Snort mailing list archives

Re: Pfring crashes the kernel with white lists.


From: Peter Bates <peter.bates () ucl ac uk>
Date: Wed, 18 Jul 2012 21:36:05 +0100


Hello all - and apologies for cross-posting.

On 21/06/2012 00:58, Livio Ricciulli wrote:
It looks like the ssl dynamic processor of the latest snort 
distributions causes the DAQ verdict to be WHITE_LIST for certain
ssl connections. This is perfectly ok if you are NOT using --daq
pfring. If you use --daq pfring with snort 2.9.2.x, it will cause
pfring to add a monotonically increasing number of WHITE_LIST
pfring filters in kernel memory causing memory exhaustion and
eventually a crash after a few hours/days/months depending on your
traffic rate. We have a pfring distribution that fixes this and
other problems (like supporting bpf filtering) at
http://www.metaflows.com/pfring/PF_RING.tgz

The WHITE_LIST fix is very simple; basically, if the verdict from
the snort processing is WHITE_LIST, you set it to PASS instead in
daq_pfring.c.

We will send these fixes to the Ntop folks as well..

This bug hit me today with PF_RING from svn and Snort 2.9.2.3
- available RAM was exhausted over the course of a couple of hours and
left me with a dead IDS (well, until I reboot it tomorrow).

I'd appreciate it if the Metaflows changes could make it into the current
version of PF_RING and PF_RING DAQ - I presume there's no change in
Snort 2.9.3 that will alter this behaviour.

-- 
Peter Bates
Senior Computer Security Officer    Phone: +44(0)2076792049
Information Services Division       Internal Ext: 32049
University College London
London WC1E 6BT
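For readers who want to see the failure mode Livio describes and the one-line remap he proposes side by side, here is an added illustration in C. It is not code from daq_pfring.c, PF_RING or Snort; the verdict enum, the flow struct and the rule table are constructed stand-ins for the DAQ verdict values and the per-flow filters PF_RING keeps in kernel memory, and the function names are assumptions. The point it makes is that an unfixed module turns every WHITE_LIST verdict into another kernel-resident filter that is never released, so the rule count grows with the number of whitelisted connections, while remapping WHITE_LIST to PASS before the module acts on it keeps the count at zero.

```c
/* Added example, not from daq_pfring.c or PF_RING: a model of how a
   WHITE_LIST verdict leaks a kernel filter rule, and of the remap fix. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Verdict values modelled on the DAQ verdict set (names assumed here). */
typedef enum {
    VERDICT_PASS = 0,
    VERDICT_BLOCK,
    VERDICT_WHITELIST,
    VERDICT_BLACKLIST
} verdict_t;

/* The 5-tuple of the flow a verdict applies to (constructed). */
struct flow {
    uint32_t src, dst;
    uint16_t sport, dport;
};

/* Stand-in for the kernel-side filter table: one node per installed rule.
   In the real module these live in kernel memory for as long as the ring
   socket is open, which is why they are never freed below either. */
struct filter_rule {
    struct flow f;
    struct filter_rule *next;
};

static struct filter_rule *rules_head = NULL;
static size_t rules_count = 0;

/* Install a per-flow rule; returns 0 on success, -1 on allocation failure. */
static int add_filter_rule(const struct flow *f)
{
    struct filter_rule *r = malloc(sizeof *r);
    if (!r)
        return -1;
    r->f = *f;
    r->next = rules_head;
    rules_head = r;
    rules_count++;
    return 0;
}

/* Release every rule (only ever done when the socket is torn down). */
static void reset_rules(void)
{
    while (rules_head) {
        struct filter_rule *next = rules_head->next;
        free(rules_head);
        rules_head = next;
    }
    rules_count = 0;
}

/* Unfixed behaviour: every WHITE_LIST verdict installs a new kernel rule. */
static int handle_verdict_unfixed(const struct flow *f, verdict_t v)
{
    if (v == VERDICT_WHITELIST)
        return add_filter_rule(f);
    return 0;           /* PASS, BLOCK, BLACKLIST: nothing to install here */
}

/* The fix Livio describes: downgrade WHITE_LIST to PASS before acting. */
static verdict_t remap_verdict(verdict_t v)
{
    return v == VERDICT_WHITELIST ? VERDICT_PASS : v;
}

static int handle_verdict_fixed(const struct flow *f, verdict_t v)
{
    return handle_verdict_unfixed(f, remap_verdict(v));
}

/* Push n distinct flows with WHITE_LIST verdicts through a handler and
   return how many kernel rules are left behind. */
static size_t simulate(int (*handler)(const struct flow *, verdict_t), size_t n)
{
    reset_rules();
    for (size_t i = 0; i < n; i++) {
        /* Constructed sample flows: distinct client ports to TCP/443. */
        struct flow f = { 0x0a000001u + (uint32_t)i, 0xc0a80001u,
                          (uint16_t)(1024 + i), 443 };
        handler(&f, VERDICT_WHITELIST);
    }
    return rules_count;
}

int main(void)
{
    printf("unfixed: %zu rules after 1000 whitelisted flows\n",
           simulate(handle_verdict_unfixed, 1000));
    printf("fixed:   %zu rules after 1000 whitelisted flows\n",
           simulate(handle_verdict_fixed, 1000));
    reset_rules();
    return 0;
}
```

On a live sensor the equivalent check is to watch the number of installed PF_RING filters (or simply free memory) while SSL traffic flows: a count that only ever rises is the symptom the thread describes, and it should stay flat once the remap is in place.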


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!


Current thread: