Snort mailing list archives
Re: [Ntop-misc] Pfring crashes the kernel with white lists.
From: Alfredo Cardigliano <cardigliano () ntop org>
Date: Thu, 19 Jul 2012 11:17:07 +0200
Hi Peter,

first of all let me clarify that it is not true that "it will cause pfring to add a monotonically increasing number of WHITE_LIST pfring filters". In fact by default kernel rules idle for more than 5 minutes (it is possible to tune this with --daq-var kernel-filters-idle-timeout=<seconds>) are automatically removed. Of course there can be a high number of rules if there is a high number of concurrent active flows.

Anyway we changed this in current svn, so the problem is no longer present. Please update and let us know.

Best Regards
Alfredo

On Jul 18, 2012, at 10:36 PM, Peter Bates wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello all - and apologies for cross-posting.

On 21/06/2012 00:58, livio Ricciulli wrote:

It looks like the ssl dynamic processor of the latest snort distributions causes the DAQ verdict to be WHITE_LIST for certain ssl connections. This is perfectly ok if you are NOT using --daq pfring. If you use --daq pfring with snort 2.9.2.x, it will cause pfring to add a monotonically increasing number of WHITE_LIST pfring filters in kernel memory causing memory exhaustion and eventually a crash after a few hours/days/months depending on your traffic rate. We have a pfring distribution that fixes this and other problems (like supporting bpf filtering) at http://www.metaflows.com/pfring/PF_RING.tgz The WHITE_LIST fix is very simple; basically, if the verdict from the snort processing is WHITE_LIST, you set it to PASS instead in daq_pfring.c. We will send these fixes to the Ntop folks as well.

This bug hit me today with PF_RING from svn and Snort 2.9.2.3 - available RAM was exhausted over the course of a couple of hours and left me with a dead IDS (well, until I reboot it tomorrow). I'd appreciate it if the Metaflows changes could make it into the current version of PF_RING and PF_RING DAQ - I presume there's no change in Snort 2.9.3 that will alter this behaviour.
--
Peter Bates
Senior Computer Security Officer
Information Services Division
University College London
London WC1E 6BT
Phone: +44(0)2076792049
Internal Ext: 32049

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJQBx41AAoJELhVoVpEMS6R16wH/ic43tGW9TIQngMdLBxezlfL
WIMhMPTrLI6CYzuacBdZ0VEHGppdyzNIg7tbubgbH2cHF6Ad69aZEKzE/g6pXLEh
4PFds/8oH7SwgWoglHcORm/xzU1PY0UKN+n80wQq9du8jtptPVCxTyg3ph0r4ZrE
YCYShzYJHPY3nUkii+rNM9nrM/+MfDNaIASaJIqCbUuLU3sNcf7JjE0Tfrof/NLU
+g5GaafaBHsKCWkcf+aivBLQ4MJt3gAJJdSseeQhYvdy8Sm6xMuuv4Rcw3yWwaPc
HYvOWd4BndXP0Pje9USsNeZa2yiZtXjmpaItWHKI/rQ4+gQF21rznJ4yp5ygbV0=
=ZIBf
-----END PGP SIGNATURE-----
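Added illustration, not code from PF_RING, the DAQ module or the Metaflows distribution: a small C model of the resource-exhaustion problem the thread describes and of the two mitigations it mentions, the idle-timeout reaper Alfredo refers to (default 5 minutes, tunable via kernel-filters-idle-timeout) and the daq_pfring.c change Livio describes (WHITE_LIST verdict mapped to PASS). The enum names, the rule table, its MAX_RULES cap standing in for kernel memory, and the one-flow-per-second traffic pattern are all constructed assumptions for the simulation.

```c
#include <stdio.h>
#include <string.h>

/* Local stand-in for the DAQ verdicts the thread mentions (WHITE_LIST, PASS);
   this is not the DAQ header and the names are assumptions. */
enum verdict { VERDICT_PASS, VERDICT_BLOCK, VERDICT_WHITELIST };

/* Constructed cap standing in for the kernel memory the real filter table consumes. */
#define MAX_RULES 1024

struct flow_rule {
    int      in_use;
    unsigned flow_id;
    long     last_seen;   /* seconds: time the rule was added or last refreshed */
};

struct rule_table {
    struct flow_rule rules[MAX_RULES];
    size_t count;
    long   idle_timeout;          /* seconds; 0 disables reaping (pre-fix behaviour) */
    int    map_whitelist_to_pass; /* 1 = the daq_pfring.c change Livio describes */
};

void table_init(struct rule_table *t, long idle_timeout, int map_whitelist_to_pass)
{
    memset(t, 0, sizeof *t);
    t->idle_timeout = idle_timeout;
    t->map_whitelist_to_pass = map_whitelist_to_pass;
}

/* Install (or refresh) a per-flow bypass rule. Returns -1 when the table is
   full, the analogue of the kernel running out of memory for filters. */
int table_add_rule(struct rule_table *t, unsigned flow_id, long now)
{
    size_t i;
    for (i = 0; i < MAX_RULES; i++) {
        if (t->rules[i].in_use && t->rules[i].flow_id == flow_id) {
            t->rules[i].last_seen = now;   /* already present: just refresh */
            return 0;
        }
    }
    for (i = 0; i < MAX_RULES; i++) {
        if (!t->rules[i].in_use) {
            t->rules[i].in_use = 1;
            t->rules[i].flow_id = flow_id;
            t->rules[i].last_seen = now;
            t->count++;
            return 0;
        }
    }
    return -1;
}

/* Drop rules idle for longer than idle_timeout; returns how many were removed.
   Models the idle reaper Alfredo refers to (5 minutes by default). */
size_t table_reap_idle(struct rule_table *t, long now)
{
    size_t removed = 0;
    if (t->idle_timeout <= 0)
        return 0;
    for (size_t i = 0; i < MAX_RULES; i++) {
        if (t->rules[i].in_use && now - t->rules[i].last_seen > t->idle_timeout) {
            t->rules[i].in_use = 0;
            t->count--;
            removed++;
        }
    }
    return removed;
}

/* Apply one verdict. Only WHITE_LIST leaves state in the kernel table; PASS
   and BLOCK are handled per packet and leave nothing behind. */
int handle_verdict(struct rule_table *t, enum verdict v, unsigned flow_id, long now)
{
    if (v == VERDICT_WHITELIST && t->map_whitelist_to_pass)
        v = VERDICT_PASS;   /* the one-line fix: never push a kernel bypass rule */
    if (v == VERDICT_WHITELIST)
        return table_add_rule(t, flow_id, now);
    return 0;
}

/* Simulate nflows distinct flows, one new flow per second, each whitelisted
   once (the short-lived SSL session pattern the thread describes). Returns the
   number of rules resident at the end, or -1 if the table overflowed. */
long simulate(int map_whitelist_to_pass, long idle_timeout, int nflows)
{
    struct rule_table t;
    table_init(&t, idle_timeout, map_whitelist_to_pass);
    for (int i = 0; i < nflows; i++) {
        long now = i;
        table_reap_idle(&t, now);
        if (handle_verdict(&t, VERDICT_WHITELIST, (unsigned)i, now) != 0)
            return -1;
    }
    return (long)t.count;
}

int main(void)
{
    printf("no reaper, no fix:         %ld\n", simulate(0, 0, 2000));
    printf("300s idle reaper, no fix:  %ld\n", simulate(0, 300, 2000));
    printf("WHITE_LIST mapped to PASS: %ld\n", simulate(1, 0, 2000));
    return 0;
}
```

With neither mitigation the table overflows once more distinct flows than slots have been seen, which is the memory exhaustion Peter hit. With the reaper the resident rule count is bounded by the number of flows whitelisted inside one idle window (301 here for a 300-second window at one flow per second), so it stays proportional to concurrent active flows, as Alfredo says; mapping WHITE_LIST to PASS keeps the kernel table empty altogether, at the cost of every packet of those flows still being delivered to Snort.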