Dear VPP community,

I hope this message finds you well. I am currently working on a VPP-based traffic monitoring program and would like to ask for your advice regarding the integration of a custom node and the snort_plugin.

What I want to achieve:

* My own custom program intercepts packets at the device-input feature arc.
* At the same time, I need to duplicate the incoming packets (from dpdk-input) and send a copy to snort_plugin for intrusion detection, while my custom node still processes the original packets.
* Therefore, I modified the snort_plugin node to attach to device-input instead of the default ip4-unicast.

What I observed:

* From show trace, packets do go through snort-enq.
* show runtime also shows non-zero counters for both snort-enq and snort-deq.
* However, Snort (the external process) does not generate any alert, even though the same Snort configuration works when snort_plugin is attached to ip4-unicast.

My questions:

* Is the above design (moving snort_plugin to device-input) considered reasonable? Could there be any missing prerequisites (e.g., L2 header not yet processed, or missing flow information) that prevent Snort from properly inspecting the packets?
* If this design is not optimal, what alternative solutions would you recommend to achieve both (a) custom processing at an early stage and (b) sending a duplicate copy of the original packets to Snort?

Any suggestions or pointers to relevant documentation/examples would be greatly appreciated. Thank you very much for your time and help.
View/Reply Online (#27053): https://lists.fd.io/g/vpp-dev/message/27053