Snort mailing list archives
Re: Re: snort preprocessor reputation Shared memory loadentries always 0
From: "????????" <85358830 () qq com>
Date: Wed, 10 May 2017 12:54:35 +0800
Thx hui. I use the command as you give me:

    ./snort -G 0 -Q --process-all-events -c ../etc/snort.conf

The following is the output of the Master snort:

    .......
    ...
    Reputation config:
        Reputation total memory usage: 0 bytes
        Reputation total entries loaded: 0, invalid: 0, re-defined: 0
        Memcap: 500 (Default) M bytes
        Scan local network: ENABLED
        Reputation priority: whitelist(Default)
        Nested IP: both
        White action: unblack (Default)
        Shared memory supported, Update directory: /usr/reputation/iplists
        Shared memory refresh period: 60 (Default) seconds
        Shared memory max instances: 2
    ..........
    ......
    Reload thread starting...
    Reload thread started, thread 0xa44f1b40 (26006)
    Reputation Preprocessor: Size of shared memory segment SFShmemMgmt.0.0 is 128
    Mapped shared management region of size 128 as a writer.
    Reputation Preprocessor: Size of shared memory segment SFIPReputation.rt.0.0.0 is 1146880
    Processing blacklist file /usr/reputation/iplists/black_list.blf
        Reputation entries loaded: 2, invalid: 0, re-defined: 0 (from file /usr/reputation/iplists/black_list.blf)
    Processing whitelist file /usr/reputation/iplists/white_list.wlf
        Reputation entries loaded: 0, invalid: 0, re-defined: 0 (from file /usr/reputation/iplists/white_list.wlf)
    Reputation Preprocessor shared memory summary:
        Reputation total memory usage: 329712 bytes
        Reputation total entries loaded: 2, invalid: 0, re-defined: 0
    ........
    .....

Master snort looks to work well. Next step, I start a new snort instance as client. It looks like it does not load the shared memory black list info. The following line is my command:

    ./snort -G 1 -Q --process-all-events -c ../etc/snort.conf.smg.5.9

It outputs:

    .......
    .....
    Reputation config:
        Reputation total memory usage: 0 bytes
        Reputation total entries loaded: 0, invalid: 0, re-defined: 0
        Memcap: 500 (Default) M bytes
        Scan local network: ENABLED
        Reputation priority: whitelist(Default)
        Nested IP: both
        White action: unblack (Default)
        Shared memory supported, Update directory: /usr/reputation/iplists
        Shared memory refresh period: 60 (Default) seconds
        Shared memory max instances: 2
    ........
    ......
    Reload thread starting...
    Reload thread started, thread 0xa44a1b40 (26334)
    Reputation Preprocessor: Size of shared memory segment SFShmemMgmt.0.0 is 128
    Mapped shared management region of size 128 as a reader.
    Reputation Preprocessor: Size of shared memory segment SFIPReputation.rt.0.0.0 is 1146880
    ..........
    ....

My questions are:

1. What does 'Shared memory max instances: 2' mean? Does it mean I can only start two instances?
2. How do I know that my snort client uses a shared blacklist? I can't get any information from the client snort output.

------------------ Original Message ------------------
From: "Hui Cao (huica)";<huica () cisco com>;
Sent: May 9, 2017, 11:53
To: "????????"<85358830 () qq com>; "Snort-users"<snort-users () lists sourceforge net>;
Subject: Re: [Snort-users] Re: snort preprocessor reputation Shared memory loadentries always 0

You should use command:

    ./snort -G 0 -Q --process-all-events -c ../etc/snort.conf

Only instance 0 will be a shared memory writer.

Best,
Hui.

On 5/9/17, 11:46 AM, "????????" <85358830 () qq com> wrote:

Sorry, message attachments are not supported.

Here is my snort.conf:

    # Reputation preprocessor. For more information see README.reputation
    preprocessor reputation: \
       memcap 500, \
       scan_local, \
       # priority whitelist, \
       white unblack, \
       nested_ip both, \
       # whitelist /usr/reputation/iplists/white_list.wlf, \
       # blacklist /usr/reputation/iplists/black_list.blf, \
       shared_mem /usr/reputation/iplists, \
       shared_refresh 60

Here is my black_list.blf:

    192.168.59.158/32
    192.168.59.128/32

------------------ Original Message ------------------
From: "85358830";<85358830 () qq com>;
Sent: May 9, 2017, 11:28
To: "Snort-users"<snort-users () lists sourceforge net>;
Subject: [Snort-users] snort preprocessor reputation Shared memory loadentries always 0

Good day to all!

I'm using Snort 2.9.8.3 on a Debian 8.2 virtual machine, to test reputation shared memory and control-socket. I'm following the Snort manual, 2.2.20 shared memory support, step by step, but it looks like it does not work well.

My config file and white/black list files are in the mail attachments.

The following line is my start snort command:

    ./snort -G 1 -Q --process-all-events -c ../etc/snort.conf

The following is the output of the snort:

    .......
    ...
    Reputation config:
        Reputation total memory usage: 0 bytes
        Reputation total entries loaded: 0, invalid: 0, re-defined: 0
        Memcap: 500 (Default) M bytes
        Scan local network: ENABLED
        Reputation priority: whitelist(Default)
        Nested IP: both
        White action: unblack (Default)
        Shared memory supported, Update directory: /usr/reputation/iplists
        Shared memory refresh period: 60 (Default) seconds
        Shared memory max instances: 2
    +++++++++++++++++++++++++++++++++++++++++++++++++++
    Initializing rule chains...
    1 Snort rules read
        0 detection rules
        0 decoder rules
        1 preprocessor rules
    1 Option Chains linked into 1 Chain Headers
    0 Dynamic rules
    +++++++++++++++++++++++++++++++++++++++++++++++++++
    ..........
    .....
    nfq DAQ configured to inline.
    Reload thread starting...
    Reload thread started, thread 0xa443db40 (25579)
    Reputation Preprocessor: Size of shared memory segment SFShmemMgmt.0.0 is 128
    Mapped shared management region of size 128 as a reader.
    ........
    .....

It appears that the blacklist is not loaded into shared memory. Why? Who can tell me why?

I have been searching for a long time on the net, but no use. Please help or try to give some ideas how to achieve this.

I'm sorry my English is not good. Sorry, I am a novice. Sorry.
Can someone give me some help? Can the Chinese give me some help? In Chinese.
I am a lonely self learner. If you can give me a little help, thank you very much.

Best regards to all!

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
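Added example (not part of the thread, and not Snort project code): a small Python parser for the reputation startup lines quoted in the message above. It reports whether an instance mapped the management region as writer or reader, which segments it sized, and what each list file loaded. The name summarize and the two sample constants are chosen for this example; the log lines are selected from the output in the message.

```python
import re

# Selected startup lines from the two instances' output quoted in the thread.
WRITER_LOG = """\
Reputation Preprocessor: Size of shared memory segment SFShmemMgmt.0.0 is 128
Mapped shared management region of size 128 as a writer.
Reputation Preprocessor: Size of shared memory segment SFIPReputation.rt.0.0.0 is 1146880
Processing blacklist file /usr/reputation/iplists/black_list.blf
Reputation entries loaded: 2, invalid: 0, re-defined: 0 (from file /usr/reputation/iplists/black_list.blf)
Processing whitelist file /usr/reputation/iplists/white_list.wlf
Reputation entries loaded: 0, invalid: 0, re-defined: 0 (from file /usr/reputation/iplists/white_list.wlf)
Reputation Preprocessor shared memory summary:
Reputation total entries loaded: 2, invalid: 0, re-defined: 0
"""
READER_LOG = """\
Reputation Preprocessor: Size of shared memory segment SFShmemMgmt.0.0 is 128
Mapped shared management region of size 128 as a reader.
Reputation Preprocessor: Size of shared memory segment SFIPReputation.rt.0.0.0 is 1146880
"""

ROLE = re.compile(r"Mapped shared management region of size \d+ as a (writer|reader)")
SEGMENT = re.compile(r"Size of shared memory segment (\S+) is (\d+)")
PER_FILE = re.compile(r"Reputation entries loaded: (\d+), invalid: (\d+), "
                      r"re-defined: (\d+) \(from file (\S+)\)")
TOTAL = re.compile(r"Reputation total entries loaded: (\d+)")

def summarize(log_text):
    """Return role, sized segments, per-file counts and the shared-memory total."""
    result = {"role": None, "segments": {}, "files": {}, "shared_total": None}
    in_summary = False
    for line in log_text.splitlines():
        if m := ROLE.search(line):
            result["role"] = m.group(1)
        elif m := SEGMENT.search(line):
            result["segments"][m.group(1)] = int(m.group(2))
        elif m := PER_FILE.search(line):
            result["files"][m.group(4)] = {"loaded": int(m.group(1)), "invalid": int(m.group(2))}
        elif "shared memory summary" in line:
            in_summary = True
        elif in_summary and (m := TOTAL.search(line)):
            # The total in the "Reputation config:" banner precedes any list load, so skip it.
            result["shared_total"] = int(m.group(1))
    return result

if __name__ == "__main__":
    for name, log in (("-G 0", WRITER_LOG), ("-G 1", READER_LOG)):
        print(name, summarize(log))
```

On the quoted output, the -G 0 instance comes back as the writer with a shared-memory total of 2, while the -G 1 instance comes back as a reader with both segments sized and no per-file or summary counts of its own.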
Current thread:
- Re: Re: snort preprocessor reputation Shared memory loadentries always 0 ???????? (May 09)
- Re: Re: Re: snort preprocessor reputation Shared memory loadentries always 0 Hui Cao (huica) (May 10)