From: Sudarshan Raghavan (sudarshan.t.raghavan gmail.com)
Date: Thu Feb 02 2012 - 11:13:04 CST
I made the change to snort.c and it seems to be working ok.
Index: snort.c
===================================================================
--- snort.c (revision 148039)
+++ snort.c (working copy)

-2820,7 +2820,8 
if ( !ScReadMode() || !PQ_Next() )
{
/* If not read-mode or no next pcap, we're done */
- break;
+ //break;
+ continue;
}
}
/* Check for any pending signals when no packets are read*/
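Review bot: the `continue` that replaces `break` inside `if ( !ScReadMode() || !PQ_Next() )` retries on every acquire failure, with no check on which error occurred and no limit on consecutive failures, so a persistent DAQ fault would spin the loop instead of ending it. The same branch is also entered in read mode when `PQ_Next()` finds no further pcap, and that case still needs to `break`, as the comment "we're done" says. It also looks as if `continue` jumps past the pending-signals check that follows the block, which would delay signal handling while errors repeat. Suggest keeping `break` as the default and continuing only in live mode for the specific transient ipq_read error, with a cap on consecutive retries, or making the change in daq_ipq.c as proposed in the thread; remove the commented-out `//break;` and update the comment to match.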
Is this likely to affect nfq? I also checked the 2.9.2 source tree and
I don't see PacketLoop continuing if DAQ_Acquire fails with an error. I
assume it must have been fixed in a different way.
Regards,
Sudarshan
On Thu, Feb 2, 2012 at 10:08 PM, Sudarshan Raghavan
<sudarshan.t.raghavan gmail.com> wrote:
> Hi Russ,
>
> My answers are inline. Thanks for the help.
>
> Regards,
> Sudarshan
>
> On Thu, Feb 2, 2012 at 9:00 PM, Russ Combs <rcombs sourcefire.com> wrote:
>>
>>
>> On Thu, Feb 2, 2012 at 9:09 AM, Sudarshan Raghavan
>> <sudarshan.t.raghavan gmail.com> wrote:
>>>
>>> I can see in the 2.8.5 sources that ipq_read error does not result in
>>> snort exiting. It calls ipq_perror and continues to read. Is this an
>>> ok behaviour to go back to. It is not ideal but having snort die is
>>> not the best solution either. Can I get rid of the break in
>>> PacketLoop?
>>
>>
>> What version of the DAQ tarball and IPQ DAQ (./snort --daq-list) are you
>> using? That should have been fixed a while back.
>
> I am using ipq and nfq
> Available DAQ modules:
> nfq(v6): live inline multi
> ipq(v5): live inline multi
>
>>
>> Assuming you have the latest, if you are only running IPQ updating snort.c
>> is an option. If you might run other DAQs, including pcap, suggest making
>> the change in the IPQ DAQ module itself (daq_ipq.c).
>
> I am not using pcap. I am using snort 2.9.1.2. Can I copy snort.c from
> 2.9.2 sources? Unfortunately I cannot move to 2.9.2 at this point in
> time.
>
>>
>> Also, it would be helpful if you could send the specific error so that can
>> be ignored.
>
> The error that I am seeing is "Can't acquire (-1) - ipq_daq_acquire:
> ipq_read=-1 error Failed to receive netlink message". On another
> system that has more memory and a higher rmem and wmem, the same test
> works just fine. I am not sure if these two config settings make any
> difference.
>
>
>>
>>>
>>> On Thu, Feb 2, 2012 at 7:18 PM, Sudarshan Raghavan
>>> <sudarshan.t.raghavan gmail.com> wrote:
>>> > Do I have to increase some buffer size? Can the -1 error from ipq_read
>>> > be ignored? I am seeing this error every time I try to upload a 60MB
>>> > file over HTTP.
>>> >
>>> > Regards,
>>> > Sudarshan
>>> >
>>> > On Thu, Feb 2, 2012 at 7:05 PM, Sudarshan Raghavan
>>> > <sudarshan.t.raghavan gmail.com> wrote:
>>> >> Snort Version: 2.9.1.2 IPv6 GRE
>>> >> libpcap: 0.8.3
>>> >> pcre: 7.0 18-Dec-2006
>>> >> zlib: 1.2.3
>>> >> Linux Kernel: 2.6.37.3 (32 bit)
>>> >>
>>> >> We are seeing snort exit when trying a http file upload with this error
>>> >> "Can't acquire (-1) - ipq_daq_acquire: ipq_read=-1 error Failed to
>>> >> receive netlink message". Has anyone seen this error message before?
>>> >>
>>> >> Regards,
>>> >> Sudarshan
>>>
>>>
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>
>>> Please visit http://blog.snort.org to stay current on all the latest Snort
>>> news!
>>
>>