Re: [Ntop-misc] Pfring crashes the kernel with white lists.

[Alfredo Cardigliano <cardigliano () ntop org>]

Hi Peter
first of all let me clarify that it is not true that "it will cause pfring to add a monotonically increasing number of 
WHITE_LIST pfring filters".
In fact by default kernel rules idle for more than 5 minutes (it is possible to tune this with --daq-var 
kernel-filters-idle-timeout=<seconds>) 
are automatically removed. Of course there can be an high number of rules if there is an high number of concurrent 
active flows.
Anyway we changed this in current svn, so the problem in no longer present. Please update and let us know.

Best Regards
Alfredo

On Jul 18, 2012, at 10:36 PM, Peter Bates wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> Hello all - and apologies for cross-posting.
>
> On 21/06/2012 00:58, livio Ricciulli wrote:
> > It looks like the ssl dynamic processor of the latest snort 
> > distributions causes the DAQ verdict to be WHITE_LIST for certain
> > ssl connections. This is perfectly ok if you are NOT using --daq
> > pfring. If you use --daq pfring with snort 2.9.2.x, it will cause
> > pfring to add a monotonically increasing number of WHITE_LIST
> > pfring filters in kernel memory causing memory exhaustion and
> > eventually a crash after a few hours/days/months depending on your
> > traffic rate. We have a pfring distribution that fixes this and
> > other problems (like supporting bpf filtering) at
> > http://www.metaflows.com/pfring/PF_RING.tgz
> >
> > The WHITE_LIST fix is very simple; basically, if the verdict from
> > the snort processing is WHITE_LIST, you set it to PASS instead in
> > daq_pfring.c.
> >
> > We will send this fixes to the Ntop folks as well..
>
> This bug hit me today with PF_RING from svn and Snort 2.9.2.3
> - - available RAM was exhausted over the course of a couple of hours and
> left me with a dead IDS (well, until I reboot it tomorrow).
>
> I'd appreciate if the Metaflows changes could make it into the current
> version of PF_RING and PF_RING DAQ - I presume there's no change in
> Snort 2.9.3 that will alter this behaviour.
>
> - -- 
> Peter Bates
> Senior Computer Security Officer    Phone: +44(0)2076792049
> Information Services Division     Internal Ext: 32049
> University College London
> London WC1E 6BT
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (Darwin)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iQEcBAEBAgAGBQJQBx41AAoJELhVoVpEMS6R16wH/ic43tGW9TIQngMdLBxezlfL
> WIMhMPTrLI6CYzuacBdZ0VEHGppdyzNIg7tbubgbH2cHF6Ad69aZEKzE/g6pXLEh
> 4PFds/8oH7SwgWoglHcORm/xzU1PY0UKN+n80wQq9du8jtptPVCxTyg3ph0r4ZrE
> YCYShzYJHPY3nUkii+rNM9nrM/+MfDNaIASaJIqCbUuLU3sNcf7JjE0Tfrof/NLU
> +g5GaafaBHsKCWkcf+aivBLQ4MJt3gAJJdSseeQhYvdy8Sm6xMuuv4Rcw3yWwaPc
> HYvOWd4BndXP0Pje9USsNeZa2yiZtXjmpaItWHKI/rQ4+gQF21rznJ4yp5ygbV0=
> =ZIBf
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Ntop-misc mailing list
> Ntop-misc () listgateway unipi it
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!