Snort mailing list archives
Re: [PATCHES] Fixes for daq_nfq
From: Russ Combs <rcombs () sourcefire com>
Date: Thu, 9 Dec 2010 12:33:19 -0500
Have you tested with DAQ 0.3?

On Tue, Nov 2, 2010 at 4:31 PM, Kelvie Wong <kwong () wurldtech com> wrote:

> On November 2, 2010 01:08:36 pm Russ Combs wrote:
> > Too bad NFQ is so buggy. Any idea when this fails and when not? Is it
> > certain traffic?
>
> I am not quite sure. Mainly I have been testing this with an nmap scan of
> the TCP ports; this also happens for a storm of TCP packets as well. I
> hadn't tested this against other types of traffic prior to applying this
> patch.
>
> > If this happens always or never, for a given run of Snort, the patch is
> > reasonable. If it is every other packet, we may be better off just adding
> > the smallest delta possible to the timestamp to keep them sequenced.
>
> For the type of traffic I had tested (I placed printf statements inside
> there), it was every single packet, and not just some of them.
>
> > The freeze scenario should be eliminated with daq 0.3. Can you verify
> > that?
>
> I do not have a test bench set up right now, but I may be able to get a few
> tests in later after I have exhausted my other commitments.
>
> > The early exit is a little different. Does this indicate a permanent
> > error? Can you elaborate on the conditions?
> >
> > The errors were presumed permanent and Snort exits to avoid consuming
> > excessive resources.
>
> I have attached a packet capture that can reproduce it every single time on
> one of our hardware configurations -- I have not tested it elsewhere.
> Packets are still queued normally from NFQ after nfq_handle_packet returns
> an error. Snort exits at around the 1000th packet.
>
> As I have mentioned earlier, I don't have a test environment set up
> currently (nor the time to set it up), so I'm terribly sorry I can't be of
> more help right now.
>
> --
> Kelvie Wong
> Software Developer
> Wurldtech Security Technologies Inc.
> Suite 1680 - 401 West Georgia St.
> Vancouver, B.C. V6B 5A1 Canada
> Phone: + 1.604.669.6674
> Toll Free: + 1.877.369.6674
> Fax: + 1.604.669.2902
> Website: http://www.wurldtech.com/