Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
[Snort-users] pcap DAQ does not support inline
3,711 views
Skip to first unread message
Joao Daniel Neves
Apr 22, 2013, 11:46:19 AM4/22/13
to
Hi,
I'm getting this error when running Snort in inline mode "ERROR: pcap DAQ does not support inline". I have searched on Google, but did not get any thing usefull. The point is I don't even know why this happening.
What do you suggest ?
Some informations for debugging:
My daq dir is /usr/local/lib/daq
ls /usr/local/lib/daq
daq_afpacket.la
daq_afpacket.so
daq_dump.la
daq_dump.so
daq_ipfw.la
daq_ipfw.so
daq_pcap.la
daq_pcap.so
I tryed to start Snort with
/usr/local/bin/snort -Q -i eth1 --daq-dir /usr/local/lib/daq/ -c /etc/snort/snort.conf
/usr/local/bin/snort -Q -de *--daq nfq* --daq-dir /usr/local/lib/daq -c /etc/snort/snort.conf
/usr/local/bin/snort —daq pcap -Q -c /etc/snort/snort.conf -i eth0:eth1
/usr/local/bin/snort -Q -c /etc/snort/snort.conf -i eth0:eth1
None of them worked.
Some more informations
/usr/lib/libpcap.a
/usr/lib/libpcap.so
/usr/lib/libpcap.so.0
/usr/lib/libpcap.so.0.9
/usr/lib/libpcap.so.0.9.4
/usr/lib/libpcap.so.1
/usr/lib/libpcap.so.1.3.0
/usr/lib64/libpcap.so.0
/usr/lib64/libpcap.so.0.9
/usr/lib64/libpcap.so.0.9.4
/usr/local/lib/libpcap.a
/usr/local/lib/libpcap.so
/usr/local/lib/libpcap.so.1
/usr/local/lib/libpcap.so.1.3.0
/usr/local/lib/daq/daq_pcap.la
/usr/local/lib/daq/daq_pcap.so
Maybe those multiple versions of pcap are causing the error ?
I'm getting this error when running Snort in inline mode "ERROR: pcap DAQ does not support inline". I have searched on Google, but did not get any thing usefull. The point is I don't even know why this happening.
What do you suggest ?
Some informations for debugging:
My daq dir is /usr/local/lib/daq
ls /usr/local/lib/daq
daq_afpacket.la
daq_afpacket.so
daq_dump.la
daq_dump.so
daq_ipfw.la
daq_ipfw.so
daq_pcap.la
daq_pcap.so
I tryed to start Snort with
/usr/local/bin/snort -Q -i eth1 --daq-dir /usr/local/lib/daq/ -c /etc/snort/snort.conf
/usr/local/bin/snort -Q -de *--daq nfq* --daq-dir /usr/local/lib/daq -c /etc/snort/snort.conf
/usr/local/bin/snort —daq pcap -Q -c /etc/snort/snort.conf -i eth0:eth1
/usr/local/bin/snort -Q -c /etc/snort/snort.conf -i eth0:eth1
None of them worked.
Some more informations
/usr/lib/libpcap.a
/usr/lib/libpcap.so
/usr/lib/libpcap.so.0
/usr/lib/libpcap.so.0.9
/usr/lib/libpcap.so.0.9.4
/usr/lib/libpcap.so.1
/usr/lib/libpcap.so.1.3.0
/usr/lib64/libpcap.so.0
/usr/lib64/libpcap.so.0.9
/usr/lib64/libpcap.so.0.9.4
/usr/local/lib/libpcap.a
/usr/local/lib/libpcap.so
/usr/local/lib/libpcap.so.1
/usr/local/lib/libpcap.so.1.3.0
/usr/local/lib/daq/daq_pcap.la
/usr/local/lib/daq/daq_pcap.so
Maybe those multiple versions of pcap are causing the error ?
Y M
Apr 22, 2013, 11:56:45 AM4/22/13
to
pcap does not support inline mode, it is meant for passive mode only. Instead, use afpacket for inline mode.
To make sure it is installed, run Snort as
snort --daq-list
This will return a list of the installed daq modules.
To make sure it is installed, run Snort as
snort --daq-list
This will return a list of the installed daq modules.
From: Joao Daniel Neves
Sent: 4/22/2013 6:47 PM
To: snort...@lists.sourceforge.net
Subject: [Snort-users] pcap DAQ does not support inline
Y M
Apr 24, 2013, 10:20:00 AM4/24/13
to
The two interfaces will be used by Snort, you will need a third interface for management, i.e.: ssh, database, etc.
Also don't forget to set the daq mode, look for --daq-mode
I haven't used ipfw, so i can't add on that.
Please, when you reply, reply to the entire list, everybody benefits :)
Also don't forget to set the daq mode, look for --daq-mode
I haven't used ipfw, so i can't add on that.
Please, when you reply, reply to the entire list, everybody benefits :)
HI,
YM,
/usr/local/bin/snort —daq afpacket -Q -c /etc/snort/snort.conf -i eth0:eth1
I'm using this line to start snort. As I searched afpacket need two interfaces:
"In order to have an inline deployment you need at least one pair of interfaces for the traffic to flow through. To that end, you need to specify a second interface for AFPacket to use to complete the bridge."
But for some reason when I used two interfaces things got weired. I lost SSH acess to snort. I think that the reason is because the traffic flow through one interface to another. Do you have some clues about this issue ?
My avaliable daq modules are
pcap(v3): readback live multi unpriv
ipfw(v2): live inline multi unpriv
dump(v1): readback live inline multi unpriv
afpacket(v4): live inline multi unpriv
With module can I use to enable in line module without needing to specify two interfaces?
I think that it would be ipfw, but as far as I know ipfw is for bsd and I'm not using bsd.
To: joaodani...@hotmail.com; snort...@lists.sourceforge.net
From: sn...@outlook.com
Subject: RE: [Snort-users] pcap DAQ does not support inline
Date: Mon, 22 Apr 2013 18:56:45 +0300
YM,
/usr/local/bin/snort —daq afpacket -Q -c /etc/snort/snort.conf -i eth0:eth1
I'm using this line to start snort. As I searched afpacket need two interfaces:
"In order to have an inline deployment you need at least one pair of interfaces for the traffic to flow through. To that end, you need to specify a second interface for AFPacket to use to complete the bridge."
But for some reason when I used two interfaces things got weired. I lost SSH acess to snort. I think that the reason is because the traffic flow through one interface to another. Do you have some clues about this issue ?
My avaliable daq modules are
pcap(v3): readback live multi unpriv
ipfw(v2): live inline multi unpriv
dump(v1): readback live inline multi unpriv
afpacket(v4): live inline multi unpriv
With module can I use to enable in line module without needing to specify two interfaces?
I think that it would be ipfw, but as far as I know ipfw is for bsd and I'm not using bsd.
To: joaodani...@hotmail.com; snort...@lists.sourceforge.net
From: sn...@outlook.com
Subject: RE: [Snort-users] pcap DAQ does not support inline
Date: Mon, 22 Apr 2013 18:56:45 +0300
------------------------------------------------------------------------------ Precog is a next-generation analytics platform capable of advanced analytics on semi-structured data. The platform includes APIs for building apps and a phenomenal toolset for data
science. Developers can use our toolset for easy data analysis & visualization. Get a free account! http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________ Snort-users mailing list Snort...@lists.sourceforge.net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
_______________________________________________ Snort-users mailing list Snort...@lists.sourceforge.net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Joao Daniel Neves
Apr 24, 2013, 11:56:08 AM4/24/13
to
YM,
But if this pair of interfaces are being used to normal traffic. Example:
But if this pair of interfaces are being used to normal traffic. Example:
/usr/local/bin/snort —daq afpacket -Q -c /etc/snort/snort.conf -i eth0:eth1
if a database is listening on interface eth1, I cant acess this database. I cant acess anything listening on eth0 and eth1.
Will I need and a pair of 'idle' interfaces?
Will I need and a pair of 'idle' interfaces?
Date: Wed, 24 Apr 2013 17:20:00 +0300
Y M
Apr 24, 2013, 12:15:39 PM4/24/13
to
eth0 and eth1 will be used by Snort only to pass traffic inline.
The third interface I mentioned earlier; eth2 will be used for management. In this case you will not be interfering with the traffic.
The third interface I mentioned earlier; eth2 will be used for management. In this case you will not be interfering with the traffic.
Joao Daniel Neves
Apr 24, 2013, 3:11:17 PM4/24/13
to
YM
I'm a bit ashamed. What I cant understand is if I'm running Snort in a router and eth0 and eth1 are been used to route packages, I will not be able to use Snort inline mode with this scenario?
I tried (on a test enviroment) and it doesn't seems to work.
I think I may be doing something wrong.
I'm a bit ashamed. What I cant understand is if I'm running Snort in a router and eth0 and eth1 are been used to route packages, I will not be able to use Snort inline mode with this scenario?
I tried (on a test enviroment) and it doesn't seems to work.
I think I may be doing something wrong.
To: joaodani...@hotmail.com
CC: snort...@lists.sourceforge.net
From: sn...@outlook.com
Subject: RE: [Snort-users] pcap DAQ does not support inline
Date: Wed, 24 Apr 2013 19:15:39 +0300
Michael Altizer
Apr 24, 2013, 3:36:09 PM4/24/13
to
You will not be able to use the
AFPacket DAQ module in that scenario. The AFPacket DAQ module
manually forwards packets completely unmodified back and forth
across an interface pair (or pairs) when it is in inline mode
(unless Snort modifies the packet). This means there will be no
routing decisions, MAC address updates, or TTL drecrements
involved. Also, if you're actively having the OS do the routing
(or bridging), you will end up with duplicate packets being
generated by the box. AFPacket operates on copies of packets
received on a given interface, and may then send out a packet
based on that copy in inline mode if the packet was not dropped,
all of which happens in parallel with any other processing the OS
is doing with the original packet.
------------------------------------------------------------------------------ Try New Relic Now & We'll Send You this Cool Shirt New Relic is the only SaaS-based application performance monitoring service that delivers powerful full stack analytics. Optimize and monitor your browser, app, & servers with just a few lines of code. Try New Relic and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_apr
Joao Daniel Neves
Apr 24, 2013, 3:47:12 PM4/24/13
to
maltizer,
Thank you so much! It was very enlightening.
All inline modes needs a pair of interfaces? What would you suggest on this scenario ?
Date: Wed, 24 Apr 2013 15:36:09 -0400
From: malt...@sourcefire.com
To: snort...@lists.sourceforge.net
Subject: Re: [Snort-users] pcap DAQ does not support inline
Thank you so much! It was very enlightening.
All inline modes needs a pair of interfaces? What would you suggest on this scenario ?
Date: Wed, 24 Apr 2013 15:36:09 -0400
From: malt...@sourcefire.com
To: snort...@lists.sourceforge.net
Subject: Re: [Snort-users] pcap DAQ does not support inline
Michael Altizer
Apr 25, 2013, 12:08:38 PM4/25/13
to
For Linux, your best bet is the NFQ DAQ
module. See the README in the DAQ tarball for pointers on
NFQ/IPTables.
0 new messages