Snort DAQ Modules: Data Acquisition, Traffic Inspection, and Configuration Guide

Mahesh Shukla - Aka JailBreaker edited this page Jun 13, 2024 · 1 revision

DAQ Modules in Snort:

  1. Definition: DAQ (Data Acquisition) modules handle the capture and processing of network traffic in Snort, interfacing between Snort and the network.

Snort Traffic Inspection and Configuration

Reading Traffic

Snort is designed to inspect network traffic in various ways:

  • Reading from a packet capture file: Analyzes pre-captured network data.
  • Running passively on a network interface: Sniffs and analyzes live traffic without interfering.
  • Testing inline injection capabilities: Actively manages and blocks traffic inline.

To leverage these capabilities, Snort must be provided with traffic to inspect.

Specifying LibDAQ Directory

  1. LibDAQ Overview:

    • LibDAQ (Data Acquisition Library) is an abstraction layer that enables communication between Snort and network data sources.
    • It supports various DAQ modules, such as the pcap module, which uses the libpcap library to capture network traffic.
  2. Setting the LibDAQ Directory:

    • If both Snort 2 and Snort 3 are installed, each has its own LibDAQ version.

    • Users must explicitly set the --daq-dir option when using Snort 3 to point to the appropriate directory.

    • Example:

      $ snort --daq-dir /usr/local/lib/daq_s3/lib/daq

    • To list available DAQ modules, use:

      $ snort --daq-list

Reading Packet Captures

  1. Single pcap File:

    • To analyze a single pcap file, use the -r option:

      $ snort -r get.pcap

    • Snort prints basic information about the pcap file, such as the number of packets and detected protocols.

  2. Directory of pcaps:

    • To analyze multiple pcap files in a directory, use the --pcap-dir option:

      $ snort --pcap-dir /path/to/pcap/dir --pcap-filter '*.pcap'

Running Snort on Network Interfaces

  1. Listening on Active Interfaces:

    • Snort can capture live traffic on network interfaces using the -i option:

      $ snort -i eth0

Modes of Operation

  1. Passive Mode:

    • Snort observes and detects traffic but does not block it.
    • Default mode when using options like -r (read from pcap) or -i (listen on interface).
  2. Inline Mode:

    • Snort can actively block traffic based on defined rules.
    • Activated with the -Q flag if the DAQ supports inline mode.

afpacket DAQ Module

  1. Inline Mode Support:

    • The afpacket module allows Snort to access packets received on Linux network devices.
    • Supports both passive and inline modes.
  2. Using afpacket in Inline Mode:

    • Specify a pair of network interfaces with the -i option, separated by a colon:

      $ snort -Q --daq afpacket -i "eth0:eth1"
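
The following wrapper is added here as an example; it is not code from the Snort project or from this page. It assembles the command lines shown above for each traffic source and checks two things before snort starts: that the LibDAQ directory holds modules (the daq_*.so filename pattern is an assumption) and that inline afpacket gets the interface pair it needs. Interface names and paths are constructed.

```shell
#!/bin/sh
# Assumed default; override with DAQ_DIR=... in the environment.
DAQ_DIR="${DAQ_DIR:-/usr/local/lib/daq_s3/lib/daq}"

# Return 0 if the LibDAQ directory exists and holds at least one DAQ module
# (assumed filename pattern daq_*.so, e.g. daq_afpacket.so), else 1.
check_daq_dir() {
  dir=${1:-$DAQ_DIR}
  [ -d "$dir" ] || { echo "DAQ dir missing: $dir" >&2; return 1; }
  set -- "$dir"/daq_*.so
  [ -e "$1" ] || { echo "no daq_*.so modules in $dir" >&2; return 1; }
}

# Print the Snort 3 arguments for one of the traffic sources above.
# Usage: build_snort_args MODE SOURCE
#   pcap    FILE       read one capture file (passive)
#   pcapdir DIR        read every *.pcap in DIR (passive)
#   passive IFACE      sniff a live interface without blocking
#   inline  IF_A:IF_B  bridge two interfaces with afpacket and block on rules
build_snort_args() {
  mode=$1; src=$2
  case "$mode" in
    pcap)
      [ -f "$src" ] || { echo "pcap not found: $src" >&2; return 1; }
      printf '%s\n' "--daq-dir $DAQ_DIR -r $src" ;;
    pcapdir)
      [ -d "$src" ] || { echo "pcap dir not found: $src" >&2; return 1; }
      printf '%s\n' "--daq-dir $DAQ_DIR --pcap-dir $src --pcap-filter *.pcap" ;;
    passive)
      printf '%s\n' "--daq-dir $DAQ_DIR -i $src" ;;
    inline)
      # afpacket inline mode bridges interface pairs, so a single name cannot
      # forward traffic; refuse it here rather than at snort startup.
      case "$src" in
        ?*:?*) printf '%s\n' "--daq-dir $DAQ_DIR -Q --daq afpacket -i $src" ;;
        *) echo "inline needs an interface pair such as eth0:eth1" >&2; return 1 ;;
      esac ;;
    *) echo "unknown mode: $mode" >&2; return 1 ;;
  esac
}

# Run snort with the built arguments; dry run only when snort is not installed.
run_snort() {
  args=$(build_snort_args "$@") || return 1
  if ! command -v snort >/dev/null 2>&1; then
    echo "snort not on PATH; would run: snort $args" >&2; return 0
  fi
  # set -f in a subshell stops the shell from expanding *.pcap before snort sees it.
  ( set -f; snort $args )
}
```

Call `run_snort inline eth0:eth1` (or `pcap get.pcap`, `pcapdir /path/to/pcap/dir`, `passive eth0`) after `check_daq_dir` succeeds.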

Summary Notes

  • Snort Traffic Inspection:

    • Reading from pcap: snort -r get.pcap
    • Listening on interface: snort -i eth0
    • Reading from pcap directory: snort --pcap-dir /path/to/dir --pcap-filter '*.pcap'
  • LibDAQ Configuration:

    • Set directory: snort --daq-dir /usr/local/lib/daq_s3/lib/daq
    • List modules: snort --daq-list
  • Modes of Operation:

    • Passive Mode: Default with -r or -i
    • Inline Mode: -Q flag, e.g., snort -Q --daq afpacket -i "eth0:eth1"