Snort mailing list archives
Re: Help please!!! snort_build261 can not reload config successfully with daq in nfq
From: "Michael Altizer (mialtize) via Snort-users" <snort-users () lists snort org>
Date: Fri, 11 Oct 2019 02:40:05 +0000
If I had to guess, I'd say that nl_socket_recv() probably properly set EINTR while I was originally developing it and
something has changed. Anyway, having the check in the main loop is appropriate and matches the behavior of the other
DAQ modules. I've added it now; please try with the latest master branch from libdaq. Thanks for reporting.
On 10/10/19 5:34 AM, sofardware via Snort-users wrote:
Hi,
After my debugging, I found a direct but not fundamental reason:
In the function nfq_daq_msg_receive in libdaq-master\modules\nfq\daq_nfq.c, the interrupt processing needs
nl_socket_recv() to return EINTR. But no EINTR was returned when the reload interrupt happened.
But in pcap_daq_msg_receive and afpacket_daq_msg_receive, the interrupt processing is put in the while()
directly.
Now I have added the interrupt processing in the while() directly, like that in pcap_daq_msg_receive, and the
reload_config command works successfully.
But can you tell me if the above way of resolving the problem can lead to other problems??? And secondly,
why does the original processing need nl_socket_recv() to return EINTR, and why does it not happen in fact??
=================
static unsigned nfq_daq_msg_receive(void *handle, const unsigned max_recv, const DAQ_Msg_t *msgs[], DAQ_RecvStatus *rstat)
{
    Nfq_Context_t *nfqc = (Nfq_Context_t *) handle;
    unsigned idx = 0;

    *rstat = DAQ_RSTAT_OK;
    while (idx < max_recv)
    {
        /* Make sure that we have a packet descriptor available to populate. */
        NfqPktDesc *desc = nfqc->pool.freelist;
        if (!desc)
        {
            *rstat = DAQ_RSTAT_NOBUF;
            break;
        }

        /* added by me for reload fail */
        if (nfqc->interrupted)
        {
            nfqc->interrupted = false;
            *rstat = DAQ_RSTAT_INTERRUPTED;
            break;
        }
        /* added by me for reload fail */

        ssize_t ret = nl_socket_recv(nfqc, desc->nlmsg_buf, nfqc->nlmsg_bufsize, idx == 0);
        if (ret < 0)
        {
            if (errno == ENOBUFS)
            {
                nfqc->stats.hw_packets_dropped++;
                continue;
            }
            else if (errno == EAGAIN || errno == EWOULDBLOCK)
                *rstat = (idx == 0) ? DAQ_RSTAT_TIMEOUT : DAQ_RSTAT_WOULD_BLOCK;
            else if (errno == EINTR) // the original processing
            {
                if (!nfqc->interrupted)
                    continue;
                nfqc->interrupted = false;
                *rstat = DAQ_RSTAT_INTERRUPTED;
            }
            /* ... remainder of the function is unchanged from the original version below ... */
=================
static unsigned nfq_daq_msg_receive(void *handle, const unsigned max_recv, const DAQ_Msg_t *msgs[], DAQ_RecvStatus *rstat)
{
    Nfq_Context_t *nfqc = (Nfq_Context_t *) handle;
    unsigned idx = 0;

    *rstat = DAQ_RSTAT_OK;
    while (idx < max_recv)
    {
        /* Make sure that we have a packet descriptor available to populate. */
        NfqPktDesc *desc = nfqc->pool.freelist;
        if (!desc)
        {
            *rstat = DAQ_RSTAT_NOBUF;
            break;
        }

        ssize_t ret = nl_socket_recv(nfqc, desc->nlmsg_buf, nfqc->nlmsg_bufsize, idx == 0);
        if (ret < 0)
        {
            if (errno == ENOBUFS)
            {
                nfqc->stats.hw_packets_dropped++;
                continue;
            }
            else if (errno == EAGAIN || errno == EWOULDBLOCK)
                *rstat = (idx == 0) ? DAQ_RSTAT_TIMEOUT : DAQ_RSTAT_WOULD_BLOCK;
            else if (errno == EINTR)
            {
                if (!nfqc->interrupted)
                    continue;
                nfqc->interrupted = false;
                *rstat = DAQ_RSTAT_INTERRUPTED;
            }
            else
            {
                SET_ERROR(nfqc->modinst, "%s: Socket receive failed: %zd - %s (%d)",
                        __func__, ret, strerror(errno), errno);
                *rstat = DAQ_RSTAT_ERROR;
            }
            break;
        }

        errno = 0;
        ret = mnl_cb_run(desc->nlmsg_buf, ret, 0, nfqc->portid, process_message_cb, desc);
        if (ret < 0)
        {
            SET_ERROR(nfqc->modinst, "%s: Netlink message processing failed: %zd - %s (%d)",
                    __func__, ret, strerror(errno), errno);
            *rstat = DAQ_RSTAT_ERROR;
            break;
        }

        /* Increment the module instance's packet counter. */
        nfqc->stats.packets_received++;

        /* Last, but not least, extract this descriptor from the free list and
           place the message in the return vector. */
        nfqc->pool.freelist = desc->next;
        desc->next = NULL;
        nfqc->pool.info.available--;
        msgs[idx] = &desc->msg;

        idx++;
    }

    return idx;
}
==========================================================================
static unsigned pcap_daq_msg_receive(void *handle, const unsigned max_recv, const DAQ_Msg_t *msgs[], DAQ_RecvStatus *rstat)
{
    struct pcap_pkthdr *pcaphdr;
    Pcap_Context_t *pc = (Pcap_Context_t *) handle;
    const u_char *data;
    unsigned idx;

    *rstat = DAQ_RSTAT_OK;
    for (idx = 0; idx < max_recv; idx++)
    {
        /* Check to see if the receive has been canceled. If so, reset it and return appropriately. */
        if (pc->interrupted)
        {
            pc->interrupted = false;
            *rstat = DAQ_RSTAT_INTERRUPTED;
            break;
        }

        /* If there is a pending descriptor from the readback timeout feature, check if it's ready
           to be realized. If it is, finish receiving it and carry on. */
        if (pc->pending_desc)
        {
            struct timeval delta;
            timersub(&pc->pending_desc->pkthdr.ts, &pc->last_recv, &delta);
            if (timercmp(&delta, &pc->timeout_tv, >))
            {
                timeradd(&pc->last_recv, &pc->timeout_tv, &pc->last_recv);
                *rstat = DAQ_RSTAT_TIMEOUT;
                break;
            }
            pc->last_recv = pc->pending_desc->pkthdr.ts;
            pc->pool.info.available--;
            msgs[idx] = &pc->pending_desc->msg;
            pc->stats.packets_received++;
            pc->pending_desc = NULL;
            continue;
        }

        /* Make sure that we have a packet descriptor available to populate *before*
           calling into libpcap. */
        PcapPktDesc *desc = pc->pool.freelist;
        if (!desc)
        {
            *rstat = DAQ_RSTAT_NOBUF;
            break;
        }

        /* When dealing with a live interface, try to get the first packet in non-blocking mode.
           If there's nothing to receive, switch to blocking mode. */
        int pcap_rval;
        if (pc->mode != DAQ_MODE_READ_FILE && idx == 0)
        {
            if (set_nonblocking(pc, true) != DAQ_SUCCESS)
            {
                *rstat = DAQ_RSTAT_ERROR;
                break;
            }
            pcap_rval = pcap_next_ex(pc->handle, &pcaphdr, &data);
            if (pcap_rval == 0)
            {
                if (set_nonblocking(pc, false) != DAQ_SUCCESS)
                {
                    *rstat = DAQ_RSTAT_ERROR;
                    break;
                }
                pcap_rval = pcap_next_ex(pc->handle, &pcaphdr, &data);
            }
        }
        else
            pcap_rval = pcap_next_ex(pc->handle, &pcaphdr, &data);

        if (pcap_rval <= 0)
        {
            if (pcap_rval == 0)
                *rstat = (idx == 0) ? DAQ_RSTAT_TIMEOUT : DAQ_RSTAT_WOULD_BLOCK;
            else if (pcap_rval == -1)
            {
                SET_ERROR(pc->modinst, "%s", pcap_geterr(pc->handle));
                *rstat = DAQ_RSTAT_ERROR;
            }
            else if (pcap_rval == -2)
            {
                /* LibPCAP brilliantly decides to return -2 if it hit EOF in readback OR pcap_breakloop()
                   was called. Let's try to differentiate by checking to see if we asked for a break. */
                if (!pc->interrupted && pc->mode == DAQ_MODE_READ_FILE)
                {
                    /* Insert a final timeout receive status when readback timeout mode is enabled. */
                    if (pc->readback_timeout && !pc->final_readback_timeout)
                    {
                        pc->final_readback_timeout = true;
                        *rstat = DAQ_RSTAT_TIMEOUT;
                    }
                    else
                        *rstat = DAQ_RSTAT_EOF;
                }
                else
                {
                    pc->interrupted = false;
                    *rstat = DAQ_RSTAT_INTERRUPTED;
                }
            }
            break;
        }

        /* Update hw packet counters to make sure we detect counter overflow */
        if (++pc->hwupdate_count == DAQ_PCAP_ROLLOVER_LIM)
            update_hw_stats(pc);

        /* Populate the packet descriptor */
        int caplen = (pcaphdr->caplen > pc->snaplen) ? pc->snaplen : pcaphdr->caplen;
        memcpy(desc->data, data, caplen);

        /* Next, set up the DAQ message. Most fields are prepopulated and unchanging. */
        DAQ_Msg_t *msg = &desc->msg;
        msg->data_len = caplen;

        /* Then, set up the DAQ packet header. */
        DAQ_PktHdr_t *pkthdr = &desc->pkthdr;
        pkthdr->pktlen = pcaphdr->len;
        pkthdr->ts.tv_sec = pcaphdr->ts.tv_sec;
        pkthdr->ts.tv_usec = pcaphdr->ts.tv_usec;

        /* Last, but not least, extract this descriptor from the free list and
           place the message in the return vector. */
        pc->pool.freelist = desc->next;
        desc->next = NULL;

        /* If the readback timeout feature is enabled, check to see if the configured timeout has
           elapsed between the previous packet and this one. If it has, store the descriptor for
           later without modifying counters and return the timeout receive status. */
        if (pc->mode == DAQ_MODE_READ_FILE && pc->readback_timeout && pc->timeout > 0)
        {
            if (timerisset(&pc->last_recv) && timercmp(&pkthdr->ts, &pc->last_recv, >))
            {
                struct timeval delta;
                timersub(&pkthdr->ts, &pc->last_recv, &delta);
                if (timercmp(&delta, &pc->timeout_tv, >))
                {
                    pc->pending_desc = desc;
                    timeradd(&pc->last_recv, &pc->timeout_tv, &pc->last_recv);
                    *rstat = DAQ_RSTAT_TIMEOUT;
                    break;
                }
            }
            pc->last_recv = pkthdr->ts;
        }

        pc->pool.info.available--;
        msgs[idx] = &desc->msg;

        /* Finally, increment the module instance's packet counter. */
        pc->stats.packets_received++;
    }

    return idx;
}
At 2019-10-10 10:37:54, "Russ Combs (rucombs)" <rucombs () cisco com> wrote:
Does Ctrl+C exit normally with the NFQ DAQ without reload?
From: sofardware <sofardware () 126 com>
Date: Wednesday, October 9, 2019 at 10:13 PM
To: "Tom Peters (thopeter)" <thopeter () cisco com>
Cc: "Shravan Rangarajuvenkata (shrarang)" <shrarang () cisco com>, "Snort-users () lists snort org" <Snort-users () lists snort org>, "Russ Combs (rucombs)" <rucombs () cisco com>
Subject: Help please!!! snort_build261 can not reload config successfully with daq in nfq
Hi,
I am anxious to resolve this problem. Please give me some help. Thank you very much.
I have read the README files in snort3 and DAQ, and did not find useful info for this problem.
-----------------------
Hi,
I need help for this:
snort_build261 cannot reload config successfully with daq in nfq, and also cannot be exited by pressing
“Ctrl+C”.
But it works well with a daq other than nfq.
[root@localhost build]# /usr/local/snort261/bin/snort --daq-dir /usr/local/lib/daq/ --daq nfq -i 1 -c
/usr/local/snort261/etc/snort/snort.lua --shell -j
--------------------------------------------------
o")~ Snort++ 3.0.0-261
--------------------------------------------------
Loading /usr/local/snort261/etc/snort/snort.lua:
Loading snort_defaults.lua:
Finished snort_defaults.lua:
Loading file_magic.lua:
Finished file_magic.lua:
ssh
host_cache
pop
binder
stream_tcp
network
gtp_inspect
packets
dce_http_proxy
stream_icmp
normalizer
ftp_server
stream_udp
search_engine
ips
dce_smb
latency
wizard
appid
file_id
ftp_data
hosts
smtp
port_scan
dce_http_server
modbus
dce_tcp
telnet
host_tracker
ssl
sip
rpc_decode
http2_inspect
http_inspect
back_orifice
stream_user
stream_ip
classifications
dnp3
active
ftp_client
daq
decode
alerts
stream
references
arp_spoof
output
dns
dce_udp
imap
process
stream_file
Finished /usr/local/snort261/etc/snort/snort.lua:
--------------------------------------------------
/usr/local/lib/daq//daq_afpacket.so: Module API version (0x10007) differs from expected version (0x30001)
/usr/local/lib/daq//daq_afpacket.so: Failed to register DAQ module.
/usr/local/lib/daq//daq_ipfw.so: Module API version (0x10007) differs from expected version (0x30001)
/usr/local/lib/daq//daq_ipfw.so: Failed to register DAQ module.
nfq DAQ configured to passive.
Commencing packet processing
Entering command shell
o")~
++ [0] 1
reload_config('/usr/local/snort261/etc/snort/snort.lua')
.. reloading configuration
Loading /usr/local/snort261/etc/snort/snort.lua:
Loading snort_defaults.lua:
Finished snort_defaults.lua:
Loading file_magic.lua:
Finished file_magic.lua:
ssh
host_cache
pop
binder
stream_tcp
network
gtp_inspect
packets
dce_http_proxy
stream_icmp
normalizer
ftp_server
stream_udp
search_engine
ips
dce_smb
latency
wizard
appid
file_id
ftp_data
hosts
smtp
port_scan
dce_http_server
modbus
dce_tcp
telnet
host_tracker
ssl
sip
rpc_decode
http2_inspect
http_inspect
back_orifice
stream_user
stream_ip
classifications
dnp3
active
ftp_client
daq
decode
alerts
stream
references
arp_spoof
output
dns
dce_udp
imap
process
stream_file
Finished /usr/local/snort261/etc/snort/snort.lua:
0 hosts loaded
reload_config('/usr/local/snort261/etc/snort/snort.lua')
== reload pending; retry
^C** caught int signal
== stopping
^C** caught int signal
== stopping
^C** caught int signal
== stopping
^C** caught int signal
== stopping
==============================================================================no nfq================
[root@localhost build]# /usr/local/snort261/bin/snort --daq-dir /usr/local/lib/daq/ -i eth0 -c
/usr/local/snort261/etc/snort/snort.lua --shell -j
--------------------------------------------------
o")~ Snort++ 3.0.0-261
--------------------------------------------------
Loading /usr/local/snort261/etc/snort/snort.lua:
Loading snort_defaults.lua:
Finished snort_defaults.lua:
Loading file_magic.lua:
Finished file_magic.lua:
ssh
host_cache
pop
binder
stream_tcp
network
gtp_inspect
packets
dce_http_proxy
stream_icmp
normalizer
ftp_server
stream_udp
search_engine
ips
dce_smb
latency
wizard
appid
file_id
ftp_data
hosts
smtp
port_scan
dce_http_server
modbus
dce_tcp
telnet
host_tracker
ssl
sip
rpc_decode
http2_inspect
http_inspect
back_orifice
stream_user
stream_ip
classifications
dnp3
active
ftp_client
daq
decode
alerts
stream
references
arp_spoof
output
dns
dce_udp
imap
process
stream_file
Finished /usr/local/snort261/etc/snort/snort.lua:
--------------------------------------------------
/usr/local/lib/daq//daq_afpacket.so: Module API version (0x10007) differs from expected version (0x30001)
/usr/local/lib/daq//daq_afpacket.so: Failed to register DAQ module.
/usr/local/lib/daq//daq_ipfw.so: Module API version (0x10007) differs from expected version (0x30001)
/usr/local/lib/daq//daq_ipfw.so: Failed to register DAQ module.
pcap DAQ configured to passive.
Commencing packet processing
Entering command shell
o")~
++ [0] eth0
reload_config('/usr/local/snort261/etc/snort/snort.lua')
.. reloading configuration
Loading /usr/local/snort261/etc/snort/snort.lua:
Loading snort_defaults.lua:
Finished snort_defaults.lua:
Loading file_magic.lua:
Finished file_magic.lua:
ssh
host_cache
pop
binder
stream_tcp
network
gtp_inspect
packets
dce_http_proxy
stream_icmp
normalizer
ftp_server
stream_udp
search_engine
ips
dce_smb
latency
wizard
appid
file_id
ftp_data
hosts
smtp
port_scan
dce_http_server
modbus
dce_tcp
telnet
host_tracker
ssl
sip
rpc_decode
http2_inspect
http_inspect
back_orifice
stream_user
stream_ip
classifications
dnp3
active
ftp_client
daq
decode
alerts
stream
references
arp_spoof
output
dns
dce_udp
imap
process
stream_file
Finished /usr/local/snort261/etc/snort/snort.lua:
0 hosts loaded
.. swapping configuration
== reload complete
o")~
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users
To unsubscribe, send an email to:
snort-users-leave () lists snort org
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
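The two receive-loop shapes compared in this thread, as an added stand-alone example (not libdaq code and not written by any poster): the nfq shape, which only honours the interrupt when the socket read fails with EINTR, next to the pcap/afpacket shape, which tests the interrupt flag at the top of every iteration. The status enum, the Ctx struct and the two scripted recv functions are stand-ins I made up so the loop can run offline; the scripted sockets model the case the reporter hit (data keeps arriving, or the read is restarted, so EINTR never surfaces) and the case the old code was written for (the read is actually cut short by the signal).

```c
#include <errno.h>
#include <signal.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

/* Stand-ins for the DAQ receive status codes named in the thread (constructed
   values, not libdaq's). */
typedef enum { RSTAT_OK, RSTAT_WOULD_BLOCK, RSTAT_TIMEOUT, RSTAT_INTERRUPTED, RSTAT_ERROR } RecvStatus;

typedef struct Ctx Ctx;
typedef ssize_t (*recv_fn)(Ctx *c, bool blocking);

/* Minimal model of a DAQ module context: the flag raised by the interrupt
   request, a pluggable "socket" so the behaviour can be scripted, and counters. */
struct Ctx {
    volatile sig_atomic_t interrupted;
    recv_fn recv;
    int calls;
    unsigned packets_received;
};

/* check_flag_in_loop == false models the old nfq loop: an interrupt is noticed
   only if recv() happens to fail with EINTR. true models the pcap/afpacket loop
   (and the libdaq master fix): the flag is tested on every iteration, and the
   EINTR branch is kept as well. */
static unsigned receive(Ctx *c, unsigned max_recv, RecvStatus *rstat, bool check_flag_in_loop)
{
    unsigned idx = 0;
    *rstat = RSTAT_OK;
    while (idx < max_recv) {
        if (check_flag_in_loop && c->interrupted) {
            c->interrupted = 0;
            *rstat = RSTAT_INTERRUPTED;
            break;
        }
        ssize_t ret = c->recv(c, idx == 0);      /* block only for the first packet */
        if (ret < 0) {
            if (errno == EAGAIN || errno == EWOULDBLOCK)
                *rstat = (idx == 0) ? RSTAT_TIMEOUT : RSTAT_WOULD_BLOCK;
            else if (errno == EINTR) {
                if (!c->interrupted)
                    continue;                    /* signal not meant for us: retry */
                c->interrupted = 0;
                *rstat = RSTAT_INTERRUPTED;
            } else
                *rstat = RSTAT_ERROR;
            break;
        }
        c->packets_received++;
        idx++;
    }
    return idx;
}

/* Scripted socket 1: a frame is always ready, so the read never blocks and never
   returns EINTR (a busy sensor, or a read restarted after the signal). */
static ssize_t recv_always_ready(Ctx *c, bool blocking)
{
    (void)blocking;
    c->calls++;
    return 1500;
}

/* Scripted socket 2: the first read is cut short by a signal (EINTR), later
   reads deliver frames. */
static ssize_t recv_eintr_once(Ctx *c, bool blocking)
{
    (void)blocking;
    if (c->calls++ == 0) {
        errno = EINTR;
        return -1;
    }
    return 1500;
}

typedef struct { unsigned count; RecvStatus status; int flag_after; } Outcome;

/* One receive() call of up to 4 messages; pending_interrupt == true means the
   interrupt (reload or Ctrl+C) was requested before the loop started. */
static Outcome run_scenario(recv_fn sock, bool check_flag_in_loop, bool pending_interrupt)
{
    Ctx c = { .interrupted = pending_interrupt ? 1 : 0, .recv = sock, .calls = 0, .packets_received = 0 };
    Outcome o;
    o.count = receive(&c, 4, &o.status, check_flag_in_loop);
    o.flag_after = c.interrupted;
    return o;
}

int main(void)
{
    static const char *names[] = { "OK", "WOULD_BLOCK", "TIMEOUT", "INTERRUPTED", "ERROR" };
    Outcome a = run_scenario(recv_always_ready, false, true);
    Outcome b = run_scenario(recv_always_ready, true, true);
    Outcome s = run_scenario(recv_eintr_once, false, false);
    printf("busy socket, EINTR only : %u msgs, %s, flag still set: %d\n", a.count, names[a.status], a.flag_after);
    printf("busy socket, flag check : %u msgs, %s, flag still set: %d\n", b.count, names[b.status], b.flag_after);
    printf("spurious EINTR, no flag : %u msgs, %s\n", s.count, names[s.status]);
    return 0;
}
```

With the busy socket, the EINTR-only loop returns a full batch with the flag still set, so the caller never sees DAQ_RSTAT_INTERRUPTED and a reload or Ctrl+C stalls exactly as in the reporter's log; the flag-checked loop returns INTERRUPTED before the first read. The EINTR branch is still worth keeping in the fixed loop so that a signal not aimed at the DAQ simply retries the read instead of being reported as an error.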
Current thread:
- snort3_build261 cannot work with nfq Re:Re: Help! A critical error in appid, but not occur every time。 sofardware via Snort-users (Oct 07)
- Re: snort3_build261 cannot work with nfq Re:Re: Help! A critical error in appid, but not occur every time。 sofardware via Snort-users (Oct 08)
- Re: snort3_build261 cannot work with nfq Re:Re: Help! A critical error in appid, but not occur every time。 sofardware via Snort-users (Oct 08)
- Re: snort3_build261 cannot work with nfq Re:Re: Help! A critical error in appid, but not occur every time。 Michael Altizer (mialtize) via Snort-users (Oct 09)
- Help!!! snort_build261 can not reload config successfully with daq in nfq sofardware via Snort-users (Oct 09)
- Help please!!! snort_build261 can not reload config successfully with daq in nfq sofardware via Snort-users (Oct 09)
- Re: Help please!!! snort_build261 can not reload config successfully with daq in nfq Russ Combs (rucombs) via Snort-users (Oct 09)
- Re: Help please!!! snort_build261 can not reload config successfully with daq in nfq sofardware via Snort-users (Oct 09)
- Re: Help please!!! snort_build261 can not reload config successfully with daq in nfq sofardware via Snort-users (Oct 09)
- Re: Help please!!! snort_build261 can not reload config successfully with daq in nfq sofardware via Snort-users (Oct 10)
- Re: Help please!!! snort_build261 can not reload config successfully with daq in nfq Michael Altizer (mialtize) via Snort-users (Oct 10)
- Re: Help please!!! snort_build261 can not reload config successfully with daq in nfq Michael Altizer (mialtize) via Snort-users (Oct 11)
- Re: snort3_build261 cannot work with nfq Re:Re: Help! A critical error in appid, but not occur every time。 sofardware via Snort-users (Oct 08)
- new Help please!!! snort_build261 appid can not identify http sofardware via Snort-users (Oct 12)
- Help! An error about "reject" action with build261 sofardware via Snort-users (Oct 16)
- Re: Help! An error about "reject" action with build261 Meridoff via Snort-users (Oct 16)
- Re: Help! An error about "reject" action with build261 sofardware via Snort-users (Oct 16)
- Re: snort3_build261 cannot work with nfq Re:Re: Help! A critical error in appid, but not occur every time。 sofardware via Snort-users (Oct 08)
- Re: snort3_build261 cannot work with nfq Re:Re: Help! A critical error in appid, but not occur every time。 sofardware via Snort-users (Oct 10)
- Re: snort3_build261 cannot work with nfq Re:Re: Help! A critical error in appid, but not occur every time。 Michael Altizer (mialtize) via Snort-users (Oct 11)
