Snort mailing list archives
Re: FreeBSD and alert_unixsock
From: Joel Esler <jesler () sourcefire com>
Date: Tue, 21 Aug 2012 13:32:18 -0400
On Aug 18, 2012, at 7:11 AM, Daniel Merritt <dmerritt () gmail com> wrote:
Having encountered the same problems that several others reported using alert_unixsock and FreeBSD, I thought I'd report the solution here so that it's on record. FreeBSD has default datagram buffer sizes too low for alert_unixsock datagrams, which causes sendto(...) to silently fail. The solution is:

- To apply the (very small) patch attached, which uses setsockopt to adjust the send buffer size of the socket.
- To adjust net.local.dgram.recvspace to something > 65k (100000 works well enough) by adding the appropriate line to /etc/sysctl.conf or using the sysctl tool after booting.

The analogous problem exists in barnyard2 on FreeBSD, and other operating systems may also be affected. If the attached patch does not interfere with alert_unixsock on other operating systems, it may be worth integrating into the next release.
Thanks Daniel, I've created a bug for our team.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
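The failure mode and the setsockopt fix described in the thread, as an added example; it is not the patch attached to the original post and not Snort code. The function names, the socketpair harness and ALERT_LEN (a constructed size just above the 65k mentioned in the post) are assumptions, and the harness shrinks the send buffer to stand in for a default that is too low.

```c
#include <errno.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <unistd.h>

#define ALERT_LEN   66000   /* constructed size, just above the 65k in the post */
#define WANT_SNDBUF 100000  /* the value the post reports as working */

/* Raise SO_SNDBUF to at least `want`; return the effective size, or -1. */
int ensure_sndbuf(int fd, int want)
{
    int cur = 0;
    socklen_t len = sizeof(cur);
    if (getsockopt(fd, SOL_SOCKET, SO_SNDBUF, &cur, &len) == 0 && cur >= want)
        return cur;
    if (setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &want, sizeof(want)) < 0)
        return -1;
    len = sizeof(cur);
    if (getsockopt(fd, SOL_SOCKET, SO_SNDBUF, &cur, &len) < 0)
        return -1;
    return cur >= want ? cur : -1;  /* the kernel may clamp to a system limit */
}

/* Send one datagram; return 0 or the errno, so a drop is never silent. */
int send_alert(int fd, const void *buf, size_t n)
{
    ssize_t r = send(fd, buf, n, 0);
    if (r < 0) return errno;
    return (size_t)r == n ? 0 : EIO;
}

/* Hypothetical harness: one ALERT_LEN datagram over a local socketpair, with
 * the send buffer forced to `sndbuf` bytes first (0 = use ensure_sndbuf).
 * Returns 0 if the receiver got the whole datagram, else an errno. */
int try_alert(int sndbuf)
{
    int sv[2], rc;
    char *buf = calloc(2, ALERT_LEN);  /* first half sent, second half received */
    if (buf == NULL) return ENOMEM;
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0) { rc = errno; free(buf); return rc; }
    if (sndbuf > 0)
        setsockopt(sv[0], SOL_SOCKET, SO_SNDBUF, &sndbuf, sizeof(sndbuf));
    else if (ensure_sndbuf(sv[0], WANT_SNDBUF) < 0) { rc = ENOBUFS; goto out; }
    rc = send_alert(sv[0], buf, ALERT_LEN);
    if (rc == 0 && recv(sv[1], buf + ALERT_LEN, ALERT_LEN, 0) != ALERT_LEN) rc = EIO;
out:
    close(sv[0]); close(sv[1]); free(buf);
    return rc;
}

int main(void) { return (try_alert(2048) != 0 && try_alert(0) == 0) ? 0 : 1; }
```

Checking the return value of the send and logging the errno is what turns the silent drop into a visible fault; the receiving side's limit (net.local.dgram.recvspace on FreeBSD) still has to be raised separately, as the post says.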