[Snort-users] Snort inline

Al Lewis (allewi) allewi at cisco.com
Thu Mar 7 13:34:19 EST 2019


See the readme file that comes with the daq download for complete details…


afpacket functions similar to the pcap DAQ but with better performance:

    ./snort --daq afpacket -i <device>
            [--daq-var buffer_size_mb=<#MB>]
            [--daq-var debug]

If you want to run afpacket in inline mode, you must craft the device string as
one or more interface pairs, where each member of a pair is separated by a
single colon and each pair is separated by a double colon like this:


or this:


By default, the afpacket DAQ allocates 128MB for packet memory.  You can change
this with:

    --daq-var buffer_size_mb=<#MB>

Note that the total allocated is actually higher; here's why.  Assuming the
default packet memory with a snaplen of 1518, the numbers break down like this:

* The frame size is 1518 (snaplen) + the size of the AFPacket header (66
  bytes) = 1584 bytes.

* The number of frames is 128 MB / 1518 = 84733.

* The smallest block size that can fit at least one frame is 4 KB = 4096 bytes
  @ 2 frames per block.

* As a result, we need 84733 / 2 = 42366 blocks.

* Actual memory allocated is 42366 * 4 KB = 165.5 MB.

NOTE: Linux kernel version 2.6.31 or higher is required for the AFPacket DAQ
module due to its dependency on both TPACKET v2 and PACKET_TX_RING support.


Albert Lewis
Cisco Systems Inc.
Email: allewi at cisco.com

From: Snort-users <snort-users-bounces at lists.snort.org> on behalf of Lucero Guerrero Flores <lucero.guerrero at ipicyt.edu.mx>
Date: Thursday, March 7, 2019 at 12:56 PM
To: "snort-users at lists.snort.org" <snort-users at lists.snort.org>
Subject: [Snort-users] Snort inline

Dear. Could you help me know how to configure snort ids to snort inline with daq af_packets? I have installed Snort 3 on Ubuntu server 18.04. Thank you.

   TSU. Lucero Guerrero Flores
   Information security analyst

    Instituto Potosino de Investigación Científica y Tecnológica, A.C.

    Camino a la Presa San José 2055, Lomas 4a. secc.

   Ext.2716  Cel. (444)1206676

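The two practical points in the reply above, as an added worked example (this is not code from the DAQ/Snort project or from the reply's author): building and checking the afpacket inline device string (interface pairs separated by a single colon, pairs separated by a double colon), and reproducing the README's packet-memory breakdown for `--daq-var buffer_size_mb`. The interface names used below (eth0 ... eth3) are constructed sample values. One assumption not stated on the page: the block size is taken to be the smallest power of two, no smaller than one 4 KB page, that holds at least one frame; the page only says 4 KB is the smallest block that fits a 1584-byte frame.

```python
"""Added example: afpacket inline device strings and buffer_size_mb accounting.

Not project code. Assumes power-of-two block sizes of at least one 4 KB page
(the README only states the 4 KB figure for the default snaplen).
"""
import re

AFPACKET_HEADER_BYTES = 66   # README breakdown: 1518 (snaplen) + 66 = 1584
DEFAULT_BUFFER_MB = 128      # README default for buffer_size_mb
PAGE_BYTES = 4096            # README: smallest usable block is 4 KB

# Assumed interface-name character set (not specified by the DAQ README).
_IFACE = re.compile(r"^[A-Za-z0-9_.-]+$")


def inline_device_string(pairs):
    """Return the -i argument for inline afpacket, e.g. 'eth0:eth1::eth2:eth3'.

    Each pair is bridged in inline mode, so an interface may appear in only
    one pair and cannot be paired with itself.
    """
    seen = set()
    parts = []
    for pair in pairs:
        if len(pair) != 2:
            raise ValueError(f"expected an interface pair, got {pair!r}")
        a, b = pair
        if a == b:
            raise ValueError(f"cannot pair {a!r} with itself")
        for name in (a, b):
            if not _IFACE.match(name):
                raise ValueError(f"bad interface name {name!r}")
            if name in seen:
                raise ValueError(f"interface {name!r} used in more than one pair")
            seen.add(name)
        parts.append(f"{a}:{b}")
    if not parts:
        raise ValueError("inline mode needs at least one interface pair")
    return "::".join(parts)


def parse_inline_device_string(device):
    """Inverse of inline_device_string: '::' separates pairs, ':' separates members."""
    pairs = []
    for part in device.split("::"):
        members = part.split(":")
        if len(members) != 2 or not all(members):
            raise ValueError(f"pair {part!r} must be exactly two interfaces")
        pairs.append(tuple(members))
    return pairs


def afpacket_memory(buffer_size_mb=DEFAULT_BUFFER_MB, snaplen=1518):
    """Reproduce the README breakdown: frame size, frame count, blocks, bytes allocated."""
    frame_size = snaplen + AFPACKET_HEADER_BYTES
    frames = (buffer_size_mb * 1024 * 1024) // frame_size
    block_size = PAGE_BYTES
    while block_size < frame_size:        # assumption: grow by powers of two
        block_size *= 2
    frames_per_block = block_size // frame_size
    blocks = frames // frames_per_block
    allocated = blocks * block_size
    return {
        "frame_size": frame_size,
        "frames": frames,
        "block_size": block_size,
        "frames_per_block": frames_per_block,
        "blocks": blocks,
        "allocated_bytes": allocated,
        "allocated_mb": round(allocated / (1024 * 1024), 1),
    }


if __name__ == "__main__":
    dev = inline_device_string([("eth0", "eth1"), ("eth2", "eth3")])
    print("./snort --daq afpacket -i", dev)
    for key, value in afpacket_memory().items():
        print(f"{key:>17}: {value}")
```

The frame count divides the 128 MB buffer by the full 1584-byte frame (snaplen plus header), which is what yields the README's 84733 frames, 42366 blocks and 165.5 MB actually allocated; call `afpacket_memory(256)` or pass a different `snaplen` to see how a larger buffer or a jumbo-frame snaplen (which pushes the block size to 8 KB) changes the real allocation before committing to a `--daq-var buffer_size_mb` value on a sensor.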
