Snort mailing list archives
Re: Snort+ : loging in afpacket mode
From: "Shravan Rangarajuvenkata (shrarang) via Snort-users" <snort-users () lists snort org>
Date: Mon, 24 Sep 2018 17:27:16 +0000
Snort creates one DAQ instance per thread, and each DAQ instance creates one packet socket. When fanout mode is used, each packet is sent to only one socket in the fanout group. When you set fanout_type to hash, all packets belonging to one flow are sent to one socket. The socket is selected based on the hash created for the flow, and the hash is a function of the network addresses of the flow. Please refer to "man packet" for more information regarding fanout options.

I am assuming that when you were using fanout options, both the scp flows went to the same Snort thread and therefore you see only one alert file. When you were not using fanout options, each packet was being sent to all the Snort threads and each thread was creating alerts. And thus, you had 4 alert files with duplicate alerts.

To confirm the above, can you please provide us more information?

1. Were you seeing the same alerts in all 4 log files when you were not using fanout options?
2. Did you miss any alerts when you used the fanout options? You should not see any duplicate alerts when using fanout, but all the unique alerts should still be generated.

Thanks,
Shravan

-------- Forwarded Message --------
Subject: [Snort-users] Snort+ : loging in afpacket mode
Date: Thu, 20 Sep 2018 20:46:03 +0300
From: Meridoff via Snort-users <snort-users () lists snort org>
Reply-To: Meridoff <oagvozd () gmail com>
To: snort-users () lists snort org

Hello

I run 4 packet threads in afpacket tap mode, in alert_fast mode. I can see 4 log files (0..4_alert_fast.txt) which are the same, because 4 DAQ threads run. Now I set fanout_type to hash (and fanout_flag to rollover or defrag) and I see that logging goes to only 1 file (e.g. 1_alert_fast.txt).

I test all this with one rule "tcp any any" and 2 scp processes to generate traffic (2 big file transfers in parallel). How can it (the difference in the number of log files that are written) be explained?
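The following is an added model of the two delivery behaviours Shravan describes, written for this archive page; it is not code from the thread, from Snort or from the DAQ. It dispatches a constructed set of packets (two scp sessions plus one UDP packet) either to every one of four packet sockets (no fanout group) or to exactly one socket chosen by a direction-independent flow hash (fanout_type hash), and then reports which threads would write a non-empty alert_fast file under a "tcp any any" rule and how many alerts are duplicated. The hash is a stand-in (SHA-256 of a sorted 5-tuple); the Linux kernel uses its own flow hash, so the example reproduces the property (one flow, both directions, lands on one socket; no duplicates; no lost alerts) rather than the exact thread a real flow would be assigned to.

```python
"""Model of how AF_PACKET fanout changes which Snort packet threads see a packet.

Added example, not code from the thread or from Snort/the DAQ. The flow hash
below is a stand-in (SHA-256 of a direction-independent 5-tuple); the kernel
uses its own flow hash, so only the distribution property is reproduced, not
the exact thread a real flow would land on.
"""
import hashlib
from collections import Counter, defaultdict
from typing import NamedTuple

N_THREADS = 4  # one DAQ instance (and one packet socket) per Snort thread


class Packet(NamedTuple):
    seq: int        # unique per packet, so duplicated alerts can be counted
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def scp_flow(seq0, client_port, n):
    """Constructed sample traffic: n packets of one scp session, alternating direction."""
    pkts = []
    for i in range(n):
        if i % 2 == 0:
            pkts.append(Packet(seq0 + i, "10.0.0.5", client_port, "10.0.0.9", 22, "tcp"))
        else:
            pkts.append(Packet(seq0 + i, "10.0.0.9", 22, "10.0.0.5", client_port, "tcp"))
    return pkts


# Two parallel scp transfers plus one UDP packet that a 'tcp any any' rule ignores.
PACKETS = scp_flow(0, 40001, 6) + scp_flow(100, 40002, 6) + [
    Packet(200, "10.0.0.5", 53001, "10.0.0.1", 53, "udp"),
]


def flow_key(pkt):
    """Direction-independent flow identity: both halves of a connection map to one key."""
    ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
    return (pkt.proto, ends[0], ends[1])


def flow_hash(pkt):
    """Stand-in for the kernel's fanout hash (assumption: any symmetric hash shows the effect)."""
    digest = hashlib.sha256(repr(flow_key(pkt)).encode()).digest()
    return int.from_bytes(digest[:4], "big")


def dispatch(packets, fanout_hash):
    """Return {thread_id: [packets]} for either delivery model.

    fanout_hash=False: no fanout group, every packet socket receives every packet.
    fanout_hash=True : hash fanout, each packet goes to exactly one socket,
                       chosen by flow hash modulo the group size.
    """
    per_thread = defaultdict(list)
    for pkt in packets:
        if fanout_hash:
            per_thread[flow_hash(pkt) % N_THREADS].append(pkt)
        else:
            for tid in range(N_THREADS):
                per_thread[tid].append(pkt)
    return dict(per_thread)


def alert_files(per_thread):
    """Thread ids that would write a non-empty <id>_alert_fast.txt under 'tcp any any'."""
    return sorted(tid for tid, pkts in per_thread.items() if any(p.proto == "tcp" for p in pkts))


def duplicate_alerts(per_thread):
    """Count TCP packets that were alerted on by more than one thread."""
    seen = Counter(p.seq for pkts in per_thread.values() for p in pkts if p.proto == "tcp")
    return sum(1 for n in seen.values() if n > 1)


def unique_alerts(per_thread):
    """Distinct TCP packets alerted on at least once; should equal the TCP packet count in both modes."""
    return len({p.seq for pkts in per_thread.values() for p in pkts if p.proto == "tcp"})


def flow_split_across_threads(per_thread):
    """True if any flow has packets on more than one thread (never the case with hash fanout)."""
    threads_for_flow = defaultdict(set)
    for tid, pkts in per_thread.items():
        for p in pkts:
            threads_for_flow[flow_key(p)].add(tid)
    return any(len(t) > 1 for t in threads_for_flow.values())


if __name__ == "__main__":
    for mode in (False, True):
        pt = dispatch(PACKETS, fanout_hash=mode)
        print(f"fanout_hash={mode}: alert files from threads {alert_files(pt)}, "
              f"unique alerts={unique_alerts(pt)}, duplicated alerts={duplicate_alerts(pt)}")
```

Running it answers the two questions in the reply for the modelled traffic: without fanout all four threads alert on every TCP packet (four identical files, every alert duplicated), with hash fanout the unique alert count is unchanged, nothing is duplicated, and the number of non-empty alert files is the number of distinct threads the two flows hashed to, which can be one.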
Current thread:
- Snort+ : loging in afpacket mode Meridoff via Snort-users (Sep 20)
- Re: Snort+ : loging in afpacket mode Shravan Rangarajuvenkata (shrarang) via Snort-users (Sep 24)