Re: [PATCHES] Fixes for daq_nfq

[Russ Combs <rcombs () sourcefire com>]

Have you tested with DAQ 0.3?

On Tue, Nov 2, 2010 at 4:31 PM, Kelvie Wong <kwong () wurldtech com> wrote:

>  On November 2, 2010 01:08:36 pm Russ Combs wrote:
>
> > Too bad NFQ is so buggy.  Any idea when this fails and when not?  Is it
>
> > certain traffic?
>
> >
>
> I am not quite sure. Mainly I have been testing this with a nmap scan of
> the TCP ports; this also happens for a storm of TCP packets as well. I
> hadn't tested this against other types of traffic, prior to apply this
> patch.
>
> > If this happens always or never, for a given run of Snort, the patch is
>
> > reasonable.  If it is every other packet, we may be better off just
> adding
>
> > the smallest delta possible to the timestamp to keep them sequenced.
>
> For the type of traffic I had tested (I placed printf statements inside
> there), it was every single packet, and not just some of them.
>
>  > The freeze scenario should be eliminated with daq 0.3.  Can you verify
>
> > that?
>
> I do not have a test bench set up right now, but I may be able to get a few
> tests in later after I have exhausted my other committments.
>
> >
>
> > The early exit is a little different.  Does this indicate a permanent
>
> > error?  Can you elaborate on the conditions?
>
> >
>
> > The errors were presumbed permanent and Snort exits to avoid consuming
>
> > excessive resources.
>
> I have attached a packet capture that can reproduce it every single time on
> one of our hardware configurations -- I have not tested it elsewhere.
> Packets are still queued normally from NFQ after nfq_handle_packet returns
> an error.
>
> Snort exits at around the 1000th packet.
>
> As I have mentioned earlier, I don't have a test environment set up
> currently (nor the time to set it up), so I'm terribly sorry I can't be of
> more help right now.
>
> --
>
> Kelvie Wong
>
> Software Developer
>
> Wurldtech Security Technologies Inc.
>
> Suite 1680 - 401 West Georgia St.
>
> Vancouver, B.C. V6B 5A1
>
> Canada
>
> Phone: + 1.604.669.6674
>
> Toll Free: + 1.877.369.6674
>
> Fax: + 1.604.669.2902
>
> Website: http://www.wurldtech.com/
>
> "ARE YOU ACHILLES CERTIFIED?"
>
> This message is intended only for the named recipients. This message
>
> may contain information that is privileged, confidential or exempt
>
> from disclosure under applicable law. Any dissemination or copying
>
> of this message by anyone other than a named recipient is strictly
>
> prohibited. If you are not a named recipient or an employee or agent
>
> responsible for delivering this message to a named recipient, please
>
> notify us immediately by telephone at 604-669-6674, and permanently
>
> destroy this message and any copies you may have. Email may not be
>
> secure unless properly encrypted.
------------------------------------------------------------------------------

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel