Snort mailing list archives
not yet:: Re: freebsd/snort 2.9.0.3 daq: how do I verify it is using the ram?
From: Michael Scheidell <michael.scheidell () secnap com>
Date: Sun, 30 Jan 2011 17:28:15 -0500
On 1/30/11 3:49 PM, Michael Altizer wrote:
You will have to change the default net.bpf.maxbufsize like Frank said to be at least as large as what you entered or it will fall back on the maximum allowed (my FreeBSD install defaulted to 512k).
patch applied, daq 0.5_1:still not convinced: but onto seeing what happens with -daq ipfw now.. just because I am a sick individual and crave self abuse.
USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMANDsnort 1878 93.8 3.2 187332 134444 ?? Ss 5:22PM 0:00.01 /usr/local/bin/snort -c /etc/snort/snort_wan.conf -i untrust0 -l /var/log/snort_wan -F /etc/snort/snort_wan.bpf -dDqI -m 022 -k none --nolock-pidfile --daq pcap --daq-var buffer_size=131072
USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMANDroot 1876 33.6 3.1 181188 128700 ?? Ss 5:22PM 0:00.02 /usr/local/bin/snort -c /etc/snort/snort_lan.conf -i trust1 -l /var/log/snort_lan -F /etc/snort/snort_lan.bpf -dDqI -m 022 -k none --nolock-pidfile --daq pcap --daq-var buffer_size=131072
scanner2.secnap.com# sysctl net.bpf net.bpf.maxinsns: 512 net.bpf.maxbufsize: 524288 net.bpf.bufsize: 4096 verified patch: diff -bBru daq_pcap.c.orig daq_pcap.c --- daq_pcap.c.orig 2010-10-01 17:58:15.000000000 -0400 +++ daq_pcap.c 2011-01-30 17:24:20.000000000 -0500 @@ -216,7 +216,7 @@ for (entry = config->values; entry; entry = entry->next) { if (!strcmp(entry->key, "buffer_size")) - context->buffer_size = strtol(entry->key, NULL, 10); + context->buffer_size = strtol(entry->value, NULL, 10); }/* Try to account for legacy PCAP_FRAMES environment variable if we weren't passed a buffer size. */
if (context->buffer_size == 0) -- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 ISN: 1259*1300 >*| *SECNAP Network Security Corporation * Certified SNORT Integrator * 2008-9 Hot Company Award Winner, World Executive Alliance * Five-Star Partner Program 2009, VARBusiness * Best in Email Security,2010: Network Products Guide * King of Spam Filters, SC Magazine 2008 ______________________________________________________________________This email has been scanned and certified safe by SpammerTrap(r). For Information please see http://www.secnap.com/products/spammertrap/
______________________________________________________________________
------------------------------------------------------------------------------ Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)! Finally, a world-class log management solution at an even better price-free! Download using promo code Free_Logger_4_Dev2Dev. Offer expires February 28th, so secure your free ArcSight Logger TODAY! http://p.sf.net/sfu/arcsight-sfd2d
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Re: freebsd/snort 2.9.0.3 daq: how do I verify it is using the ram?, (continued)
- Re: freebsd/snort 2.9.0.3 daq: how do I verify it is using the ram? Michael Altizer (Jan 30)
- Re: freebsd/snort 2.9.0.3 daq: how do I verify it is using the ram? Michael Scheidell (Jan 30)
- Re: freebsd/snort 2.9.0.3 daq: how do I verify it is using the ram? Russ Combs (Jan 31)
- Re: freebsd/snort 2.9.0.3 daq: how do I verify it is using the ram? Michael Scheidell (Jan 31)
- Re: freebsd/snort 2.9.0.3 daq: how do I verify it is using the ram? Russ Combs (Jan 31)
- Re: freebsd/snort 2.9.0.3 daq: how do I verify it is using the ram? Michael Altizer (Feb 01)
- Re: freebsd/snort 2.9.0.3 daq: how do I verify it is using the ram? Michael Scheidell (Feb 01)
- Re: freebsd/snort 2.9.0.3 daq: how do I verify it is using the ram? Michael Altizer (Jan 30)
- Re: freebsd/snort 2.9.0.3 daq: how do I verify it is using the ram? Michael Scheidell (Jan 30)
- Re: freebsd/snort 2.9.0.3 daq: how do I verify it is using the ram? List Subscriptions (Jan 30)
- not yet:: Re: freebsd/snort 2.9.0.3 daq: how do I verify it is using the ram? Michael Scheidell (Jan 30)
- Re: not yet:: Re: freebsd/snort 2.9.0.3 daq: how do I verify it is using the ram? Michael Altizer (Jan 30)
- Re: not yet:: Re: freebsd/snort 2.9.0.3 daq: how do I verify it is using the ram? Michael Scheidell (Jan 30)