Snort DAQ Modules: Data Acquisition, Traffic Inspection, and Configuration Guide
DAQ Modules in Snort:
- Definition: DAQ (Data Acquisition) modules handle the capture and processing of network traffic in Snort, interfacing between Snort and the network.
Reading Traffic
Snort can be handed traffic to inspect in three ways:
- Reading from a packet capture file: analyzes previously captured data offline.
- Running passively on a network interface: sniffs live traffic and alerts without touching it.
- Running inline between two interfaces: sits in the forwarding path and can drop or modify packets as well as alert.
Whichever way is used, Snort must be given a traffic source, and the DAQ module is what provides it.
Specifying LibDAQ Directory

LibDAQ Overview:
- LibDAQ (Data Acquisition Library) is the abstraction layer between Snort and its packet sources; Snort never talks to the network directly, only to a DAQ module.
- It loads DAQ modules such as `pcap`, which uses the `libpcap` library to capture network traffic.

Setting the LibDAQ Directory:
- Snort 2 and Snort 3 use different, incompatible LibDAQ versions, so a host with both installed has two sets of DAQ modules.
- Point Snort 3 at its own modules with the `--daq-dir` option so it does not pick up the Snort 2 ones:
  $ snort --daq-dir /usr/local/lib/daq_s3/lib/daq
- To list the DAQ modules Snort finds in that directory, together with the modes each one supports, use:
  $ snort --daq-list
Reading Packet Captures

Single pcap File:
- To analyze a single pcap file, use the `-r` option:
  $ snort -r get.pcap
- When the file has been processed Snort prints run statistics, such as the number of packets read and a per-protocol breakdown.

Directory of pcaps:
- To analyze every matching file in a directory, use the `--pcap-dir` option together with a `--pcap-filter` glob:
  $ snort --pcap-dir /path/to/pcap/dir --pcap-filter '*.pcap'
Running Snort on Network Interfaces

Listening on Active Interfaces:
- Snort can capture live traffic on a network interface with the `-i` option:
  $ snort -i eth0
- Opening a raw socket on an interface needs root or the CAP_NET_RAW capability, so live capture is normally started with elevated privileges.
- Unless a different module is chosen with `--daq`, the `pcap` DAQ is used for both files and live interfaces.

Modes of Operation

Passive Mode:
- Snort observes and detects traffic but cannot block it.
- This is the default with `-r` (read from pcap) and with `-i` (listen on an interface).

Inline Mode:
- Snort sits in the traffic path and can drop packets according to its rules.
- Activated with the `-Q` flag; it only works with a DAQ module that reports inline support in `--daq-list`.
afpacket DAQ Module

Inline Mode Support:
- The `afpacket` module reads packets from Linux network devices through AF_PACKET sockets.
- It supports both passive and inline modes, so it is the usual choice for inline deployments on Linux.

Using afpacket in Inline Mode:
- Specify a pair of network interfaces with the `-i` option, separated by a colon:
  $ snort -Q --daq afpacket -i "eth0:eth1"
- The two interfaces act as a bridge: packets received on one are forwarded out the other unless a rule causes Snort to drop them.
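The following is an added example (not code from the Snort project or from the original notes) that turns the steps above into two shell helpers: one that parses `snort --daq-list` output to confirm a module really reports `inline` before `-Q` is used, and one that builds the command line for each inspection mode and refuses an inline run that lacks an interface pair. The `--daq-list` line format `name(vN): cap cap ...`, the DAQ_DIR path, `get.pcap` and the interface names are assumptions; the sample module list is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example; not code from the Snort project or from the original notes.
# Two helpers for the workflow described above:
#   daq_supports LIST MODULE CAP  checks a capability in `snort --daq-list` output
#   snort_cmd MODE TARGET         builds the snort command line for one mode
# Assumptions: the "name(vN): cap cap ..." line format is what Snort 3's
# --daq-list prints; DAQ_DIR, get.pcap and eth0/eth1 are placeholders.

DAQ_DIR=${DAQ_DIR:-/usr/local/lib/daq_s3/lib/daq}

# Constructed sample of `snort --daq-list` output so the script runs offline.
# For a real check, set DAQ_LIST=$(snort --daq-dir "$DAQ_DIR" --daq-list) instead.
SAMPLE_DAQ_LIST='Available DAQ modules:
afpacket(v7): live inline multi unpriv
dump(v5): inline unpriv
pcap(v5): readback live multi unpriv
nfq(v8): live inline multi'
DAQ_LIST=${DAQ_LIST:-$SAMPLE_DAQ_LIST}

# daq_supports LIST MODULE CAP: exit 0 if MODULE's line lists capability CAP.
daq_supports() {
  printf '%s\n' "$1" | awk -v mod="$2" -v cap="$3" '
    index($1, mod "(") == 1 {            # "afpacket(v7):" is field 1
      for (i = 2; i <= NF; i++) if ($i == cap) found = 1
    }
    END { exit(found ? 0 : 1) }'
}

# snort_cmd MODE TARGET: print the command line for MODE, or fail with a reason.
#   pcap      TARGET is a capture file          -> passive, -r
#   pcap-dir  TARGET is a directory of captures -> passive, --pcap-dir
#   passive   TARGET is one interface           -> passive, -i
#   inline    TARGET is an "in:out" pair        -> inline, -Q --daq afpacket -i
snort_cmd() {
  mode=$1 target=$2
  case $mode in
    pcap)     printf 'snort --daq-dir %s -r %s\n' "$DAQ_DIR" "$target" ;;
    pcap-dir) printf "snort --daq-dir %s --pcap-dir %s --pcap-filter '*.pcap'\n" \
                "$DAQ_DIR" "$target" ;;
    passive)  printf 'snort --daq-dir %s -i %s\n' "$DAQ_DIR" "$target" ;;
    inline)
      # -Q only works with a bridged pair and a DAQ that reports "inline".
      case $target in
        *:*) ;;
        *)   echo "inline mode needs an interface pair such as eth0:eth1" >&2
             return 1 ;;
      esac
      daq_supports "$DAQ_LIST" afpacket inline ||
        { echo "afpacket is missing or does not report inline support" >&2; return 1; }
      printf 'snort --daq-dir %s -Q --daq afpacket -i "%s"\n' "$DAQ_DIR" "$target" ;;
    *) echo "unknown mode: $mode" >&2; return 2 ;;
  esac
}

# Usage when sourced or run interactively:
#   snort_cmd inline eth0:eth1
```

On a real host, replace the constructed list with the output of `snort --daq-dir "$DAQ_DIR" --daq-list`; if `afpacket` is absent from that output, `--daq-dir` is pointing at the wrong LibDAQ build, which is exactly the Snort 2 versus Snort 3 mix-up described above.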
Snort Traffic Inspection:
- Reading from pcap: `snort -r get.pcap`
- Listening on interface: `snort -i eth0`
- Reading from pcap directory: `snort --pcap-dir /path/to/dir --pcap-filter '*.pcap'`

LibDAQ Configuration:
- Set directory: `snort --daq-dir /usr/local/lib/daq_s3/lib/daq`
- List modules: `snort --daq-list`

Modes of Operation:
- Passive Mode: default with `-r` or `-i`
- Inline Mode: `-Q` flag, e.g. `snort -Q --daq afpacket -i "eth0:eth1"`