Evani
if you run snort in ips mode (for instance I usually use --daq pfring --daq-mode inline -i ethX:ethY), the pfring-daq will not forward packets when snort returns a negative verdict, I do not know what you mean by “fails to drop”.
Alfredo

> On 23 Sep 2015, at 14:12, Evani Sitaram <[email protected]> wrote:
>
> Hi Alfredo,
> Sorry for the trouble. As per your suggestion I tried to configure
> daq_pfring (daq_pfring.so and daq_pfring.la) and
> snort IPS mode; I was only able to capture packets but snort fails to drop the
> packets inline.
>
> Command for running Snort in IPS mode (daq_pfring):
>
> snort --daq-dir=/usr/local/lib/daq --daq pfring -i ethX:ethY -e -Q
>
> Thanks And Regards,
> Evani Ram
>
> On Wed, Sep 23, 2015 at 3:39 PM, Alfredo Cardigliano <[email protected]> wrote:
> Hi Evani
> as I said just use our daq in ips mode.
>
> Alfredo
>
>> On 23 Sep 2015, at 12:01, Evani Sitaram <[email protected]> wrote:
>>
>> Hello Alfredo,
>> Thank you for the timely reply, I am able to drop the packets using the DAQ
>> module (NFQ) with Snort IPS. For example, if I want to block/drop traffic
>> to a site (facebook, youtube, etc.) I am able to do it with the DAQ (NFQ)
>> module. Now, is there any possibility to drop packets with pf_ring along
>> with Snort IPS?
>>
>> lspci | grep Eth
>>
>> 01:00.0 Ethernet controller: Intel Corporation 82571EB Gigabit Ethernet Controller (rev 06)
>> 01:00.1 Ethernet controller: Intel Corporation 82571EB Gigabit Ethernet Controller (rev 06)
>> 02:00.0 Ethernet controller: Intel Corporation 82571EB Gigabit Ethernet Controller (rev 06)
>> 02:00.1 Ethernet controller: Intel Corporation 82571EB Gigabit Ethernet Controller (rev 06)
>> 04:00.0 Ethernet controller: Qualcomm Atheros Killer E2200 Gigabit Ethernet Controller (rev 13) (I am not using this last Ethernet Controller)
>>
>> On Wed, Sep 23, 2015 at 1:33 PM, Alfredo Cardigliano <[email protected]> wrote:
>>
>>> On 23 Sep 2015, at 06:54, Evani Sitaram <[email protected]> wrote:
>>>
>>> Hi,
>>> I am Evani Ram, I am working on my final year project and I am new to
>>> pf_ring and snort; I have a couple of queries regarding pf_ring.
>>>
>>> 1) Firstly, is it possible to drop packets using pf_ring? If yes, how to
>>> configure pf_ring in order to drop packets? (alert is working in pf_ring)
>>>
>>> I am using this command to drop the packets but it only captures the
>>> packets and logs them. I am using the pf_ring aware driver.
>>>
>>> Command:
>>> /snort/bin/snort -Q -c /snort/etc/snort.conf -d --treat-drop-as-alert --daq pfring --daq-dir /pfring/lib/daq -l /logs -i eth0:eth1 &
>>
>> Do you mean you want to use it inline dropping packets? You just need to run
>> snort in IPS mode using our DAQ module, please take a look at the README
>>
>>> 2) Secondly, what is the hardware architecture supported for using pf_ring
>>> and can you suggest a minimum required configuration for dropping packets?
>>
>> With standard drivers you can use any NIC, almost all Intel NICs are also
>> supported in Zero-Copy mode for line-rate.
>>
>>> (I am using an Intel PRO/1000 PT DUAL PORT NIC card for traffic flow)
>>
>> Can I see "lspci | grep Eth"?
>>
>> Regards
>> Alfredo
>>
>>> Thanks And Regards,
>>> Evani Ram.
_______________________________________________ Ntop-misc mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop-misc
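The three snort invocations quoted in this thread differ in exactly the switches that decide whether a drop verdict can ever reach the DAQ: inline mode (`-Q` or `--daq-mode inline`), the pfring DAQ, a rules configuration (`-c`, without which no drop rules are loaded), `--treat-drop-as-alert` (which turns drop rules into alerts, so nothing is dropped even though inline mode is on), and an interface pair `ethX:ethY`. The function below, an added example that is not from the thread or from ntop, checks a snort command line as a string against those points and lists what would keep it from dropping; it is a textual pre-flight check only and does not run snort, and the colon test for the interface pair is deliberately loose.

```shell
#!/bin/sh
# check_snort_inline: report command-line settings that prevent snort from
# dropping packets inline with the pfring DAQ. Added example, not ntop code.
# Usage: check_snort_inline "<full snort command line>"
# Prints "ok" or a space-separated list of problems.
check_snort_inline() {
  cmd=" $1 "          # pad so every switch is surrounded by spaces
  problems=""

  # Inline mode: -Q is the short form of --daq-mode inline.
  case "$cmd" in
    *" -Q "*|*" --daq-mode inline "*) ;;
    *) problems="${problems}${problems:+ }no-inline-mode" ;;
  esac

  # The pfring DAQ is the module that honours the negative verdict.
  case "$cmd" in
    *" --daq pfring "*) ;;
    *) problems="${problems}${problems:+ }daq-not-pfring" ;;
  esac

  # Without -c no snort.conf, hence no drop rules, is loaded: snort only
  # captures and logs, which matches the symptom reported in the thread.
  case "$cmd" in
    *" -c "*) ;;
    *) problems="${problems}${problems:+ }no-rules-config" ;;
  esac

  # --treat-drop-as-alert converts drop rules into alert rules, so packets
  # are never dropped even in inline mode.
  case "$cmd" in
    *" --treat-drop-as-alert "*) problems="${problems}${problems:+ }treat-drop-as-alert" ;;
  esac

  # Inline pfring needs an interface pair ethX:ethY (loose check: -i followed
  # by a colon somewhere later on the line).
  case "$cmd" in
    *" -i "*:*) ;;
    *) problems="${problems}${problems:+ }no-interface-pair" ;;
  esac

  printf '%s\n' "${problems:-ok}"
}

# Constructed sample invocations for a stand-alone run.
check_snort_inline '/snort/bin/snort -Q -c /snort/etc/snort.conf -d --treat-drop-as-alert --daq pfring --daq-dir /pfring/lib/daq -l /logs -i eth0:eth1'
check_snort_inline 'snort --daq-dir=/usr/local/lib/daq --daq pfring -i ethX:ethY -e -Q'
check_snort_inline 'snort -c /etc/snort/snort.conf --daq pfring --daq-mode inline -i eth0:eth1'
```

Run against the two command lines from the thread, the first reports only treat-drop-as-alert and the second only no-rules-config; a line that carries -c, --daq pfring, inline mode and an interface pair reports ok, at which point any remaining "no drop" symptom is a rules or verdict question rather than a command-line one.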
