[Snort-users] IPS using DAQ AFPacket problems

Al Lewis (allewi) allewi at ...589...
Mon Jan 12 18:08:27 EST 2015


Example using a generic "any/any" rule...

[root at ...274... snort-2.9.8.0-build_49]# ./bin/snort -c etc/test.conf --daq afpacket -i p2p1:p7p1 -A cmg -q

01/12-18:05:48.374764  [**] [1:1000001:0] ALERTS!!! [**] [Priority: 0] {TCP} 192.168.0.120:53520 -> 74.125.228.118:443
01/12-18:05:48.374764 00:22:FA:8D:0E:AA -> 2A:30:44:11:DE:6E type:0x800 len:0x59A
192.168.0.120:53520 -> 74.125.228.118:443 TCP TTL:64 TOS:0x0 ID:37508 IpLen:20 DgmLen:1420 DF
***A**** Seq: 0x867572FE  Ack: 0x4B8CD23A  Win: 0xDD  TcpLen: 32
TCP Options (3) => NOP NOP TS: 11818143 2647066184
17 03 02 0B 51 D0 35 82 9C C1 25 C9 D3 EB 26 8C  ....Q.5...%...&.
62 F4 96 9C 20 88 DE 01 EC 0A D8 30 F1 44 AB 77  b... ......0.D.w
E7 24 C2 E8 30 05 2E B0 02 12 CE 12 B1 51 AF D7  .$..0........Q..
7E FB B7 9A 2F F5 DD 18 A3 4E 48 1B 12 57 A0 D5  ~.../....NH..W..
BA 01 F6 01 30 11 82 4A 16 39 C9 A9 99 6D 22 09  ....0..J.9...m".
4F FA 71 D4 4B A2 53 5B 40 B6 3C 00 32 95 3C 98  O.q.K.S[@.<.2.<.
5E CE 9A FB 86 AA 28 DF E3 61 7C 90 FF BB 12 41  ^.....(..a|....A
A8 E4 41 1C 04 5E A0 F0 04 26 25 F0 D0 07 B6 19  ..A..^...&%.....
ED C3 86 56 DE 6B 8E 70 D5 FE A8 88 80 AE EA 74  ...V.k.p.......t
0A 4A E8 1B F3 B2 0B 6E 8E 06 64 84 17 BC 18 CC  .J.....n..d.....
3E BB F9 59 E3 9B B8 0C E5 ED E3 D6 94 39 65 6F  >..Y.........9eo
6E 7B 46 6E C9 90 27 FB D9 A7 7A E3 CA 6B 7F 28  n{Fn..'...z..k.(
85 F4 CE 30 17 AB A0 D1 37 C5 C8 C4 3C B2 9A 59  ...0....7...<..Y
70 A4 EE 91 19 A0 CC 63 A0 CF FC 15 77 13 FE 08  p......c....w...
EF 08 43 1E FD BA EA 1D 35 B3 4B E0 E4 77 BB 20  ..C.....5.K..w.
64 4E AC 83 CC D4 BE F4 8C 1B DE 58 0F CF 44 E7  dN.........X..D.
6A 9F 6C B5 AF 74 79 77 1C 23 7C 6B 18 EE 1A D8  j.l..tyw.#|k....
91 2D CC 05 67 6F AD C6 92 83 6A 40 83 DA 90 33  .-..go....j@...3
28 C1 79 6E 83 08 12 FF 11 D3 F8 17 A2 6C 55 50  (.yn.........lUP
E3 BD 35 08 1F A4 B4 E9 E0 2A 78 09 D6 88 0B F4  ..5......*x.....
57 6A 83 52 94 DA 86 1F C5 08 DA EC E2 D7 BF 08  Wj.R............
C5 2B B9 40 6A 75 26 58 93 18 BD F1 9D 32 47 8C  .+.@ju&X.....2G.
8C A3 41 71 7D C9 E6 FC 8B F6 16 4D 9C BA DF D3  ..Aq}......M....
9C CF 07 56 46 A3 A4 46 82 29 9B 7D 66 5E 54 CF  ...VF..F.).}f^T.
36 C4 D1 AF 43 E1 BB 82 C2 DD F5 A0 A8 E1 16 D9  6...C...........
21 34 70 89 8A BD D1 8F 1E 03 F1 C5 2F 51 F7 F6  !4p........./Q..
E0 8E 36 1D 49 85 B0 0B A7 75 3B 20 72 5E C2 BD  ..6.I....u; r^..
2C 07 83 E6 52 AF B2 3A F7 C1 00 8D D8 D3 27 AF  ,...R..:......'.
31 64 25 0E BF 60 7A CF 6A DB CC 90 B4 29 06 05  1d%..`z.j....)..
F0 58 6A B2 12 48 22 53 98 86 95 15 EF 79 23 22  .Xj..H"S.....y#"
A7 62 F0 15 46 73 27 77 14 98 3B E5 20 7A B1 4C  .b..Fs'w..;. z.L


Hope this helps.

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...589...
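
The `-A cmg` output above is the quickest way to confirm that traffic is actually flowing through the inline pair, but it is easy to misread. The parser below is an added example, not code from the thread or from Snort: it splits one alert block into its header fields, rebuilds the payload from the hex column, checks the ASCII column against the bytes, and compares the dumped length with the length implied by `DgmLen - IpLen - TcpLen`. The sample input is constructed from the header lines of the alert above with only its first three dump lines, so the truncation check fires; the TLS interpretation of the leading bytes `17 03 02` (application data record, protocol version 3.2) is an assumption drawn from the destination port 443.

```python
import re

# Constructed sample: the alert header from the thread plus the first three
# hex-dump lines. The real dump continues for many more lines; cutting it here
# is deliberate so that the truncation check below has something to report.
SAMPLE_ALERT = """\
01/12-18:05:48.374764  [**] [1:1000001:0] ALERTS!!! [**] [Priority: 0] {TCP} 192.168.0.120:53520 -> 74.125.228.118:443
01/12-18:05:48.374764 00:22:FA:8D:0E:AA -> 2A:30:44:11:DE:6E type:0x800 len:0x59A
192.168.0.120:53520 -> 74.125.228.118:443 TCP TTL:64 TOS:0x0 ID:37508 IpLen:20 DgmLen:1420 DF
***A**** Seq: 0x867572FE  Ack: 0x4B8CD23A  Win: 0xDD  TcpLen: 32
TCP Options (3) => NOP NOP TS: 11818143 2647066184
17 03 02 0B 51 D0 35 82 9C C1 25 C9 D3 EB 26 8C  ....Q.5...%...&.
62 F4 96 9C 20 88 DE 01 EC 0A D8 30 F1 44 AB 77  b... ......0.D.w
E7 24 C2 E8 30 05 2E B0 02 12 CE 12 B1 51 AF D7  .$..0........Q..
"""

# First line of a console/cmg alert: timestamp, [gid:sid:rev], msg, priority, proto, endpoints.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)
# Hex-dump line: up to 16 hex bytes, two spaces, then the ASCII rendering.
HEX_LINE_RE = re.compile(r"^((?:[0-9A-F]{2} ?){1,16})  (.*)$")

# TLS record content types as defined in the TLS RFCs.
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}


def render_ascii(chunk: bytes) -> str:
    """Snort prints printable ASCII (0x20-0x7E) as-is and every other byte as '.'."""
    return "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in chunk)


def parse_cmg_alert(text: str) -> dict:
    """Parse one `-A cmg` alert block into header fields plus the dumped payload."""
    lines = text.splitlines()
    if not lines:
        raise ValueError("empty alert block")
    m = ALERT_RE.match(lines[0])
    if not m:
        raise ValueError("first line is not a Snort alert header")
    info = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        info[key] = int(info[key])

    payload = bytearray()
    mismatches = 0  # dump lines whose ASCII column disagrees with the hex column
    for ln in lines[1:]:
        hm = HEX_LINE_RE.match(ln)
        if hm:
            chunk = bytes.fromhex(hm.group(1))
            if render_ascii(chunk).rstrip() != hm.group(2).rstrip():
                mismatches += 1
            payload += chunk
            continue
        for key in ("IpLen", "DgmLen"):
            km = re.search(rf"{key}:(\d+)", ln)
            if km:
                info[key.lower()] = int(km.group(1))
        tm = re.search(r"TcpLen:\s*(\d+)", ln)
        if tm:
            info["tcplen"] = int(tm.group(1))

    info["payload"] = bytes(payload)
    info["ascii_column_mismatches"] = mismatches
    if {"iplen", "dgmlen", "tcplen"} <= info.keys():
        # TCP payload length = IP total length - IP header - TCP header.
        info["expected_payload_len"] = info["dgmlen"] - info["iplen"] - info["tcplen"]
        info["dump_truncated"] = len(payload) < info["expected_payload_len"]
    return info


def tls_record_header(payload: bytes):
    """Return the TLS record header if the payload starts with one, else None (assumption: port-443 traffic)."""
    if len(payload) < 5 or payload[0] not in TLS_CONTENT_TYPES or payload[1] != 3:
        return None
    return {
        "content_type": TLS_CONTENT_TYPES[payload[0]],
        "version": (payload[1], payload[2]),
        "record_length": int.from_bytes(payload[3:5], "big"),
    }


if __name__ == "__main__":
    alert = parse_cmg_alert(SAMPLE_ALERT)
    print(f"sid {alert['sid']} {alert['msg']!r} {alert['proto']} {alert['src']} -> {alert['dst']}")
    print(f"payload: expected {alert['expected_payload_len']} bytes, dumped {len(alert['payload'])}, "
          f"truncated={alert['dump_truncated']}")
    print("tls record header:", tls_record_header(alert["payload"]))
```

Running it on the constructed sample reports a 1368-byte payload of which only 48 bytes were dumped, and decodes the first five bytes as a TLS application-data record of 2897 bytes, which is why an any/any rule on port 443 shows an alert with nothing readable in the dump.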

From: Al Lewis (allewi)
Sent: Monday, January 12, 2015 6:01 PM
To: Jake Hann; 'Y M'
Cc: 'snort-users'
Subject: Re: [Snort-users] IPS using DAQ AFPacket problems

The command should be:

sudo /usr/local/bin/snort -A console -u snort -u snort -c /etc/snort/snort.conf  --daq afpacket -i eth0:eth1


Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...589...

From: Jake Hann [mailto:jake at ...17053...]
Sent: Monday, January 12, 2015 5:16 PM
To: 'Y M'
Cc: 'snort-users'
Subject: Re: [Snort-users] IPS using DAQ AFPacket problems

Okay, I have my environment set up again. I am running this command to test and debug:

sudo /usr/local/bin/snort -A console -u snort -u snort -c /etc/snort/snort.conf -i eth0:eth1 -Q

Once it gets to Decoding Ethernet, snort just dies. I haven't been able to figure out why. Thanks for your help.

From: Y M [mailto:snort at ...15979...]
Sent: Thursday, January 01, 2015 1:15 AM
To: Jake Hann
Cc: snort-users
Subject: RE: IPS using DAQ AFPacket problems


What exactly is not working? Are you receiving any sort of errors? Please share your snort.conf and the command you use to run Snort so we can take a look.

Please keep the posts on the list.

YM
________________________________
From: jake at ...17053...
To: snort at ...15979...
Subject: IPS using DAQ AFPacket problems
Date: Wed, 31 Dec 2014 14:45:05 -0700
I successfully set up snort using one of the guides on snort.org. I was trying to now turn it into an inline IPS using the Snort IPS using DAQ AFPacket guide and it is not working. I followed all the steps to no avail. I have done some poking around the internet but have not been able to find anyone who can help me with my problem. Where would you recommend I go for help? Thank you.

Jake Hann
Information Technician
Heartland Pharmacy
