Hello Alfredo,
As per your suggestion, I have executed the snort command with
daq-pfring; I'm getting the following results, but the packets are not
being dropped (Pkts Drop: 0).
Command:
snort --daq-dir=/usr/local/lib/daq --daq pfring -c /etc/snort.conf -i ethX:ethY -e -Q
Snort Realtime Performance
--------------------------
Pkts Recv: 18707
Pkts Drop: 0
% Dropped: 0.000%
Block Verdict: 1409
Injected: 0
Pkts Filtered TCP: 0
Pkts Filtered UDP: 0
My snort rule is:
drop tcp any any -> any any (content:"facebook"; msg:"Facebook is Blocked"; sid:200001; rev:1; react:block;)
I am attaching a screenshot of the log data; kindly review it. Any help you
can provide will be extremely appreciated.
Action Stats :
Alerts : 22( 0.047%)
Logged : 22( 0.047%)
Passed : 22( 0.047%)
Limits :
Match : 0
Queue : 0
Log : 4
Event : 0
Alert : 0
Verdicts :
Allow : 36191 (76.891%)
Block : 4534 (9.633%)
Replace : 0
Whitelist: 599 (1.273%)
Blacklist: 5744 (12.204%)
Thanks,
Evani Ram
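The thread turns on what Snort's Pkts Drop counter measures. In Snort's statistics, Pkts Drop (and % Dropped) counts packets that the capture layer, here the PF_RING DAQ, lost before Snort inspected them; packets rejected because a rule returned a drop verdict show up as Block Verdict in the perfmon output and as Block under Verdicts (Blacklist verdicts also stop a flow). The Python script below is an added example written for this page, not code from the ntop project, from Snort or from the poster: it parses the two summary blocks quoted above into named counters and reports whether rule-driven blocking is active and whether the capture layer is losing packets. The summary text is constructed from the figures quoted in the mail, and a second constructed sample shows the case where nothing is being blocked.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample modelled on the Snort summary quoted in this thread; it is
# not a capture from the poster's system. The perfmon counters and the
# end-of-run "Action Stats"/"Verdicts" block are concatenated as in the mail.
SAMPLE_INLINE = """\
Snort Realtime Performance
--------------------------
Pkts Recv: 18707
Pkts Drop: 0
% Dropped: 0.000%
Block Verdict: 1409
Injected: 0
Action Stats :
Alerts : 22( 0.047%)
Logged : 22( 0.047%)
Verdicts :
Allow : 36191 (76.891%)
Block : 4534 (9.633%)
Replace : 0
Whitelist: 599(1.273%)
Blacklist: 5744(12.204%)
"""

# Constructed counter-example: the capture layer lost packets and no rule ever
# produced a Block verdict (for instance -Q without an inline DAQ mode, or the
# drop rule not loaded at all).
SAMPLE_NOT_BLOCKING = """\
Pkts Recv: 18707
Pkts Drop: 120
% Dropped: 0.641%
Block Verdict: 0
Verdicts :
Allow : 18587 (100.000%)
Block : 0
Blacklist: 0
"""

# "Name : 123 (pct%)" -> name and the leading integer. Percentage-only lines
# such as "% Dropped: 0.000%" and section headers such as "Verdicts :" are
# skipped because they carry no integer counter.
COUNTER_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z ]*?)\s*:\s*(?P<value>\d+)")


def parse_snort_summary(text: str) -> Dict[str, int]:
    """Map lower-cased counter names ("pkts drop", "block", ...) to integers."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            key = " ".join(m.group("key").split()).lower()
            counters[key] = int(m.group("value"))
    return counters


@dataclass
class InlineAssessment:
    received: int
    capture_dropped: int       # lost by the DAQ/NIC ring before inspection
    blocked: int               # rejected by rule verdicts (Block)
    blacklisted: int           # flows Snort told the DAQ to block outright
    capture_drop_pct: float
    blocking_active: bool
    notes: List[str] = field(default_factory=list)


def assess_inline(counters: Dict[str, int]) -> InlineAssessment:
    """Separate capture loss (Pkts Drop) from rule-driven blocking (Block)."""
    received = counters.get("pkts recv", 0)
    capture_dropped = counters.get("pkts drop", 0)
    # Prefer the end-of-run Verdicts figure; fall back to the perfmon counter.
    blocked = counters.get("block", counters.get("block verdict", 0))
    blacklisted = counters.get("blacklist", 0)
    pct = 100.0 * capture_dropped / received if received else 0.0
    blocking_active = (blocked + blacklisted) > 0
    notes = []
    if blocking_active:
        notes.append("rule verdicts are blocking traffic (Block/Blacklist > 0)")
    else:
        notes.append("no Block verdicts: check that -Q is paired with an inline "
                     "DAQ mode and that the drop rule is loaded")
    if capture_dropped:
        notes.append("capture layer lost %.3f%% of packets; Pkts Drop measures "
                     "capture loss, not blocking" % pct)
    return InlineAssessment(received, capture_dropped, blocked, blacklisted,
                            pct, blocking_active, notes)


if __name__ == "__main__":
    for label, text in (("inline", SAMPLE_INLINE),
                        ("not blocking", SAMPLE_NOT_BLOCKING)):
        print(label, assess_inline(parse_snort_summary(text)))
```

Run against the figures from the thread, the first sample reports blocking as active (4534 Block and 5744 Blacklist verdicts) with zero capture loss, which is the expected picture for a working inline sensor; the second sample shows the opposite failure mode, where Pkts Drop is non-zero but no verdict ever blocked anything.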
On Mon, Sep 28, 2015 at 12:42 PM, Evani Sitaram <[email protected]>
wrote:
> Hello Alfredo,
> As per your suggestion, I have executed the snort command with
> daq-pfring; I'm getting the following results, but the packets are not
> being dropped (Pkts Drop: 0).
>
> Command:
> snort --daq-dir=/usr/local/lib/daq --daq pfring -c /etc/snort.conf -i ethX:ethY -e -Q
>
> Snort Realtime Performance
> --------------------------
> Pkts Recv: 18707
> Pkts Drop: 0
> % Dropped: 0.000%
> Block Verdict: 1409
> Injected: 0
> Pkts Filtered TCP: 0
> Pkts Filtered UDP: 0
>
>
> My snort rule is:
>
> drop tcp any any -> any any (content:"facebook"; msg:"Facebook is Blocked"; sid:200001; rev:1; react:block;)
>
> I am attaching a screenshot of the log data; kindly review it. Any help
> you can provide will be extremely appreciated.
>
>
> Thanks,
> Evani Ram
>
> On Mon, Sep 28, 2015 at 12:36 PM, Evani Sitaram <[email protected]>
> wrote:
>
>> Hello Alfredo,
>> As per your suggestion, I have executed the snort command with
>> daq-pfring; I'm getting the following results, but the packets are not
>> being dropped (Pkts Drop: 0).
>>
>> Command:
>> snort --daq-dir=/usr/local/lib/daq --daq pfring -c /etc/snort.conf -i ethX:ethY -e -Q
>>
>> Snort Realtime Performance
>> --------------------------
>> Pkts Recv: 18707
>> Pkts Drop: 0
>> % Dropped: 0.000%
>> Block Verdict: 1409
>> Injected: 0
>> Pkts Filtered TCP: 0
>> Pkts Filtered UDP: 0
>>
>>
>> My snort rule is:
>>
>> drop tcp any any -> any any (content:"facebook"; msg:"Facebook is Blocked"; sid:200001; rev:1; react:block;)
>>
>> I am attaching a screenshot of the log data; kindly review it. Any help
>> you can provide will be extremely appreciated.
>>
>>
>> Thanks,
>> Evani Ram
>>
>> On Thu, Sep 24, 2015 at 9:52 AM, Evani Sitaram <[email protected]>
>> wrote:
>>
>>> Hello Alfredo,
>>>
>>> Currently what I am doing is running snort to verify the packets,
>>> and if any packets match my snort rules then I am using pfring to drop
>>> the packets (move them to a folder; this is what I mean by "fails to drop") so
>>> that I can perform some analysis on these packets. However, currently I am
>>> able to do so with DAQ but not with PFRING. Is this currently possible
>>> with PFRING? Can you please provide me with some insight in this matter, as
>>> we would like to use this product to finish configuring my system. Any help
>>> you can provide will be extremely appreciated.
>>>
>>> Thanks
>>> Evani
>>>
>>> On Wed, Sep 23, 2015 at 5:53 PM, Alfredo Cardigliano <
>>> [email protected]> wrote:
>>>
>>>> Evani
>>>> if you run snort in IPS mode (for instance I usually use --daq pfring
>>>> --daq-mode inline -i ethX:ethY), the pfring-daq
>>>> will not forward packets when snort returns a negative verdict; I do
>>>> not know what you mean by “fails to drop”.
>>>>
>>>> Alfredo
>>>>
>>>> On 23 Sep 2015, at 14:12, Evani Sitaram <[email protected]> wrote:
>>>>
>>>> Hi Alfredo,
>>>> Sorry for the trouble. As per your suggestion I tried to configure
>>>> daq_pfring (daq_pfring.so and daq_pfring.la) and snort IPS mode; I was
>>>> only able to capture packets, but snort fails to drop the packets inline.
>>>>
>>>> Command for running Snort in IPS mode (daq_pfring):
>>>>
>>>> snort --daq-dir=/usr/local/lib/daq --daq pfring -i ethX:ethY -e -Q
>>>>
>>>> Thanks And Regards,
>>>> Evani Ram
>>>>
>>>>
>>>>
>>>>
>>>> On Wed, Sep 23, 2015 at 3:39 PM, Alfredo Cardigliano <
>>>> [email protected]> wrote:
>>>>
>>>>> Hi Evani,
>>>>> as I said, just use our DAQ in IPS mode.
>>>>>
>>>>> Alfredo
>>>>>
>>>>> On 23 Sep 2015, at 12:01, Evani Sitaram <[email protected]> wrote:
>>>>>
>>>>> Hello Alfredo,
>>>>> Thank you for the timely reply. I am able to drop the packets
>>>>> using the DAQ module (NFQ) with Snort IPS. For example, if I want to
>>>>> block/drop traffic to a site (facebook, youtube, etc.) I am able to do it
>>>>> with the DAQ (NFQ) module. Now, is there any possibility to drop packets
>>>>> with pf_ring along with Snort IPS?
>>>>>
>>>>>
>>>>> lspci | grep Eth
>>>>>
>>>>> 01:00.0 Ethernet controller: Intel Corporation 82571EB Gigabit Ethernet Controller (rev 06)
>>>>> 01:00.1 Ethernet controller: Intel Corporation 82571EB Gigabit Ethernet Controller (rev 06)
>>>>> 02:00.0 Ethernet controller: Intel Corporation 82571EB Gigabit Ethernet Controller (rev 06)
>>>>> 02:00.1 Ethernet controller: Intel Corporation 82571EB Gigabit Ethernet Controller (rev 06)
>>>>> 04:00.0 Ethernet controller: Qualcomm Atheros Killer E2200 Gigabit Ethernet Controller (rev 13)
>>>>> (I am not using this last Ethernet Controller)
>>>>>
>>>>> On Wed, Sep 23, 2015 at 1:33 PM, Alfredo Cardigliano <
>>>>> [email protected]> wrote:
>>>>>
>>>>>>
>>>>>> On 23 Sep 2015, at 06:54, Evani Sitaram <[email protected]> wrote:
>>>>>>
>>>>>> Hi,
>>>>>> I am Evani Ram, I am working on my final year project and I am
>>>>>> new to pf_ring and snort; I have a couple of queries regarding pf_ring.
>>>>>>
>>>>>> 1) Firstly, is it possible to drop packets using pf_ring? If yes,
>>>>>> how do I configure pf_ring in order to drop packets? (Alert is working in
>>>>>> pf_ring.)
>>>>>>
>>>>>> I am using this command to drop the packets, but it only captures the
>>>>>> packets and logs them. I am using a pf_ring aware driver.
>>>>>>
>>>>>> Command:
>>>>>> /snort/bin/snort -Q -c /snort/etc/snort.conf -d --treat-drop-as-alert --daq pfring --daq-dir /pfring/lib/daq -l /logs -i eth0:eth1 &
>>>>>>
>>>>>>
>>>>>> Do you mean you want to use it inline, dropping packets? You just need
>>>>>> to run snort in IPS mode using our DAQ module; please take a look at the
>>>>>> README.
>>>>>>
>>>>>> 2) Secondly, what hardware architecture is supported for using
>>>>>> pf_ring, and can you suggest the minimum required configuration for dropping
>>>>>> packets?
>>>>>>
>>>>>>
>>>>>> With standard drivers you can use any NIC; almost all Intel NICs are
>>>>>> also supported in Zero-Copy mode for line rate.
>>>>>>
>>>>>> (I am using an Intel PRO/1000 PT DUAL PORT NIC card for
>>>>>> traffic flow)
>>>>>>
>>>>>>
>>>>>> Can I see "lspci | grep Eth"?
>>>>>>
>>>>>> Regards
>>>>>> Alfredo
>>>>>>
>>>>>>
>>>>>> Thanks And Regards,
>>>>>> Evani Ram.
>>>>>> _______________________________________________
>>>>>> Ntop-misc mailing list
>>>>>> [email protected]
>>>>>> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>
>