Hi All:
Currently, I have ported snort-3.1.77.0 to OpenWRT and also ported DAQ to support NFQ. The current issue is: I have set up two queues using the iptables command:

iptables -I FORWARD -j NFQUEUE --queue-balance 1:2 --queue-bypass

Snort is configured in IPS mode as shown below:
ips =
{
    mode = inline,
    include = "/etc/snort/rules/icmp_drop.rule",
    action_override = 'block',
    variables = default_variables
}

daq =
{
    snaplen = 65531,
    module_dirs = { '/usr/lib/daq' },
    inputs = { '1', '2' },  -- queue numbers
    modules =
    {
        {
            name = 'nfq',
            mode = 'inline',
            variables =
            {
                'device=eth1',        -- eth1 is the WAN interface
                'queue_maxlen=8192',
                'fail_open',          -- don't drop packets on failure
            }
        }
    }
}
I am running snort-3.1.77.0 by default with 2 threads. I hope that, with the iptables settings, the traffic can be load balanced, for example queue 1 processed by the first thread and queue 2 processed by the second thread. How can I confirm that queue 1 and queue 2 respectively correspond to the 2 threads of Snort 3?
After completing the configuration of snort.lua, run the snort command as follows:
snort --daq-dir /usr/lib/daq/ -c /etc/snort/snort.lua --daq-dir /usr/lib/daq --daq nfq -Q -z 2 -s 65531 --daq-var queue_maxlen=8192 --daq-var device=eth1 -A alert_full
Thank you in advance, everyone.
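One cheap, kernel-side way to answer the question in the post, as an added example that is not part of the original message or of Snort/DAQ: read /proc/net/netfilter/nfnetlink_queue, which lists every NFQUEUE number that currently has a userspace receiver. Its columns (from the kernel's nfnetlink_queue.c) are queue number, the netlink port id of the socket bound to the queue, packets currently waiting, copy mode, copy range, packets dropped because the queue was full, packets dropped because the socket buffer was full, the running packet id counter, and a trailing constant 1. The script below assumes (not confirmed by the post) that each nfq DAQ instance, one per Snort packet thread, opens its own netlink socket; under that assumption, two bound queues with two different port ids mean two separate receivers are draining them. It also flags the failure mode the config is trying to avoid: a queue with nothing bound (with --queue-bypass that traffic silently passes the FORWARD rule uninspected) or a queue that is dropping because queue_maxlen is too small. The sample text is constructed, not captured from a real system.

```python
"""Verify that the NFQUEUE numbers given to Snort are bound, distinct and not dropping."""
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Tuple

PROC_PATH = Path("/proc/net/netfilter/nfnetlink_queue")

# Constructed sample of the proc file with queues 1 and 2 bound to two
# different netlink sockets (port ids 4123 and 4124); queue 2 has seen drops.
SAMPLE = """\
    1   4123     0 2 65531     0     0    18234  1
    2   4124     3 2 65531    12     0    17988  1
"""


@dataclass
class QueueStat:
    queue_num: int
    peer_portid: int    # netlink socket bound to this queue (0 = nobody)
    queue_total: int    # packets waiting for a verdict right now
    copy_mode: int
    copy_range: int
    queue_dropped: int  # dropped because queue_maxlen was reached
    user_dropped: int   # dropped because the socket receive buffer was full
    id_sequence: int    # running packet id; grows as packets are queued


def parse_nfnetlink_queue(text: str) -> Dict[int, QueueStat]:
    """Parse the proc file's fixed-width integer columns into per-queue stats."""
    stats: Dict[int, QueueStat] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8:
            continue  # blank or truncated line
        q = QueueStat(*(int(f) for f in fields[:8]))
        stats[q.queue_num] = q
    return stats


def check_queues(stats: Dict[int, QueueStat], expected: List[int]) -> Tuple[bool, List[str]]:
    """Return (all_bound_and_distinct, findings) for the queues Snort should read.

    Drops do not clear the first flag (the queue is still serviced) but are
    reported, because --queue-bypass / fail_open hide them from the data path.
    """
    findings: List[str] = []
    bound_ok = True
    seen_portids: Dict[int, int] = {}
    for num in expected:
        q = stats.get(num)
        if q is None or q.peer_portid == 0:
            bound_ok = False
            findings.append(f"queue {num}: no receiver bound; traffic is bypassing inspection")
            continue
        if q.peer_portid in seen_portids:
            bound_ok = False
            findings.append(f"queue {num}: same socket {q.peer_portid} as queue {seen_portids[q.peer_portid]}")
        seen_portids[q.peer_portid] = num
        if q.queue_dropped or q.user_dropped:
            findings.append(
                f"queue {num}: {q.queue_dropped} queue-full drops, "
                f"{q.user_dropped} socket-buffer drops (raise queue_maxlen or check thread load)"
            )
    return bound_ok, findings


def queued_delta(before: Dict[int, QueueStat], after: Dict[int, QueueStat]) -> Dict[int, int]:
    """Packets queued to each queue between two samples, from id_sequence."""
    return {n: after[n].id_sequence - before[n].id_sequence for n in after if n in before}


def main() -> None:
    text = PROC_PATH.read_text() if PROC_PATH.exists() else SAMPLE
    stats = parse_nfnetlink_queue(text)
    ok, findings = check_queues(stats, [1, 2])
    print("both queues bound to distinct receivers:", ok)
    for f in findings:
        print(" -", f)


if __name__ == "__main__":
    main()
```

Run it twice a few seconds apart and feed both parses to queued_delta: a non-zero delta on each queue shows the --queue-balance rule is actually spreading packets over both. Note that --queue-balance picks the queue by flow hash, so a single long connection stays on one queue and only a mix of flows will show traffic on both.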