I'm trying to get Snort to work with PF_RING in inline mode.
So I do
modprobe pf_ring enable_tx_capture=0 transparent_mode=1 min_num_slots=16384
snort -c /etc/snort/snort.conf -y -i rt1:rt3 --daq-dir /usr/local/lib/daq --daq pfring --daq-var clusterid=10,11 --daq-mode inline -Q
And everything seems to start fine.
pfring DAQ configured to inline.
rt1 <-> rt3
Acquiring network traffic from "rt1:rt3".
Reload thread starting...
Reload thread started, thread 0x7f8a2bd7b700 (2348)
I've then made an ICMP drop rule to test the IPS filtering.
I see the rule hitting
11/08/13-10:44:23.168517 [Drop] [**] [1:10000001:12] ICMP test [**] [Priority: 0] {ICMP} 94.231.111.148 -> 94.231.111.149
But the ICMP packet is not getting filtered.
If I do
cat /proc/net/pf_ring/2965-rt1.53
Bound Device(s) : rt1
Active : 1
Breed : Non-DNA
Sampling Rate : 1
Capture Direction : RX only
Socket Mode : RX+TX
Appl. Name : snort-cluster-10-socket-0
IP Defragment : No
BPF Filtering : Disabled
# Sw Filt. Rules : 1
# Hw Filt. Rules : 0
Poll Pkt Watermark : 128
Num Poll Calls : 151
Channel Id Mask : 0xFFFFFFFF
Cluster Id : 10
Slot Version : 15 [5.6.1]
Min Num Slots : 4872
Bucket Len : 1514
Slot Len : 1720 [bucket+header]
Tot Memory : 8388608
Tot Packets : 44
Tot Pkt Lost : 0
Tot Insert : 44
Tot Read : 44
Insert Offset : 14888
Remove Offset : 14888
TX: Send Ok : 41
TX: Send Errors : 0
Reflect: Fwd Ok : 0
Reflect: Fwd Errors: 0
Num Free Slots : 4872
I can now see a sw filter
Sw Filt. Rules : 1
Why is the traffic not getting blocked?
Best regards
Thomas Raabo
Network Manager, CCIE #33466
Zitcom A/S
Phone: 70 40 00 00 E-mail: [email protected]
Direct: 69 10 60 18 Direct: [email protected]
_______________________________________________ Ntop-misc mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop-misc
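As an added example (not part of the post above and not PF_RING or Snort project code), here is a small Python parser for the per-socket stats file under /proc/net/pf_ring that turns the "Key : Value" lines into a dict and summarises the counters worth looking at when an inline DAQ does not seem to forward or drop as expected: socket mode, packets lost in the ring, TX errors, and how many packets were read by the application but not sent back out. The embedded sample is the stats block quoted in the post; the interpretation of "read minus sent" as packets the application held back (for example, on a drop verdict) is an assumption of this example, not something the stats file states.

```python
import re

# Stats block as quoted in the post (PF_RING 5.6.1, /proc/net/pf_ring/<pid>-<iface>.<n>).
SAMPLE_STATS = """\
Bound Device(s) : rt1
Active : 1
Breed : Non-DNA
Sampling Rate : 1
Capture Direction : RX only
Socket Mode : RX+TX
Appl. Name : snort-cluster-10-socket-0
IP Defragment : No
BPF Filtering : Disabled
# Sw Filt. Rules : 1
# Hw Filt. Rules : 0
Poll Pkt Watermark : 128
Num Poll Calls : 151
Channel Id Mask : 0xFFFFFFFF
Cluster Id : 10
Slot Version : 15 [5.6.1]
Min Num Slots : 4872
Bucket Len : 1514
Slot Len : 1720 [bucket+header]
Tot Memory : 8388608
Tot Packets : 44
Tot Pkt Lost : 0
Tot Insert : 44
Tot Read : 44
Insert Offset : 14888
Remove Offset : 14888
TX: Send Ok : 41
TX: Send Errors : 0
Reflect: Fwd Ok : 0
Reflect: Fwd Errors: 0
Num Free Slots : 4872
"""


def parse_pf_ring_stats(text):
    """Parse 'Key : Value' lines into a dict; leading numeric/hex values become ints."""
    stats = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        # Keys such as "TX: Send Ok" contain a colon themselves, so split on the last one.
        key, _, value = line.rpartition(":")
        key = key.strip().lstrip("#").strip()   # "# Sw Filt. Rules" -> "Sw Filt. Rules"
        value = value.strip()
        m = re.match(r"^(0x[0-9a-fA-F]+|\d+)", value)  # "15 [5.6.1]" -> 15
        if m:
            token = m.group(1)
            stats[key] = int(token, 16) if token.startswith("0x") else int(token)
        else:
            stats[key] = value
    return stats


def inline_health(stats):
    """Summarise counters relevant to an inline (RX+TX) socket and list anything suspicious."""
    findings = []
    if stats.get("Socket Mode") != "RX+TX":
        findings.append("socket mode is not RX+TX; an inline DAQ must be able to transmit")
    if stats.get("Active") != 1:
        findings.append("socket is not active")
    read = stats.get("Tot Read", 0)
    sent = stats.get("TX: Send Ok", 0)
    if stats.get("Tot Pkt Lost", 0):
        findings.append("%d packets lost in the ring (ring too small or consumer too slow)"
                        % stats["Tot Pkt Lost"])
    if stats.get("TX: Send Errors", 0):
        findings.append("%d TX send errors" % stats["TX: Send Errors"])
    # Packets the application read but never re-injected. Assumption of this example:
    # with an inline DAQ these are the candidates for a drop verdict (or still pending).
    held_back = read - sent
    if held_back < 0:
        findings.append("more packets sent than read; counters are inconsistent")
    return {"read": read, "sent": sent, "held_back": held_back, "findings": findings}


def report(path=None):
    """Parse a stats file (or the embedded sample when no path is given) and return the summary."""
    text = open(path).read() if path else SAMPLE_STATS
    return inline_health(parse_pf_ring_stats(text))


if __name__ == "__main__":
    summary = report()
    print("read=%(read)d sent=%(sent)d held_back=%(held_back)d" % summary)
    for f in summary["findings"]:
        print("finding:", f)
```

Run it against a live socket with report("/proc/net/pf_ring/<pid>-<iface>.<n>") while traffic that should be dropped is flowing; if "held_back" does not grow as the drop alerts fire, the verdicts are not reaching the ring, and if "Tot Pkt Lost" grows, the ring itself is overrunning.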
