Hello Alfredo,

   Currently what I am doing is running snort to verify the packets, and
if any packets match my snort rules then I am using pfring to drop the
packets (move them to a folder; this is what I mean by "fails to drop") so
that I can perform some analysis on these packets. However, currently I am
able to do so with DAQ but not with PFRING. Is this currently possible
with PFRING? Can you please provide me with some insight into this matter, as
we would like to use this product to finish configuring my system. Any help
you can provide will be extremely appreciated.

Thanks
Evani

On Wed, Sep 23, 2015 at 5:53 PM, Alfredo Cardigliano <[email protected]>
wrote:

> Evani,
> if you run snort in IPS mode (for instance I usually use --daq pfring
> --daq-mode inline -i ethX:ethY), the pfring-daq
> will not forward packets when snort returns a negative verdict; I do not
> know what you mean by "fails to drop".
>
> Alfredo
>
> On 23 Sep 2015, at 14:12, Evani Sitaram <[email protected]> wrote:
>
> Hi Alfredo,
>     Sorry for the trouble. As per your suggestion I tried to configure
> daq_pfring (daq_pfring.so and daq_pfring.la) and snort IPS mode; I was
> only able to capture packets, but snort fails to drop the packets inline.
>
> Command for running Snort in IPS mode (daq_pfring):
>
> snort --daq-dir=/usr/local/lib/daq --daq pfring -i ethX:ethY -e -Q
>
> Thanks And Regards,
> Evani Ram
>
>
>
>
> On Wed, Sep 23, 2015 at 3:39 PM, Alfredo Cardigliano <[email protected]> wrote:
>
>> Hi Evani,
>> as I said, just use our daq in IPS mode.
>>
>> Alfredo
>>
>> On 23 Sep 2015, at 12:01, Evani Sitaram <[email protected]> wrote:
>>
>> Hello Alfredo,
>>     Thank you for the timely reply. I am able to drop the packets using
>> the DAQ module (NFQ) with Snort IPS. For example, if I want to block/drop
>> traffic to a site (facebook, youtube, etc.) I am able to do it with the
>> DAQ (NFQ) module. Now, is there any possibility to drop packets with
>> pf_ring along with Snort IPS?
>>
>>
>> lspci | grep Eth
>>
>> 01:00.0 Ethernet controller: Intel Corporation 82571EB Gigabit Ethernet
>> Controller (rev 06)
>> 01:00.1 Ethernet controller: Intel Corporation 82571EB Gigabit Ethernet
>> Controller (rev 06)
>> 02:00.0 Ethernet controller: Intel Corporation 82571EB Gigabit Ethernet
>> Controller (rev 06)
>> 02:00.1 Ethernet controller: Intel Corporation 82571EB Gigabit Ethernet
>> Controller (rev 06)
>> 04:00.0 Ethernet controller: Qualcomm Atheros Killer E2200 Gigabit
>> Ethernet Controller (rev 13) ( I am not using this last Ethernet Controller)
>>
>> On Wed, Sep 23, 2015 at 1:33 PM, Alfredo Cardigliano <[email protected]> wrote:
>>
>>>
>>> On 23 Sep 2015, at 06:54, Evani Sitaram <[email protected]> wrote:
>>>
>>> Hi,
>>>     I am Evani Ram. I am working on my final year project and I am new
>>> to pf_ring and snort; I have a couple of queries regarding pf_ring.
>>>
>>> 1) Firstly, is it possible to drop packets using pf_ring? If yes, how
>>> do I configure pf_ring in order to drop packets? (Alerting is working in
>>> pf_ring.)
>>>
>>> I am using this command to drop the packets, but it only captures the
>>> packets and logs them. I am using the pf_ring aware driver.
>>>
>>> Command:
>>> /snort/bin/snort -Q -c /snort/etc/snort.conf -d --treat-drop-as-alert
>>> --daq pfring --daq-dir /pfring/lib/daq -l /logs -i eth0:eth1 &
>>>
>>>
>>> Do you mean you want to use it inline, dropping packets? You just need to
>>> run snort in IPS mode using our DAQ module; please take a look at the README.
>>>
>>> 2) Secondly, what is the hardware architecture supported for using
>>> pf_ring, and can you suggest a minimum required configuration for dropping
>>> packets?
>>>
>>>
>>> With standard drivers you can use any NIC; almost all Intel NICs are
>>> also supported in Zero-Copy mode for line rate.
>>>
>>> (I am using an Intel PRO/1000 PT Dual Port NIC card for traffic
>>> flow)
>>>
>>>
>>> Can I see "lspci | grep Eth"?
>>>
>>> Regards
>>> Alfredo
>>>
>>>
>>> Thanks And Regards,
>>> Evani Ram.
>>> _______________________________________________
>>> Ntop-misc mailing list
>>> [email protected]
>>> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>>
>
>
>
>
>
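The settings this thread converges on, as an added example that is not code from the thread or from ntop: a POSIX sh function that lints a Snort command line for what Alfredo names (the pfring DAQ, an ethX:ethY interface pair, inline mode via -Q or --daq-mode inline) and also flags --treat-drop-as-alert from the first command, which makes Snort load drop rules as alert rules, so nothing is dropped even when the DAQ is inline. Interface names and paths in the usage line are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Lint a Snort command line for the
# settings needed for the pfring DAQ to actually drop packets inline.
# Usage: check_snort_inline snort --daq pfring -Q -i eth0:eth1 ...
# Returns 0 when the command looks inline-capable, 1 otherwise, printing
# each missing or conflicting setting (nothing is printed when it passes).
check_snort_inline() {
    daq="" mode="" iface="" inline_flag=0 drop_as_alert=0
    while [ $# -gt 0 ]; do
        case "$1" in
            --daq) daq="$2"; shift ;;
            --daq=*) daq="${1#--daq=}" ;;
            --daq-mode) mode="$2"; shift ;;
            --daq-mode=*) mode="${1#--daq-mode=}" ;;
            -i) iface="$2"; shift ;;
            -Q) inline_flag=1 ;;                 # Snort inline operation
            --treat-drop-as-alert) drop_as_alert=1 ;;
        esac
        shift
    done
    rc=0
    if [ "$daq" != "pfring" ]; then
        echo "missing: --daq pfring (got '${daq:-none}')"; rc=1
    fi
    if [ "$inline_flag" -eq 0 ] && [ "$mode" != "inline" ]; then
        echo "missing: -Q or --daq-mode inline (DAQ would run passive)"; rc=1
    fi
    case "$iface" in
        *:*) ;;   # ethX:ethY pair: the DAQ bridges the two ports
        *) echo "missing: -i ethX:ethY interface pair (got '${iface:-none}')"; rc=1 ;;
    esac
    if [ "$drop_as_alert" -eq 1 ]; then
        echo "conflict: --treat-drop-as-alert turns drop rules into alert rules"; rc=1
    fi
    return $rc
}

# Assumed interfaces and config path; the first call passes, the second
# reproduces the earliest command from the thread and reports why it only logs.
check_snort_inline snort --daq pfring -Q -i eth0:eth1 -c /etc/snort.conf \
    && echo "inline-capable"
check_snort_inline snort -Q -c /etc/snort.conf --treat-drop-as-alert \
    --daq pfring -i eth0:eth1 || echo "not inline-capable"
```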
