[Snort-users] listing daq-vars and confirming the cluster type of pfring

Michael Altizer xiche at ...3147...
Mon May 29 13:45:11 EDT 2017


First of all, DAQ variables will never directly affect or configure 
Snort, they are purely a construct of the DAQ module being used.  In the 
current version of libDAQ there is no way to query a DAQ module for 
variables that it supports, so the best you can do is either look at the 
source or the documentation for the particular module to determine which 
variables may be set and the effect of doing so.  As you probably know, 
to pass a DAQ variable through Snort to the DAQ module, use the 
--daq-var command line option in the form of "variable_name" (to define 
the variable with a null value) or "variable_name=value" (to define the 
variable with a value).  If you really want to confirm anything that a 
particular DAQ module is doing, you will need to at least examine the 
code and potentially add some debug logging and recompile to be 
absolutely sure.

On 05/12/2017 09:25 AM, Charlie Dyer wrote:
> Hello list
>
> Could someone tell me if there is a way of listing all the variables you
> can pass to the daq-vars option?
> I've tried looking in various header files but can't find anything.
> The reason I ask is to confirm what type of clustering pf_ring is using and
> whether you can tell it to use one type or the other. As I understand it
> from reading the pfring code, the type is either round-robin (the default)
> or flow-5-tuple. How can I tell snort/pfring/daq to use flow-5-tuple?
> It would be good to understand what all the daq-var variables are and what
> they do/how they affect snort.
>
> Many thanks in advance
>
> Charles




