README.daq
Snort 2.9 introduces the DAQ, or Data Acquisition library, for packet I/O. The
DAQ replaces direct calls to libpcap functions with an abstraction layer that
facilitates operation on a variety of hardware and software interfaces without
requiring changes to Snort. The DAQ type and mode are selected when Snort is
invoked, so the same binary can read back a pcap file, sniff an interface
passively, or run inline.

This README summarizes the important things you need to know to use the DAQ.
See the README in the DAQ tarball for information on building and installing
the DAQ and for information specific to DAQ modules.

See README.active and README.normalize for more information on the other packet
handling changes in 2.9.

Building Snort
==============

If you install the DAQ libraries in a non-standard place, you can configure
Snort accordingly with:

    ./configure --with-daq-includes=<inc dir> \
                --with-daq-libraries=<lib dir>

By default, Snort is built with a few static DAQ modules including pcap,
afpacket, and dump. If you don't want any static DAQ modules built into Snort,
you can use this configure option:

    ./configure --disable-static-daq

pcap is the default DAQ, but you can change that like this:

    ./configure "CPPFLAGS=-DDEFAULT_DAQ=<type>"

You can also do this:

    make "DEFAULT_DAQ=<type>"

If you used --with-libpcap-includes or --with-libpcap-libraries when building
the DAQ, you will also need --with-libpcap-includes and
--with-libpcap-libraries when building Snort.

Note that configure runs daq-modules-config, which must be in your PATH. If you
configured the DAQ with a non-standard prefix, then you may need to put the
directory containing daq-modules-config in your PATH like this before running
configure:

    PATH=/daq/install/prefix:$PATH
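
The following shell helper ties the build steps above together. It is an added
example, not part of Snort or the DAQ distribution: it assembles the configure
options for a DAQ installed under a non-standard prefix (assuming the usual
<prefix>/include, <prefix>/lib and <prefix>/bin layout) and checks that
daq-modules-config is reachable before configure is run. /opt/daq and /opt/pcap
below are placeholder paths.

```shell
#!/bin/sh
# Added example, not part of Snort or the DAQ: assemble the ./configure
# options for a DAQ installed under a non-standard prefix and make sure
# daq-modules-config is reachable, since configure runs it from PATH.
# <prefix>/include, <prefix>/lib and <prefix>/bin are assumed to be the
# install layout; adjust the paths if your DAQ was installed differently.

# daq_configure_args <daq prefix> [<libpcap prefix>] [<default DAQ type>]
# Prints the arguments to pass to Snort's ./configure.
daq_configure_args() {
    daq_prefix=$1
    pcap_prefix=${2:-}
    default_daq=${3:-}
    args="--with-daq-includes=$daq_prefix/include"
    args="$args --with-daq-libraries=$daq_prefix/lib"
    # A DAQ built against a non-standard libpcap needs the same flags here.
    if [ -n "$pcap_prefix" ]; then
        args="$args --with-libpcap-includes=$pcap_prefix/include"
        args="$args --with-libpcap-libraries=$pcap_prefix/lib"
    fi
    # Override the compiled-in default DAQ (pcap) via CPPFLAGS.
    if [ -n "$default_daq" ]; then
        args="$args CPPFLAGS=-DDEFAULT_DAQ=$default_daq"
    fi
    printf '%s\n' "$args"
}

# daq_tools_on_path <daq prefix>
# Prepends <prefix>/bin to PATH and returns 0 if daq-modules-config is now
# found; configure fails without it.
daq_tools_on_path() {
    PATH="$1/bin:$PATH"
    export PATH
    command -v daq-modules-config >/dev/null 2>&1
}

# Typical use (placeholder paths):
#   daq_tools_on_path /opt/daq || { echo "daq-modules-config not found" >&2; exit 1; }
#   ./configure $(daq_configure_args /opt/daq "" afpacket)
```

The configure arguments are deliberately left unquoted in the usage comment so
the shell splits them into separate words; none of the generated options
contain spaces.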

Configuring Snort
=================

Assuming that you did not disable static modules or change the default DAQ
type, you can run Snort just as you always did for file readback or sniffing an
interface. However, you can select and configure the DAQ when Snort is invoked
as follows:

    ./snort \
        [--daq <type>] \
        [--daq-mode <mode>] \
        [--daq-dir <dir>] \
        [--daq-var <var>]

or, in the conf file:

    config daq: <type>
    config daq_dir: <dir>
    config daq_var: <var>
    config daq_mode: <mode>

    <type> ::= pcap | afpacket | dump | nfq | ipq | ipfw
    <mode> ::= read-file | passive | inline
    <var>  ::= arbitrary <name>=<value> passed to DAQ
    <dir>  ::= path where to look for DAQ module shared objects (.so files)

The DAQ type, mode, variable, and directory may be specified either via the
command line or in the conf file. You may include as many variables and
directories as needed by repeating the arg / config. DAQ type may be specified
at most once in the conf and once on the command line; if configured in both
places, the command line overrides the conf.

If the mode is not set explicitly, -Q forces it to inline; failing that, -r
forces it to read-file; otherwise the mode defaults to passive. -Q together
with --daq-mode inline is allowed, since there is no conflict, but -Q with any
other DAQ mode causes a fatal error at start-up.
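
The precedence and conflict rules above, expressed as a small shell wrapper.
This is an added example and not Snort code: it resolves the effective DAQ mode
the way the text describes and builds the matching snort command line, so the
-Q/--daq-mode conflict is rejected before Snort aborts at start-up. It assumes
snort is in PATH; buffer_size_mb is used only as a sample name=value pair and
is assumed, not documented on this page, to be a variable the afpacket DAQ
accepts.

```shell
#!/bin/sh
# Added example, not part of Snort: apply the documented precedence rules for
# the DAQ mode and build the matching snort command line.

# resolve_daq_mode <explicit mode or ""> <-Q given: 0|1> <-r given: 0|1>
# Prints the effective mode; returns 1 for the fatal -Q conflict.
resolve_daq_mode() {
    explicit=$1
    q=$2
    r=$3
    if [ -n "$explicit" ]; then
        # -Q only agrees with --daq-mode inline; anything else is fatal.
        if [ "$q" = 1 ] && [ "$explicit" != inline ]; then
            echo "fatal: -Q conflicts with --daq-mode $explicit" >&2
            return 1
        fi
        printf '%s\n' "$explicit"
    elif [ "$q" = 1 ]; then
        echo inline
    elif [ "$r" = 1 ]; then
        echo read-file
    else
        echo passive
    fi
}

# build_snort_cmd <daq type> <explicit mode or ""> <-Q: 0|1> <pcap path or ""> [name=value ...]
# Prints the snort invocation on one line. A non-empty pcap path adds -r, and
# each name=value becomes a --daq-var, which may be repeated as needed.
build_snort_cmd() {
    daq_type=$1
    explicit=$2
    q=$3
    pcap=$4
    shift 4
    r=0
    if [ -n "$pcap" ]; then
        r=1
    fi
    mode=$(resolve_daq_mode "$explicit" "$q" "$r") || return 1
    cmd="snort --daq $daq_type --daq-mode $mode"
    if [ "$q" = 1 ]; then
        cmd="$cmd -Q"
    fi
    if [ -n "$pcap" ]; then
        cmd="$cmd -r $pcap"
    fi
    for var in "$@"; do
        cmd="$cmd --daq-var $var"
    done
    printf '%s\n' "$cmd"
}

# Typical use: print the command line, then run it once it looks right.
#   build_snort_cmd afpacket "" 1 "" buffer_size_mb=128
#   build_snort_cmd pcap "" 0 /tmp/capture.pcap
```

Passing --daq-mode explicitly makes the wrapper behave like Snort: the explicit
mode wins, and combining it with -Q is only accepted when that mode is inline.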

Note that if Snort finds multiple versions of a given library, the most recent
version is selected. This applies to static and dynamic versions of the same
library.

    ./snort --daq-list[=<dir>]
    ./snort --daq-dir=<dir> --daq-list

The above commands search the specified directories for DAQ modules and print
the type, version, and attributes of each. This feature is not available in
the conf. Snort stops processing after parsing --daq-list, so if you want to
add one or more directories, put the --daq-dir options before --daq-list on
the command line. (Since the directory argument to --daq-list is optional, you
must use an = without spaces to supply it.)