Snort mailing list archives
Re: Snort 2.9, RHEL 5 and afpacket DAQ [~Solved?]
From: Michael Altizer <xiche () verizon net>
Date: Fri, 22 Oct 2010 11:09:34 -0400
On 10/21/2010 03:52 PM, Rich Graves wrote:
On Wed, Oct 20, 2010 at 5:06 PM, Michael Altizer <maltizer () sourcefire com <mailto:maltizer () sourcefire com>> wrote:Thanks. This is in part due to the AFPacket DAQ module not being defensive enough, but the real root cause is Snort passing it an empty interface string in test mode when no interface is specified on the command line (this differs from normal mode where it uses pcap to find a default device). You can work around this by specifying an interface (-i) when running in test mode. There should be no difference between 49mb and > 49mb now.I've attached an updated version of my previous patch which incorporates item 1. On my box, this fixes snort -c. Thanks.However, snort -Tc still fails if (snort -c + snort -Tc) buffers are > 49MB.Using snort --daq pcap -Tc to test config/rule changes is an acceptable workaround for me, and probably better in most cases (unless you specifically want to test buffer memory allocation). But it either needs to be fixed or release-noted.# snort -T -c /etc/snort/snort.conf ... afpacket DAQ configured to passive. Floating point exception # echo $? 136
snort --daq-dir /usr/local/lib64/daq --daq afpacket -T -c /root/snort.conf -i eth0
^ works fine on my CentOS 5.5 system. -Michael
------------------------------------------------------------------------------ Nokia and AT&T present the 2010 Calling All Innovators-North America contest Create new apps & games for the Nokia N8 for consumers in U.S. and Canada $10 million total in prizes - $4M cash, 500 devices, nearly $6M in marketing Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store http://p.sf.net/sfu/nokia-dev2dev
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Re: Snort 2.9, RHEL 5 and afpacket DAQ, (continued)
- Re: Snort 2.9, RHEL 5 and afpacket DAQ Mike Lococo (Oct 20)
- Re: Snort 2.9, RHEL 5 and afpacket DAQ beenph (Oct 20)
- Re: Snort 2.9, RHEL 5 and afpacket DAQ Michael Altizer (Oct 20)
- Re: Snort 2.9, RHEL 5 and afpacket DAQ Jeff Kell (Oct 20)
- Re: Snort 2.9, RHEL 5 and afpacket DAQ Rich Graves (Oct 20)
- Re: Snort 2.9, RHEL 5 and afpacket DAQ Michael Altizer (Oct 20)
- Re: Snort 2.9, RHEL 5 and afpacket DAQ [~Solved?] Michael Altizer (Oct 20)
- Re: Snort 2.9, RHEL 5 and afpacket DAQ [~Solved?] Michael Altizer (Oct 20)
- Re: Snort 2.9, RHEL 5 and afpacket DAQ [~Solved?] Russ Combs (Oct 20)
- Re: Snort 2.9, RHEL 5 and afpacket DAQ [~Solved?] Rich Graves (Oct 21)
- Re: Snort 2.9, RHEL 5 and afpacket DAQ [~Solved?] Michael Altizer (Oct 22)
- Re: Snort 2.9, RHEL 5 and afpacket DAQ [~Solved?] Ralf Spenneberg (Oct 21)
- Re: Snort 2.9, RHEL 5 and afpacket DAQ [~Solved?] Jason Haar (Oct 20)