Re: Snort 2.9.1.2 exits on file upload

[Sudarshan Raghavan <sudarshan.t.raghavan () gmail com>]

Hi Russ,

My answers are inline. Thanks for the help.

Regards,
Sudarshan

On Thu, Feb 2, 2012 at 9:00 PM, Russ Combs <rcombs () sourcefire com> wrote:
> On Thu, Feb 2, 2012 at 9:09 AM, Sudarshan Raghavan
> <sudarshan.t.raghavan () gmail com> wrote:
> > I can see in the 2.8.5 sources that ipq_read error does not result in
> > snort exiting. It calls ipq_perror and continues to read. Is this an
> > ok behaviour to go back to. It is not ideal but having snort die is
> > not the best solution either. Can I get rid of the break in
> > PacketLoop?
>
>
> What version of the DAQ tarball and IPQ DAQ (./snort --daq-list) are you
> using?  That should have been fixed a while back.

I am using ipq and nfq
Available DAQ modules:
nfq(v6): live inline multi
ipq(v5): live inline multi

> Assuming you have the latest, if you are only running IPQ updating snort.c
> is an option.  If you might run other DAQs, including pcap, suggest making
> the change in the IPQ DAQ module itself (daq_ipq.c).

I am not using pcap. I am using snort 2.9.1.2. Can I copy snort.c from
2.9.2 sources? Unfortunately I cannot move to 2.9.2 at this point in
time.

> Also, it would be helpful if you could send the specific error so that can
> be ignored.

The error that I am seeing is ""Can't acquire (-1) - ipq_daq_acquire:
ipq_read=-1 error Failed to receive netlink message". On another
system that has more memory and a higher rmem and wmem, the same test
works just fine. I am not sure if these two config settings make any
difference.


> > On Thu, Feb 2, 2012 at 7:18 PM, Sudarshan Raghavan
> > <sudarshan.t.raghavan () gmail com> wrote:
> > > Do I have to increase some buffer size? Can the -1 error from ipq_read
> > > be ignored? I am seeing this error every time I try to upload a 60MB
> > > file over HTTP.
> > >
> > > Regards,
> > > Sudarshan
> > >
> > > On Thu, Feb 2, 2012 at 7:05 PM, Sudarshan Raghavan
> > > <sudarshan.t.raghavan () gmail com> wrote:
> > > > Snort Version: 2.9.1.2 IPv6 GRE
> > > > libpcap: 0.8.3
> > > > pcre: 7.0 18-Dec-2006
> > > > zlib: 1.2.3
> > > > Linux Kernel: 2.6.37.3 (32 bit)
> > > >
> > > > We are snort exit when trying a http file upload with this error
> > > > "Can't acquire (-1) - ipq_daq_acquire: ipq_read=-1 error Failed to
> > > > receive netlink message". Has anyone seen this error message before?
> > > >
> > > > Regards,
> > > > Sudarshan
> >
> >
> > ------------------------------------------------------------------------------
> > Keep Your Developer Skills Current with LearnDevNow!
> > The most comprehensive online learning library for Microsoft developers
> > is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
> > Metro Style Apps, more. Free future releases when you subscribe now!
> > http://p.sf.net/sfu/learndevnow-d2d
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest Snort
> > news!

------------------------------------------------------------------------------
Keep Your Developer Skills Current with LearnDevNow!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!