Snort mailing list archives
Re: Linux & Pcap ... :-(
From: "Lawrence Reed" <Lawrence.Reed () noaa gov>
Date: Wed, 05 Feb 2003 13:38:21 +0000
Kevin,

Compile snort with the libpcap from Phil Wood. This works for me and improves performance as well (ring buffer support).

http://public.lanl.gov/cpw/

Kevin Peuhkurinen wrote:
So I'm trying to make up a script that will show my bosses the daily stats dump resulting from a SIGUSR1 to Snort. Unfortunately, it appears that when Snort calls libpcap to get its stats, libpcap thereafter resets them to zero. So, the next time I do a SIGUSR1, the 'breakdown by protocol' shows > 100% because Snort keeps track of the individual protocol stats but gets the percentage based on the numbers provided by libpcap.

While this is clearly not necessarily a Snort problem since it only seems that the Linux version of libpcap behaves this way, it is equally obvious that this will not endear my choice of IDS to my bosses who are mickle suspicious of any software that does arrive with a license that grants the manufacturer exclusive access to the user's first born offspring while costing many thousands of dollars.

Does anyone have a solution for this - preferably a means to modify libpcap's behaviour and have it not reset the stats? If not, I'll just mess around with the Snort source and probably just take out the percentage displays.

Thanks,
Kevin

-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Larry Reed Lawrence.Reed () noaa gov
NOAA IT Security Office
PGP Public Key: http://search.keyserver.net:11371/pks/lookup?op=get&search=0x7A998772
Current thread:
- Linux & Pcap ... :-( Kevin Peuhkurinen (Feb 04)
- Re: Linux & Pcap ... :-( Paul B. Poh (Feb 05)
- Re: Linux & Pcap ... :-( Lawrence Reed (Feb 05)
- Re: Linux & Pcap ... :-( Paul B. Poh (Feb 05)
- Re: Linux & Pcap ... :-( Lawrence Reed (Feb 05)
- Re: Linux & Pcap ... :-( Paul B. Poh (Feb 05)