Hi Alfredo,
Sorry for the trouble. As per your suggestion I tried to configure
daq_pfring (daq_pfring.so and daq_pfring.la) and snort IPS mode; I was only
able to capture packets but snort fails to drop the packets inline.
Command for running Snort in IPS mode (daq_pfring) :
*snort --daq-dir=/usr/local/lib/daq --daq pfring -i ethX:ethY -e -Q*
Thanks And Regards,
Evani Ram
On Wed, Sep 23, 2015 at 3:39 PM, Alfredo Cardigliano <[email protected]>
wrote:
> Hi Evani
> as I said just use our daq in ips mode.
>
> Alfredo
>
> On 23 Sep 2015, at 12:01, Evani Sitaram <[email protected]> wrote:
>
> Hello Alfredo,
> Thank you for the timely reply. I am able to drop the packets using
> DAQ module (NFQ) with Snort IPS. For example, if I want to block/drop
> traffic to a site (facebook, youtube, etc.) I am able to do it with
> DAQ (NFQ) module. Now, is there any possibility to drop packets with
> pf_ring along with Snort IPS?
>
>
> lspci | grep Eth
>
> 01:00.0 Ethernet controller: Intel Corporation 82571EB Gigabit Ethernet
> Controller (rev 06)
> 01:00.1 Ethernet controller: Intel Corporation 82571EB Gigabit Ethernet
> Controller (rev 06)
> 02:00.0 Ethernet controller: Intel Corporation 82571EB Gigabit Ethernet
> Controller (rev 06)
> 02:00.1 Ethernet controller: Intel Corporation 82571EB Gigabit Ethernet
> Controller (rev 06)
> 04:00.0 Ethernet controller: Qualcomm Atheros Killer E2200 Gigabit
> Ethernet Controller (rev 13) ( I am not using this last Ethernet Controller)
>
> On Wed, Sep 23, 2015 at 1:33 PM, Alfredo Cardigliano <[email protected]
> > wrote:
>
>>
>> On 23 Sep 2015, at 06:54, Evani Sitaram <[email protected]> wrote:
>>
>> Hi,
>> I am Evani Ram. I am working on my final year project and I am new to
>> pf_ring and snort. I have a couple of queries regarding pf_ring.
>>
>> 1) Firstly, is it possible to drop packets using pf_ring? If yes, how
>> to configure pf_ring in order to drop packets? (Alert is working in
>> pf_ring.)
>>
>> I am using this command to drop the packets but it is only capturing the
>> packets and logging. I am using a pf_ring aware driver.
>>
>> Command :
>> * /snort/bin/snort -Q -c /snort/etc/snort.conf -d --treat-drop-as-alert
>> --daq pfring --daq-dir /pfring/lib/daq -l /logs -i eth0:eth1 &*
>>
>>
>> Do you mean you want to use it inline dropping packets? You just need to
>> run snort in IPS mode using our DAQ module, please take a look at the README
>>
>> 2) Secondly, what is the hardware architecture supported for using
>> pf_ring and can you suggest minimum required configuration for dropping
>> packets.
>>
>>
>> With standard drivers you can use any NIC, almost all Intel NICs are also
>> supported in Zero-Copy mode for line-rate.
>>
>> (I am using an *Intel PRO /1000 PT DUAL PORT* NIC card for traffic
>> flow)
>>
>>
>> Can I see "lspci | grep Eth"?
>>
>> Regards
>> Alfredo
>>
>>
>> Thanks And Regards,
>> Evani Ram.
>> _______________________________________________
>> Ntop-misc mailing list
>> [email protected]
>> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
>>