Re: Snort 2.9.1.2 exits on file upload

[Russ Combs <rcombs () sourcefire com>]

On Thu, Feb 2, 2012 at 9:09 AM, Sudarshan Raghavan <
sudarshan.t.raghavan () gmail com> wrote:

> I can see in the 2.8.5 sources that ipq_read error does not result in
> snort exiting. It calls ipq_perror and continues to read. Is this an
> ok behaviour to go back to. It is not ideal but having snort die is
> not the best solution either. Can I get rid of the break in
> PacketLoop?

What version of the DAQ tarball and IPQ DAQ (./snort --daq-list) are you
using?  That should have been fixed a while back.

Assuming you have the latest, if you are only running IPQ updating snort.c
is an option.  If you might run other DAQs, including pcap, suggest making
the change in the IPQ DAQ module itself (daq_ipq.c).

Also, it would be helpful if you could send the specific error so that can
be ignored.


> On Thu, Feb 2, 2012 at 7:18 PM, Sudarshan Raghavan
> <sudarshan.t.raghavan () gmail com> wrote:
> > Do I have to increase some buffer size? Can the -1 error from ipq_read
> > be ignored? I am seeing this error every time I try to upload a 60MB
> > file over HTTP.
> >
> > Regards,
> > Sudarshan
> >
> > On Thu, Feb 2, 2012 at 7:05 PM, Sudarshan Raghavan
> > <sudarshan.t.raghavan () gmail com> wrote:
> > > Snort Version: 2.9.1.2 IPv6 GRE
> > > libpcap: 0.8.3
> > > pcre: 7.0 18-Dec-2006
> > > zlib: 1.2.3
> > > Linux Kernel: 2.6.37.3 (32 bit)
> > >
> > > We are snort exit when trying a http file upload with this error
> > > "Can't acquire (-1) - ipq_daq_acquire: ipq_read=-1 error Failed to
> > > receive netlink message". Has anyone seen this error message before?
> > >
> > > Regards,
> > > Sudarshan
>
>
> ------------------------------------------------------------------------------
> Keep Your Developer Skills Current with LearnDevNow!
> The most comprehensive online learning library for Microsoft developers
> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
> Metro Style Apps, more. Free future releases when you subscribe now!
> http://p.sf.net/sfu/learndevnow-d2d
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
------------------------------------------------------------------------------
Keep Your Developer Skills Current with LearnDevNow!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-d2d

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!