I did at runtime with switches:
snort -c /opt/snort-2.9.4.1/etc/snort.conf -D -y -i p1p1 --daq-dir /usr/local/lib/daq --daq pfring --daq-var clusterid=10 --daq-mode passive
I was just about to post back, I unloaded all the kernel modules,
rebooted, recompiled and reloaded the modules and something is finally
working. Now I just have to work out how to cluster Snort on pfring
properly, but that is outside the scope of these threads.
Thanks for all the quick replies and help, if I figure out what did it I
will provide back the information, since I have to go through this setup
a few more times.
On 03/19/2013 02:12 PM, Justin Azoff wrote:
> On Tue, Mar 19, 2013 at 01:44:31PM -0500, Ryan wrote:
> > The pf_ring daq is also using the libpcap out of the
> > PF_RING/userland/libpcap.
> > # ldd /usr/local/lib/daq/daq_pfring.so
> > linux-vdso.so.1 => (0x00007fff197bf000)
> > libsfbpf.so.0 => /usr/local/lib/libsfbpf.so.0 (0x00007fee9344e000)
> > libpcap.so.1 => /usr/local/lib/libpcap.so.1 (0x00007fee931f8000)
> > libpfring.so => /usr/local/lib/libpfring.so (0x00007fee92fd3000)
> > libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fee92db1000)
> > libc.so.6 => /lib64/libc.so.6 (0x00007fee92a1d000)
> > /lib64/ld-linux-x86-64.so.2 (0x00007fee93878000)
> > There was someone encountering similar issues to me in the list, see
> > this archive on Gossamer Threads:
> > http://www.gossamer-threads.com/lists/ntop/misc/29722?do=post_view_threaded
> > Unfortunately he never replied with his fix.
> > Everything has officially been recompiled and double checked on
> > using the right libpcap. I'm at a loss at this point.
> > Thanks for the help so far!
> Did you reconfigure snort to use the pf_ring DAQ module?
> config daq: pfring
> config daq_var: clusterid=10
_______________________________________________
Ntop-misc mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-misc