Snort mailing list archives

Re: Flexresp problem


From: Erek Adams <erek () theadamsfamily net>
Date: Sun, 21 Apr 2002 12:00:47 -0700 (PDT)

On Sun, 21 Apr 2002, Tudor Panaitescu wrote:

> libnet-1.0.2a-1snort is actually the rpm package for libnet. It is configured
> with --with-pf_packet=yes, nothing different from the normal compile. I also
> tried to recompile snort with libpcap-0.7.1 - the same behavior.
>
> The latest: recompiled from scratch and installed in this order:
> libpcap-0.7.1, libnet-1.0.2a, snort-1.8.6, snort-plain+flexresp-1.8.6. The
> same behavior.

Ok, remove the snort-plain+flexresp thing.  Just use 1.8.6 and compile with
--enable-flexresp.  See if that makes a difference.

*shudders*  God I _HATE_ rpms, they make it so hard to troubleshoot things...
And _NO_, I'm not trying to start a war.  It's too early to have any drinks.
:)

> I tried also to enable debugging but it generates about 2 GB snort.debug
> file only when snort starts - filled up my /tmp fs - is it any way of
> configuring debug to dump only alert related messages ?

Yep.  You can set the debug ENV variable and snort will log at different
levels of debugging.  I don't have all my notes on that right now, or I'd be
more specific.  Have a look in the source, IIRC it's documented fairly well
there.

> Conclusion: snort-1.8.6 resets connections if a rule is matched even if the
> rule doesn't say anything about any resp.

I'm sorry--I can't go with this.

I'm using the same setup, except on Solaris 2.7 and I don't have any problems.
We've got ~3.5k list members and only two people are having this issue, both
with sparc debian.  Law of averages points to something specific about ya'lls
configs--machines, rpms, .conf, something....   Of course I could be as wrong
as wrong can be.  :)

> The Nets are configured like this: var HOME_NET [a.b.c.d/e,f.g.h.i/j ...], var
> EXTERNAL_NET !$HOME_NET, var HTTP_SERVERS $HOME_NET etc.
>
> Any other thoughts folks ?

If you're watching a lot of traffic, run multi instances with single homenets.
The current code runs a _lot_ faster watching a single net than multi ones.  A
lot less CPU cycles!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
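The dispute in this thread is whether Snort sends resets for rules that carry no resp option. A first check a defender can run on the ruleset itself is to list every rule that actually has a resp keyword, so that observed resets can be matched against (or shown to be absent from) the rule that fired. The script below is an added example and is not code from the thread or from the Snort project; it reads Snort 1.x-style var lines and rules, splits the option list correctly even when semicolons appear inside quoted strings, and reports the rules that will send an active response. The sample ruleset embedded in it is constructed for illustration.

```python
import re

# Constructed sample in Snort 1.x syntax (not from the thread). Only the
# TELNET rule carries a flexresp "resp" option; the other two are detection-only.
SAMPLE_RULES = """\
var HOME_NET [192.168.1.0/24,10.0.0.0/8]
var EXTERNAL_NET !$HOME_NET
var HTTP_SERVERS $HOME_NET
# plain alert rule: detection only, no active response
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC example; cgi-bin"; content:"/cgi-bin/"; nocase;)
# flexresp rule: snort will send RSTs to both ends when it fires
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"TELNET example"; resp:rst_all;)
log tcp any any -> $HOME_NET 21 (msg:"FTP example";)
"""

VAR_RE = re.compile(r'^var\s+(\S+)\s+(.+)$')
RULE_RE = re.compile(
    r'^(alert|log|pass)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$'
)


def split_options(body):
    """Split the rule option body on ';' while ignoring ';' inside double quotes."""
    tokens, current, in_quotes = [], [], False
    for ch in body:
        if ch == '"':
            in_quotes = not in_quotes
            current.append(ch)
        elif ch == ';' and not in_quotes:
            token = ''.join(current).strip()
            if token:
                tokens.append(token)
            current = []
        else:
            current.append(ch)
    tail = ''.join(current).strip()
    if tail:
        tokens.append(tail)
    return tokens


def parse_ruleset(text):
    """Return (variables, rules) parsed from Snort 1.x-style configuration text."""
    variables, rules = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        var_match = VAR_RE.match(line)
        if var_match:
            variables[var_match.group(1)] = var_match.group(2).strip()
            continue
        rule_match = RULE_RE.match(line)
        if not rule_match:
            continue  # unrecognised line: skip rather than guess at its meaning
        action, proto, src, sport, direction, dst, dport, body = rule_match.groups()
        options = {}
        for token in split_options(body):
            key, _, value = token.partition(':')
            options[key.strip()] = value.strip().strip('"')
        rules.append({
            'line': lineno, 'action': action, 'proto': proto,
            'src': src, 'sport': sport, 'dst': dst, 'dport': dport,
            'options': options,
        })
    return variables, rules


def active_response_rules(rules):
    """Rules carrying a flexresp 'resp' option; only these should ever send RST/ICMP."""
    return [r for r in rules if 'resp' in r['options']]


def report(text):
    """Human-readable summary: which rules respond actively and with what mode."""
    variables, rules = parse_ruleset(text)
    lines = [f"HOME_NET = {variables.get('HOME_NET', '<unset>')}",
             f"{len(rules)} rules parsed, {len(active_response_rules(rules))} with resp"]
    for r in active_response_rules(rules):
        lines.append(f"line {r['line']}: {r['options'].get('msg', '')!r} "
                     f"-> {r['dst']}:{r['dport']} resp={r['options']['resp']}")
    return '\n'.join(lines)


if __name__ == '__main__':
    print(report(SAMPLE_RULES))
```

Run it against a real snort.conf and rules files by passing their contents to `report`; if resets are observed for a rule that is absent from this list, the behaviour is coming from somewhere other than the rule's own options.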