Snort mailing list archives
Re: Snort 2.9.5 / PFRing
From: "Welters, Jon (LARC-B703)[LITES]" <jonathan.a.welters () nasa gov>
Date: Mon, 26 Aug 2013 20:44:28 +0000
All, I went ahead and redid the below. With the newest release of 2.9.5 and with PF Ring 5.6.0. I'm starting snort with the following options:

    /usr/local/bin/snort -c /etc/snort/snort.conf -A console -y -i eth4 --daq-dir /usr/local/lib/daq/ --daq pfring --daq-var clusterid=20 --pid-path=/tmp/snort0 --daq-var bindcpu=0 -l /var/log/snort/logs/0 --create-pidfile --pid-path=/var/run/snort/0 --daq-mode passive

In production there's a script that deals with managing the multiple snort and barnyard processes. We've gone through many upgrades without issue, this jump just seems to be causing some headaches. It's odd, because I do get data:

    Snort ran for 0 days 0 hours 16 minutes 45 seconds
    Aug 26 15:12:10 IDS1 snort[20442]: Pkts/min: 0
    Aug 26 15:12:10 IDS1 snort[20442]: Pkts/sec: 0
    Aug 26 15:12:10 IDS1 snort[20442]: ===============================================================================
    Aug 26 15:12:10 IDS1 snort[20442]: Packet I/O Totals:
    Aug 26 15:12:10 IDS1 snort[20442]: Received: 0
    Aug 26 15:12:10 IDS1 snort[20442]: Analyzed: 0 ( 0.000%)
    Aug 26 15:12:10 IDS1 snort[20442]: Dropped: 18140239 (100.000%)
    Aug 26 15:12:10 IDS1 snort[20442]: Filtered: 0 ( 0.000%)
    Aug 26 15:12:10 IDS1 snort[20442]: Outstanding: 0 ( 0.000%)
    Aug 26 15:12:10 IDS1 snort[20442]: Injected: 0
    Aug 26 15:12:10 IDS1 snort[20442]: ===============================================================================
    Aug 26 15:12:10 IDS1 snort[20442]: Breakdown by protocol (includes rebuilt packets):

PFRing is obviously doing something, Snort just isn't "accepting" the data. This is not behavior I've seen before. When I start Snort with the script I've always used I do see multiple processes running consuming resources and created unified2 files. No data ever goes into the files though, given that snort seems to be dropping 100% of the packets. It's like Snort is seeing the data but refusing to accept it. Any ideas?
Thank You and Sincerely,
Jon Welters

From: Russ Combs [mailto:rcombs () sourcefire com]
Sent: Monday, August 05, 2013 10:30 AM
To: Welters, Jon (LARC-B703)[LITES]
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort 2.9.5 / PFRing

On Thu, Jul 25, 2013 at 8:50 PM, Welters, Jon (LARC-B703)[LITES] <jonathan.a.welters () nasa gov> wrote:

> All, I've been running snort with pfring for some time now successfully and haven't had many problems. Yesterday I compiled Snort 2.9.5 on our test box using the same flag I always have, -prefix=/usr/local/snort-2.9.5, then I started snort as usual and it sees packets flowing through and drops 100%. Since we retain the old installations and just repoint a symlink I went ahead and pointed back to the old release, which worked fine. I then went ahead and compiled the newest PFRing, tested with 2.9.5 to find that it still wasn't working. Switched back to 2.9.4 with the same configuration and it worked. The only thing that changed was the compiled snort, pfring remained the same. I double checked the config log and in 2.9.4 I did not add any flags other than the prefix. Has anyone else experienced this sort of issue?

Which PF_RING DAQ version do you have? There was an incompatibility with 2.9.5 Snort fixed with the 5.6.0 PF_RING available here: http://sourceforge.net/projects/ntop/files/PF_RING/.

- Jon
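As an added example (not code from the thread or from the Snort project), a small Python check that parses the "Packet I/O Totals" block Snort writes at shutdown and classifies the sensor, so a DAQ that hands every packet to Snort only to have it dropped shows up as a monitoring alert rather than as empty unified2 files. The sample syslog lines are constructed from the figures quoted in the message above; the health labels are this example's own.

```python
import re
from typing import Dict

# Constructed sample: the "Packet I/O Totals" block as syslog captured it,
# with the same counters the message above reports.
SAMPLE_SYSLOG = """\
Aug 26 15:12:10 IDS1 snort[20442]: Packet I/O Totals:
Aug 26 15:12:10 IDS1 snort[20442]: Received: 0
Aug 26 15:12:10 IDS1 snort[20442]: Analyzed: 0 ( 0.000%)
Aug 26 15:12:10 IDS1 snort[20442]: Dropped: 18140239 (100.000%)
Aug 26 15:12:10 IDS1 snort[20442]: Filtered: 0 ( 0.000%)
Aug 26 15:12:10 IDS1 snort[20442]: Outstanding: 0 ( 0.000%)
Aug 26 15:12:10 IDS1 snort[20442]: Injected: 0
"""

# One counter line: optional syslog prefix, counter name, integer; the
# trailing "( pct%)" Snort prints is ignored because we recompute the ratio.
_LINE = re.compile(
    r"(?:^.*?snort\[\d+\]:\s*)?"
    r"(?P<name>Received|Analyzed|Dropped|Filtered|Outstanding|Injected):\s*"
    r"(?P<count>\d+)"
)

def parse_packet_io_totals(text: str) -> Dict[str, int]:
    """Return the integer counters found in a Snort 'Packet I/O Totals' block."""
    totals: Dict[str, int] = {}
    for line in text.splitlines():
        m = _LINE.search(line)
        if m:
            totals[m.group("name")] = int(m.group("count"))
    return totals

def drop_ratio(totals: Dict[str, int]) -> float:
    """Dropped as a fraction of everything the DAQ saw (Received + Dropped);
    this reproduces the 100.000% shown for 0 received / 18140239 dropped."""
    seen = totals.get("Received", 0) + totals.get("Dropped", 0)
    return totals.get("Dropped", 0) / seen if seen else 0.0

def sensor_health(totals: Dict[str, int]) -> str:
    """'blind'  : DAQ delivered packets but Snort analyzed none (the thread's symptom)
       'idle'   : nothing seen at all, look at the tap/interface instead
       'lossy'  : partial drops; 'healthy': no drops."""
    analyzed = totals.get("Analyzed", 0)
    dropped = totals.get("Dropped", 0)
    if totals.get("Received", 0) + dropped == 0:
        return "idle"
    if analyzed == 0 and dropped > 0:
        return "blind"
    return "lossy" if dropped > 0 else "healthy"
```

A "blind" verdict after an upgrade is the cue to check the DAQ/PF_RING version pairing before suspecting the rules or the barnyard side.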
Current thread:
- Snort 2.9.5 / PFRing Welters, Jon (LARC-B703)[LITES] (Aug 05)
- Re: Snort 2.9.5 / PFRing Russ Combs (Aug 05)
- Re: Snort 2.9.5 / PFRing Welters, Jon (LARC-B703)[LITES] (Aug 26)
- Re: Snort 2.9.5 / PFRing Welters, Jon (LARC-B703)[LITES] (Aug 26)
- Re: Snort 2.9.5 / PFRing Peter Bates (Aug 27)
- Re: Snort 2.9.5 / PFRing Welters, Jon (LARC-B703)[LITES] (Aug 26)
- Re: Snort 2.9.5 / PFRing Russ Combs (Aug 05)