Snort mailing list archives
Re: Pfring crashes the kernel with white lists.
From: Peter Bates <peter.bates () ucl ac uk>
Date: Fri, 22 Jun 2012 13:41:08 +0100
Hello all

On 21/06/2012 00:58, livio Ricciulli wrote:
If you use --daq pfring with snort 2.9.2.x, it will cause pfring to add a monotonically increasing number of WHITE_LIST pfring filters in kernel memory causing memory exhaustion and eventually a crash after a few hours/days/months depending on your traffic rate. We have a pfring distribution that fixes this and other problems (like supporting bpf filtering) at http://www.metaflows.com/pfring/PF_RING.tgz
I'm running this combination and am keen to avoid this bug so will take a look.

Can you explain 'supporting bpf filtering' a bit more?

I have config bpf_file: /etc/snort/bpf (equivalent to -F) and according to PF_RING the BPF is being applied:

BPF Filtering : Enabled

Or is the difference in Snort applying the BPF filter after PF_RING and not before?

--
Peter Bates
Senior Computer Security Officer
Phone: +44(0)2076792049
Information Services Division
Internal Ext: 32049
University College London
London WC1E 6BT