Snort mailing list archives
Re: [PATCHES] Fixes for daq_nfq
From: Russ Combs <rcombs () sourcefire com>
Date: Tue, 22 Mar 2011 20:47:05 -0400
OK - what version of pcap are you using?

On Tue, Mar 22, 2011 at 8:42 PM, Kelvie Wong <kwong () wurldtech com> wrote:
> Hey Russ,
>
> On March 22, 2011 04:51:49 PM Russ Combs wrote:
> > Are you using the latest Snort? The NFQ DAQ was recently changed to return
> > the IP4 or IP6 flavor instead of RAW because Snort determines the layer 3
> > protocol from the layer 2 header, and in this case there is no layer 2
> > header. Returning IP4 or IP6 allows Snort to work with either.
>
> Yeah, I'm using Snort 2.9.0.4; I think the main problem is that this value
> is being handed over to libpcap, in the pcap_open_dead line. If you feed it
> DLT_IPV4, it will set its link layer type to -1, as it does not recognize it.
>
>     if (!ScTestMode())
>     {
>         pcap_t* pcap = pcap_open_dead(DAQ_GetBaseProtocol(), DAQ_GetSnapLen());
>         data->dumpd = pcap ? pcap_dump_open(pcap, data->logdir) : NULL;
>         if (data->dumpd == NULL)
>         {
>             FatalError("log_tcpdump: Failed to open log file \"%s\":%s\n",
>                        data->logdir, pcap_geterr(pcap));
>         }
>         pcap_close(pcap);
>     }
>
> pcap_open_dead is being called with DAQ_GetBaseProtocol, which takes the
> value from nfq_daq_get_datalink_type. The problem is that
> nfq_daq_get_datalink_type now returns DLT_IPV4 or DLT_IPV6 instead of
> DLT_RAW (as it did in 0.2). According to the pcap manpage
> (http://www.tcpdump.org/pcap3_man.html) it supports neither of those values.
>
> This causes the error when pcap_dump_open is called, as this error message
> shows (it's a pcap error message).
>
>     ERROR: log_tcpdump: Failed to open log file "/var/log/snort/snort.log.1300810527": /var/log/snort/snort.log.1300810527: link-layer type -1 isn't supported in savefiles
>
> --
> Kelvie Wong
> Software Developer
> Wurldtech Security Technologies Inc.
> Suite 1680 - 401 West Georgia St.
> Vancouver, B.C. V6B 5A1 Canada
> Phone: + 1.604.669.6674
> Toll Free: + 1.877.369.6674
> Fax: + 1.604.669.2902
> Website: http://www.wurldtech.com/
> "ARE YOU ACHILLES CERTIFIED?"
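Added example, not code from Snort, the DAQ or libpcap: it reproduces the failure described above (a libpcap that knows DLT_RAW but has no savefile mapping for DLT_IPV4/DLT_IPV6 computes link type -1) and the remedy of mapping the DAQ's IP4/IP6 base protocol back to DLT_RAW before the dump is opened. The DLT_ numbers are libpcap's Linux values; savefile_linktype, dump_dlt_for and write_pcap_header are hypothetical helper names, and the header writer stands in for pcap_dump_open so it runs without libpcap.

```c
/* Added example (not Snort/libpcap code): why DLT_IPV4/DLT_IPV6 from the NFQ
 * DAQ give "link-layer type -1" in a savefile, and the DLT_RAW fallback. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DLT_ values as in libpcap's pcap/dlt.h (Linux values). */
#define DLT_RAW       12
#define DLT_IPV4      228
#define DLT_IPV6      229
/* LINKTYPE_ value libpcap writes into a savefile header for DLT_RAW. */
#define LINKTYPE_RAW  101

/* Savefile link type for a DLT, as a libpcap that knows DLT_RAW but not
 * DLT_IPV4/DLT_IPV6 computes it: -1 means "isn't supported in savefiles". */
int savefile_linktype(int dlt)
{
    return dlt == DLT_RAW ? LINKTYPE_RAW : -1;
}

/* The NFQ DAQ reports IP4 or IP6 so Snort can decode with no L2 header, but
 * a raw-IP savefile holds both (readers look at the IP version nibble), so
 * map either to DLT_RAW before pcap_open_dead()/pcap_dump_open(). */
int dump_dlt_for(int daq_base_protocol)
{
    if (daq_base_protocol == DLT_IPV4 || daq_base_protocol == DLT_IPV6)
        return DLT_RAW;
    return daq_base_protocol;
}

/* Build the 24-byte pcap global header (native byte order, magic 0xa1b2c3d4,
 * version 2.4) into buf. Returns 24, or -1 when the link type cannot be
 * written, so the caller can fail with a clear message up front. */
int write_pcap_header(unsigned char *buf, int dlt, uint32_t snaplen)
{
    struct { uint32_t magic; uint16_t major, minor;
             uint32_t zone, sigfigs, snaplen, linktype; } h;
    int lt = savefile_linktype(dlt);
    if (lt < 0)
        return -1;
    h.magic = 0xa1b2c3d4u; h.major = 2; h.minor = 4;
    h.zone = 0; h.sigfigs = 0; h.snaplen = snaplen; h.linktype = (uint32_t)lt;
    memcpy(buf, &h, sizeof h);           /* 24 bytes, no padding */
    return (int)sizeof h;
}
```

With the DAQ reporting DLT_IPV4, write_pcap_header fails directly (-1) and succeeds after dump_dlt_for (24 bytes, link type 101).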
_______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel