Re: FreeBSD and alert_unixsock

[Joel Esler <jesler () sourcefire com>]

On Aug 18, 2012, at 7:11 AM, Daniel Merritt <dmerritt () gmail com> wrote:

> Having encountered the same problems that several others reported using alert_unixsock and FreeBSD, I thought I'd 
> report the solution here so that it's on record. FreeBSD has default datagram buffer sizes too low for alert_unixsock 
> datagrams, which cases sendto(...) to silently fail. The solution is:
> To apply the (very small) patch attached, which uses setsockopt to adjust the send buffer size of of the socket.
> To adjust net.local.dgram.recvspace to something > 65k (100000 works well enough) by adding the appropriate line to 
> /etc/sysctl.conf or using the sysctl tool after booting.
> The analogous problem exists in barnyard2 on FreeBSD, and other operating systems may also be effected. If the 
> attached patch does not interfere with alert_unixsock on other operating systems, it may be worth integrating into 
> the next release.

Thanks Daniel, I've created a bug for our team.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!