Snort mailing list archives
Re: Pfring crashes the kernel with white lists.
From: Livio Ricciulli <livio () metaflows com>
Date: Fri, 22 Jun 2012 10:20:08 -0700
With pfring 5.1, if you specified a bpf filter and -daq -pfring, the daq will not open and Snort will not even start. We recently fixed it so that it works now. If you have bpf already specified and it runs, I am assuming you are using a later version where they fixed the bug (although probably still vulnerable to the white listing issue below). So I think you are ok.

A more interesting thing for you (since you run 10G I think) is to run the filter in hardware rather than software. I am working on a script that translates a subset of the bpf expressions to hardware rules for the Intel 82599 Ethernet controller (supported by pfring). With the hardware rules, the filtered packets are never seen by the kernel so there is less CPU utilization and (conceivably) with the right filters, you could run up to line rate (28 Mpps full duplex). Let me know if you are interested in beta testing the hardware filtering (if you use the 82599).

Livio.

On 6/22/2012 5:41 AM, Peter Bates wrote:
> Hello all
>
> On 21/06/2012 00:58, livio Ricciulli wrote:
>> If you use --daq pfring with snort 2.9.2.x, it will cause pfring to add a monotonically increasing number of WHITE_LIST pfring filters in kernel memory causing memory exhaustion and eventually a crash after a few hours/days/months depending on your traffic rate. We have a pfring distribution that fixes this and other problems (like supporting bpf filtering) at http://www.metaflows.com/pfring/PF_RING.tgz
>
> I'm running this combination and am keen to avoid this bug so will take a look.
>
> Can you explain 'supporting bpf filtering' a bit more? I have
>
>     config bpf_file: /etc/snort/bpf
>
> (equivalent to -F) and according to PF_RING the BPF is being applied:
>
>     BPF Filtering : Enabled
>
> Or is the difference in Snort applying the BPF filter after PF_RING and not before?
>
> --
> Peter Bates
> Senior Computer Security Officer      Phone: +44(0)2076792049
> Information Services Division         Internal Ext: 32049
> University College London
> London WC1E 6BT
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
> http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
--
Livio Ricciulli
MetaFlows Inc.
(408) 835-5005
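The translation script Livio mentions is not on the page. As an added illustration (my own code, not MetaFlows' or PF_RING's), the block below shows the shape such a translator has to take: a NIC rule on an 82599 is a plain conjunction of 5-tuple fields, so a BPF subset of `host`/`net`/`port`/`tcp`/`udp` primitives joined by `and`/`or` is first rewritten into a list of conjunctions (one hardware rule each) and everything the silicon cannot express (`not`, grouping, payload or VLAN matches) is refused so that it stays in the software BPF. The output is `ethtool -N` ntuple commands, which is one way to program Flow Director rules on ixgbe; PF_RING has its own hardware-rule API that this example does not use. Assumptions, all mine: the device is `eth0`, the expression names traffic the NIC should discard (the inverse of a Snort `-F` filter, which names traffic to keep), `action -1` is ethtool's drop action, and ethtool's `m` mask is a don't-care mask in which set bits are ignored.

```python
import ipaddress
from itertools import product

# Added illustration, not the script from the thread. Assumptions: the
# expression names traffic to DROP; `action -1` is ethtool's drop action;
# `m` is ethtool's don't-care mask (set bits are ignored).
PROTO_FLOW_TYPES = {"tcp": "tcp4", "udp": "udp4"}
FIELD_ORDER = ("src-ip", "dst-ip", "src-port", "dst-port")


class Unsupported(ValueError):
    """A BPF construct the 5-tuple hardware filter cannot express."""


def _parse_primitive(toks):
    """Consume one primitive; return the hardware alternatives it expands to
    (`host X` means `src-ip X` OR `dst-ip X`, so it yields two dicts)."""
    direction = toks.pop(0) if toks and toks[0] in ("src", "dst") else None
    kw = toks.pop(0) if toks else None
    if kw in PROTO_FLOW_TYPES and not direction:
        return [{"flow-type": PROTO_FLOW_TYPES[kw]}]
    if kw not in ("host", "net", "port") or not toks:
        raise Unsupported(f"cannot translate primitive {(direction, kw)}")
    raw = toks.pop(0)
    try:
        if kw == "port":
            field, value = "port", int(raw)
            if not 0 <= value <= 65535:
                raise ValueError
        else:
            field, value = "ip", ipaddress.ip_network(raw, strict=False)
            if value.version != 4 or (kw == "host" and value.prefixlen != 32):
                raise ValueError
    except ValueError:
        raise Unsupported(f"bad {kw} value {raw!r}") from None
    return [{f"{d}-{field}": value} for d in ([direction] if direction else ["src", "dst"])]


def _merge(parts):
    """AND the parts of one conjunction. None when they contradict (two
    different src-ip values, or tcp and udp): such a rule can never match."""
    merged = {}
    for part in parts:
        for key, val in part.items():
            if key in merged and merged[key] != val:
                return None
            merged[key] = val
    return merged


def _render(dev, flow_type, fields, action):
    cmd = [f"ethtool -N {dev} flow-type {flow_type}"]
    for key in FIELD_ORDER:
        if key not in fields:
            continue
        val = fields[key]
        if key.endswith("-ip"):
            cmd.append(f"{key} {val.network_address}")
            if val.prefixlen != 32:
                cmd.append(f"m {val.hostmask}")  # don't-care bits of the prefix
        else:
            cmd.append(f"{key} {val}")
    cmd.append(f"action {action}")
    return " ".join(cmd)


def translate(expr, dev="eth0", action=-1):
    """Return the ethtool commands that implement `expr` as hardware rules.
    Grammar: primitives joined by `and`, alternatives joined by `or`."""
    words = expr.lower().split()
    if any(w == "not" or "(" in w or ")" in w for w in words):
        raise Unsupported("negation and grouping must stay in the software BPF")
    rules = []
    for clause in " ".join(words).split(" or "):
        alternatives = []
        for prim in clause.split(" and "):
            toks = prim.split()
            if not toks:
                raise Unsupported("empty primitive")
            alternatives.append(_parse_primitive(toks))
            if toks:
                raise Unsupported(f"unexpected tokens {toks}")
        # Distribute the ORs hidden in host/port over the AND: one rule per combo.
        for combo in product(*alternatives):
            fields = _merge(combo)
            if fields is None:
                continue
            if "flow-type" in fields:
                flow_types = [fields["flow-type"]]
            elif any(k.endswith("-port") for k in fields):
                flow_types = ["tcp4", "udp4"]  # a port match needs an L4 flow type
            else:
                flow_types = ["ip4"]
            rules.extend(_render(dev, ft, fields, action) for ft in flow_types)
    return rules
```

`translate("tcp and dst port 873 and host 10.1.2.3")` yields two commands, one with `src-ip 10.1.2.3` and one with `dst-ip 10.1.2.3`, because the hardware cannot say "either side"; a bare `port 53` fans out to four (src/dst times tcp4/udp4). That fan-out is the practical limit of the approach: the Flow Director table is finite, so a BPF expression that looks short can exhaust it. Before loading rules, `ethtool -K eth0 ntuple on` must be set, and after loading, `ethtool -n eth0` lists what the driver actually accepted; check dmesg for rules the ixgbe driver rejected (it is strict about masks), and keep the original expression in Snort's `-F` filter as well, since the software filter is what still covers everything the translator refused.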
Current thread:
- Snort rule for TCP Portscan and PortSweep Tran M. Thang (Jun 20)
- Pfring crashes the kernel with white lists. livio Ricciulli (Jun 20)
- Re: Pfring crashes the kernel with white lists. Peter Bates (Jun 22)
- Re: Pfring crashes the kernel with white lists. Livio Ricciulli (Jun 22)
- Re: Pfring crashes the kernel with white lists. Peter Bates (Jun 22)
- Pfring crashes the kernel with white lists. livio Ricciulli (Jun 20)