Hi Evani
“Pkts Drop” are packets lost on the capture side due to weak processing power, thus the fact it is 0 is good. You should look at “Verdicts:”, the “Block” item. Those are packets discarded because they are bad packets.
Alfredo

> On 28 Sep 2015, at 09:24, Evani Sitaram <[email protected]> wrote:
>
> Hello Alfredo,
> As per your suggestion, I have executed the snort command with daq-pfring. I'm getting the following results, but the packets are not being dropped (Pkts Drop: 0).
>
> Command :
> snort --daq-dir=/usr/local/lib/daq --daq pfring -c /etc/snort.conf -i ethX:ethY -e -Q
>
> Snort Realtime Performance
> --------------------------
> Pkts Recv: 18707
> Pkts Drop: 0
> % Dropped: 0.000%
> Block Verdict: 1409
> Injected: 0
> Pkts Filtered TCP: 0
> Pkts Filtered UDP: 0
>
> my snort rule is :
>
> drop tcp any any -> any any ( content : "facebook" ; msg : "Facebook is Blocked" ; sid : 200001 ; rev : 1;react:block;).
>
> I am attaching a screenshot of the log data. Kindly review it. Any help you can provide will be extremely appreciated.
>
> Action Stats :
> Alerts : 22( 0.047%)
> Logged : 22( 0.047%)
> Passed : 22( 0.047%)
>
> Limits :
> Match : 0
> Queue : 0
> Log : 4
> Event : 0
> Alert : 0
>
> Verdicts :
> Allow : 36191 (76.891%)
> Block : 4534 (9.633%)
> Replace : 0
> Whitelist: 599(1.273%)
> Blackllist: 5744(12.204%)
>
> Thanks,
> Evani Ram
>
> On Thu, Sep 24, 2015 at 9:52 AM, Evani Sitaram <[email protected]> wrote:
> Hello Alfredo,
>
> Currently what I am doing is running snort to verify the packets, and if any packets match my snort rules then I am using pfring to drop the packets (move them to a folder; this is what I mean by "fails to drop") so that I can perform some analysis on these packets. However, currently I am able to do so with DAQ but not with PFRING. Is this currently possible with PFRING? Can you please provide me with some insight in this matter, as we would like to use this product to finish configuring my system. Any help you can provide will be extremely appreciated.
>
> Thanks
> Evani
>
> On Wed, Sep 23, 2015 at 5:53 PM, Alfredo Cardigliano <[email protected]> wrote:
> Evani
> if you run snort in ips mode (for instance I usually use --daq pfring --daq-mode inline -i ethX:ethY), the pfring-daq will not forward packets when snort returns a negative verdict, I do not know what you mean with “fails to drop”.
>
> Alfredo
>
>> On 23 Sep 2015, at 14:12, Evani Sitaram <[email protected]> wrote:
>>
>> Hi Alfredo,
>> Sorry for the trouble. As per your suggestion I tried to configure daq_pfring (daq_pfring.so and daq_pfring.la) and snort IPS mode; I was only able to capture packets, but snort fails to drop the packets inline.
>>
>> Command for running Snort in IPS mode (daq_pfring) :
>>
>> snort --daq-dir=/usr/local/lib/daq --daq pfring -i ethX:ethY -e -Q
>>
>> Thanks And Regards,
>> Evani Ram
>>
>> On Wed, Sep 23, 2015 at 3:39 PM, Alfredo Cardigliano <[email protected]> wrote:
>> Hi Evani
>> as I said just use our daq in ips mode.
>>
>> Alfredo
>>
>>> On 23 Sep 2015, at 12:01, Evani Sitaram <[email protected]> wrote:
>>>
>>> Hello Alfredo,
>>> Thank you for the timely reply. I am able to drop the packets using the DAQ module (NFQ) with Snort IPS. For example, if I want to block/drop traffic to a site (facebook, youtube, etc.) I am able to do it with the DAQ (NFQ) module. Now, is there any possibility to drop packets with pf_ring along with Snort IPS?
>>>
>>> lspci | grep Eth
>>>
>>> 01:00.0 Ethernet controller: Intel Corporation 82571EB Gigabit Ethernet Controller (rev 06)
>>> 01:00.1 Ethernet controller: Intel Corporation 82571EB Gigabit Ethernet Controller (rev 06)
>>> 02:00.0 Ethernet controller: Intel Corporation 82571EB Gigabit Ethernet Controller (rev 06)
>>> 02:00.1 Ethernet controller: Intel Corporation 82571EB Gigabit Ethernet Controller (rev 06)
>>> 04:00.0 Ethernet controller: Qualcomm Atheros Killer E2200 Gigabit Ethernet Controller (rev 13) (I am not using this last Ethernet Controller)
>>>
>>> On Wed, Sep 23, 2015 at 1:33 PM, Alfredo Cardigliano <[email protected]> wrote:
>>>
>>>> On 23 Sep 2015, at 06:54, Evani Sitaram <[email protected]> wrote:
>>>>
>>>> Hi,
>>>> I am Evani Ram. I am working on my final year project and I am new to pf_ring and snort; I have a couple of queries regarding pf_ring.
>>>>
>>>> 1) Firstly, is it possible to drop packets using pf_ring? If yes, how to configure pf_ring in order to drop packets. (alert is working in pf_ring)
>>>>
>>>> I am using this command to drop the packets, but it only captures the packets and logs them. I am using the pf_ring aware driver.
>>>>
>>>> Command :
>>>> /snort/bin/snort -Q -c /snort/etc/snort.conf -d --treat-drop-as-alert --daq pfring --daq-dir /pfring/lib/daq -l /logs -i eth0:eth1 &
>>>
>>> Do you mean you want to use it inline dropping packets? You just need to run snort in IPS mode using our DAQ module, please take a look at the README
>>>
>>>> 2) Secondly, what is the hardware architecture supported for using pf_ring, and can you suggest the minimum required configuration for dropping packets?
>>>
>>> With standard drivers you can use any NIC, almost all Intel NICs are also supported in Zero-Copy mode for line-rate.
>>>
>>>> (I am using an Intel PRO/1000 PT DUAL PORT NIC card for traffic flow)
>>>
>>> Can I see "lspci | grep Eth"?
>>>
>>> Regards
>>> Alfredo
>>>
>>>> Thanks And Regards,
>>>> Evani Ram.
_______________________________________________
Ntop-misc mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
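The distinction Alfredo draws above, "Pkts Drop" (capture-side loss, a sensor that cannot keep up) versus the "Block" verdict (packets Snort itself refused), as an added example that is not from this thread or from the ntop or Snort projects: a small Python parser for the statistics block Evani pasted, fed the page's own numbers with the mail quoting left in. The function names and the 1% loss tolerance are assumptions.

```python
import re

# Statistics block as Evani pasted it (quoted program output from the page, ">" quoting kept).
SAMPLE_STATS = """\
> Snort Realtime Performance
> Pkts Recv: 18707
> Pkts Drop: 0
> % Dropped: 0.000%
> Block Verdict: 1409
>
> Verdicts :
> Allow : 36191 (76.891%)
> Block : 4534 (9.633%)
> Replace : 0
> Whitelist: 599(1.273%)
> Blackllist: 5744(12.204%)
"""

LINE_RE = re.compile(r"^([A-Za-z% ]+?)\s*:\s*([\d.]+)")  # 'Label : number', '(x%)' ignored
HEADER_RE = re.compile(r"^([A-Za-z ]+?)\s*:\s*$")        # bare 'Label :' opens a section

def parse_snort_stats(text):
    """Return {section: {label: number}}; lines before the first header go to 'Performance'."""
    sections, current = {}, "Performance"
    for raw in text.splitlines():
        line = re.sub(r"^[>\s]+", "", raw)  # strip e-mail quoting and indentation
        m = LINE_RE.match(line)
        if m:
            label, value = m.group(1).strip(), m.group(2)
            sections.setdefault(current, {})[label] = float(value) if "." in value else int(value)
        elif HEADER_RE.match(line):
            current = HEADER_RE.match(line).group(1).strip()
    return sections

def assess(sections, max_capture_loss_pct=1.0):
    """Separate capture-side loss (Pkts Drop: the sensor could not keep up) from packets
    Snort refused (Block verdict). The 1% tolerance is an assumed operational threshold."""
    perf, verdicts = sections.get("Performance", {}), sections.get("Verdicts", {})
    recv, drop = perf.get("Pkts Recv", 0), perf.get("Pkts Drop", 0)
    loss_pct = 100.0 * drop / (recv + drop) if recv + drop else 0.0
    total = sum(verdicts.values())
    blocked = verdicts.get("Block", 0)
    return {
        "capture_loss_pct": round(loss_pct, 3),
        "capture_ok": loss_pct <= max_capture_loss_pct,  # False: fix CPU/driver, not rules
        "blocked": blocked,
        "block_pct": round(100.0 * blocked / total, 3) if total else 0.0,
        "inline_dropping": blocked > 0,  # True: the inline DAQ is really discarding packets
    }
```

For Evani's numbers this reports zero capture loss and 4534 blocked packets (9.633% of verdicts), i.e. the inline DAQ is dropping exactly as the rule asks.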
