build, but I did not
>> >> realize it might have serious side effects.
>> >>
>> >>
>> >>  From the high level description of NFQ, it still works with iptables,
>> >> but in a more efficient manner?
>> >>
>> >
>> > It's.....interesting.  You have to be careful with where you place your
>> > iptables QUEUE rule for Snort to use.  Because any rules placed AFTER
>> > the QUEUE rule are not looked at....as soon as the packet hits the QUEUE
>> > rule snort will either drop it as an IPS hit, or will pass it up the
>> > stack.  So make sure you nmap the box once you put it in place...don't
>> > want any open surprises ;)
>> 
>> that's going to be fun to do... i'm extremely familiar with the setup that the 
>> OP is working with... the entire configuration is built by iptables and getting 
>> the queues in place is going to be early in the process /IF/ i'm looking at 
>> things properly... that also puts snort towards the end of all the flow instead 
>> of at the head of it unless i'm missing what you mean by "pass [the packet] up 
>> the stack"...
>> 
> 
> Yep..it's a hoot ;)  And good call on the multiple NIC's waldo.
> 
> James
> ------------------------------------------------------------------------------
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> 
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
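The rule-placement point James makes above (anything after the NFQUEUE rule in a chain is never evaluated, because Snort's verdict on the queued packet ends traversal of that chain) is easy to get wrong in a large iptables-built configuration. The script below is an added example, not code from the thread or from the Snort project: it audits an `iptables -S` style listing for rules that sit behind a catch-all NFQUEUE rule and therefore can never fire. The two rulesets are constructed samples (queue number 0, port numbers and chain contents are assumed for illustration), one with NFQUEUE placed too early and one with the filtering done first and NFQUEUE last.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Audits an
# `iptables -S` listing for rules that follow an NFQUEUE rule in the
# same chain. Snort's NFQ DAQ returns a verdict (accept or drop) for every
# queued packet, so a rule placed after a catch-all NFQUEUE rule is dead:
# a DROP there never fires and whatever Snort passes is allowed.

# Constructed sample (not a real host): NFQUEUE placed too early.
# The telnet and MySQL DROPs and the ssh ACCEPT are never reached.
BAD_RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j NFQUEUE --queue-num 0
-A INPUT -p tcp --dport 23 -j DROP
-A INPUT -p tcp --dport 3306 -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT'

# Constructed sample, corrected: explicit filtering first, and NFQUEUE
# replaces the final ACCEPT so Snort only inspects traffic the firewall
# has already decided to allow; everything else hits the DROP policy.
# Note: without --queue-bypass, queued packets are dropped when no
# program is bound to the queue, i.e. the box fails closed if Snort dies.
GOOD_RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 23 -j DROP
-A INPUT -p tcp --dport 3306 -j DROP
-A INPUT -p tcp --dport 22 -j NFQUEUE --queue-num 0'

# Reads an `iptables -S` listing on stdin. For each chain, rules after a
# catch-all NFQUEUE rule (no match options, "-A CHAIN -j NFQUEUE ...") are
# printed with a SHADOWED prefix; rules after an NFQUEUE rule that has
# match options are printed as PARTIAL, since only packets matching that
# rule are verdicted by Snort and the rest still reach the later rules.
# Exit status 1 if any SHADOWED rule exists, 0 otherwise.
shadowed_rules() {
    awk '
        $1 == "-A" {
            chain = $2
            if (catchall[chain])        { print "SHADOWED " $0; found = 1 }
            else if (restricted[chain]) { print "PARTIAL  " $0 }
            for (i = 3; i <= NF; i++)
                if ($i == "-j" && $(i + 1) == "NFQUEUE") {
                    if (i == 3) catchall[chain] = 1
                    else        restricted[chain] = 1
                }
        }
        END { exit (found ? 1 : 0) }
    '
}

# Usage helper: audit NAME "$RULES"; on a live box feed `iptables -S` instead.
audit() {
    if printf '%s\n' "$2" | shadowed_rules; then
        echo "$1: no rules are shadowed by a catch-all NFQUEUE rule"
    else
        echo "$1: the rules above are never evaluated; move NFQUEUE last"
    fi
}

audit bad "$BAD_RULES"
audit good "$GOOD_RULES"
```

On a live system the input comes from `iptables -S` (or `iptables -S INPUT` for one chain), and the reordering is the only fix; there is no NFQUEUE option that resumes the chain after Snort's verdict. As James suggests, the final check is still an external scan of the box after the rules are loaded, for example `nmap -sS -p- <host>` from another machine, with Snort running and then with it stopped, so you see both what the IPS passes and how the box behaves when the queue has no listener.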