[Snort-users] Odp: Re: Odp: Re: Odp: RE: React option doesn't work

Robert Lasota wrkilu at ...3879...
Fri Mar 27 15:18:38 EDT 2015


On Friday, 27 March 2015 20:02 Victor Roemer <viroemer at ...589...> wrote:
> Robert,
>  
> Can you review your daq options please; looking at the README from the
> daq tar.gz, it looks like you need to add:
>  
> --daq-var device=<dev>
>  
> Here is a snippet that I am referring to
>  
> -------- 8< -------
> NFQ Module
> ==========
>  
> NFQ is the new and improved way to process iptables packets:
>  
>      ./snort --daq nfq \
>          [--daq-var device=<dev>] \
>          [--daq-var proto=<proto>] \
>          [--daq-var queue=<qid>]
>  
>      <dev> ::= ip | eth0, etc; default is IP injection
>      <proto> ::= ip4 | ip6 |; default is ip4
>      <qid> ::= 0..65535; default is 0
>  
> This module can not run unprivileged so ./snort -u -g will produce a warning
> and won't change user or group.
>  
> ----- 8< -----


Well,
1. this Snort is working on a router in inline mode, so that means it gets packets from:
$iptables -I FORWARD -p tcp --dport 80 -j QUEUE
so it doesn't need to set any interface

Behind this router is the computer on which I'm testing.

2. besides, the same is written here (NFQ section)
http://www.academia.edu/7084691/IPS_Packet_Acquisition_PCAP_AFPACKET_NFQ_NFQ_IPS_Action_replace









