Snort mailing list archives

Re: Re: Re: snort preprocessor reputation Shared memory loadentries always 0


From: "Hui Cao (huica)" <huica () cisco com>
Date: Wed, 10 May 2017 13:12:41 +0000

My question is :

1.      What does 'Shared memory max instances: 2' mean? Does it mean I can only start two instances?



Yes. You can set it to a higher number since it is configurable. The configuration option is “shared_max_instances”. I think 
the default is 50.



2.      How do I know that my snort client uses a shared blacklist? I can't get any information from the client snort output.



You have output like this; it is a reader:


   Mapped shared management region of size 128 as a reader.
    Reputation Preprocessor: Size of shared memory segment SFIPReputation.rt.0.0.0 is 1146880
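The checks described in this reply (instance 0 maps the management region as a writer, every other instance as a reader, and a reader prints no "entries loaded" line of its own) can be automated. The following Python script is an added example; it is not part of this thread and not Snort's own code. It parses the startup lines quoted in this thread, embedded here as constructed samples, and reports whether an instance is attached to a shared reputation table. The function names are my own, and the cross-instance check in `reader_sees_writer_list` is my own assumption that a reader sharing a list maps the same `SFIPReputation.rt.*` segment, with the same size, as the writer.

```python
import re

# Constructed samples, trimmed from the startup output quoted in this thread.
# Writer instance (-G 0): it loads the .blf file and publishes the table segment.
WRITER_OUTPUT = """\
Reputation config:
    Reputation total entries loaded: 0, invalid: 0, re-defined: 0
    Shared memory supported, Update directory: /usr/reputation/iplists
    Shared memory max instances: 2
Reload thread starting...
    Reputation Preprocessor: Size of shared memory segment SFShmemMgmt.0.0 is 128
Mapped shared management region of size 128 as a writer.
    Reputation Preprocessor: Size of shared memory segment SFIPReputation.rt.0.0.0 is 1146880
    Processing blacklist file /usr/reputation/iplists/black_list.blf
    Reputation entries loaded: 2, invalid: 0, re-defined: 0 (from file /usr/reputation/iplists/black_list.blf)
Reputation Preprocessor shared memory summary:
    Reputation total entries loaded: 2, invalid: 0, re-defined: 0
"""

# Reader instance (-G 1) started while the writer runs: it maps the same
# SFIPReputation.rt segment but prints no "entries loaded" line itself.
READER_OUTPUT = """\
Reputation config:
    Reputation total entries loaded: 0, invalid: 0, re-defined: 0
    Shared memory max instances: 2
Reload thread starting...
    Reputation Preprocessor: Size of shared memory segment SFShmemMgmt.0.0 is 128
Mapped shared management region of size 128 as a reader.
    Reputation Preprocessor: Size of shared memory segment SFIPReputation.rt.0.0.0 is 1146880
"""

# Reader started with no writer (the first post): only the management region.
ORPHAN_READER_OUTPUT = """\
Reputation config:
    Shared memory max instances: 2
Reload thread starting...
    Reputation Preprocessor: Size of shared memory segment SFShmemMgmt.0.0 is 128
Mapped shared management region of size 128 as a reader.
"""

ROLE_RE = re.compile(r"Mapped shared management region of size \d+ as a (writer|reader)\.")
SEGMENT_RE = re.compile(r"Size of shared memory segment (\S+) is (\d+)")
MAX_INST_RE = re.compile(r"Shared memory max instances: (\d+)")
FILE_RE = re.compile(r"Reputation entries loaded: (\d+), invalid: (\d+), re-defined: (\d+) \(from file (\S+)\)")
TOTAL_RE = re.compile(r"Reputation total entries loaded: (\d+), invalid: (\d+), re-defined: (\d+)")


def parse_reputation_output(text):
    """Extract the shared-memory facts from one instance's startup output."""
    state = {"role": None, "max_instances": None, "segments": {}, "files": {}, "total_loaded": None}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ROLE_RE.search(line):
            state["role"] = m.group(1)
        elif m := SEGMENT_RE.search(line):
            state["segments"][m.group(1)] = int(m.group(2))
        elif m := MAX_INST_RE.search(line):
            state["max_instances"] = int(m.group(1))
        elif m := FILE_RE.search(line):
            loaded, invalid, redefined, path = m.groups()
            state["files"][path] = (int(loaded), int(invalid), int(redefined))
        elif m := TOTAL_RE.search(line):
            # The config block prints 0 before loading and the summary block
            # prints the real count afterwards, so the last value wins.
            state["total_loaded"] = int(m.group(1))
    return state


def table_segments(state):
    """Names of the reputation table segments (not the management region)."""
    return [n for n in state["segments"] if n.startswith("SFIPReputation.rt.")]


def shared_blacklist_status(state):
    """Answer 'is this instance using a shared list?' from its own output."""
    if state["role"] is None:
        return {"attached": False, "reason": "no shared management region mapped"}
    tables = table_segments(state)
    if not tables:
        return {"attached": False,
                "reason": f"mapped as {state['role']} but no table segment; "
                          "is instance 0 (the writer) running?"}
    if state["role"] == "writer" and not state["total_loaded"]:
        return {"attached": True, "reason": "writer published an empty table; check the list files"}
    return {"attached": True, "reason": f"mapped as {state['role']} to {', '.join(tables)}"}


def reader_sees_writer_list(writer_state, reader_state):
    """True when the reader maps exactly the table segment(s) the writer published (my assumption)."""
    w = {n: writer_state["segments"][n] for n in table_segments(writer_state)}
    r = {n: reader_state["segments"][n] for n in table_segments(reader_state)}
    return bool(w) and w == r


if __name__ == "__main__":
    for name, text in (("writer", WRITER_OUTPUT), ("reader", READER_OUTPUT),
                       ("orphan reader", ORPHAN_READER_OUTPUT)):
        print(name, shared_blacklist_status(parse_reputation_output(text)))
```

Feed each instance's real startup output to `parse_reputation_output`; the "orphan reader" case reproduces the situation in the first post of this thread, where a `-G 1` instance was started with no writer and therefore mapped only the 128-byte management region.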








From: 阔野嘹歌 <85358830 () qq com>
Date: Wednesday, May 10, 2017 at 12:54 AM
To: "Hui Cao (huica)" <huica () cisco com>, Snort-users <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Re: snort preprocessor reputation Shared memory loadentries always 0

Thanks Hui.

I used the command as you gave it to me:
./snort -G 0 -Q --process-all-events -c ../etc/snort.conf

The following is the output of the master snort:

.......
...
Reputation config:
    Reputation total memory usage: 0 bytes
    Reputation total entries loaded: 0, invalid: 0, re-defined: 0
    Memcap: 500 (Default) M bytes
    Scan local network: ENABLED
    Reputation priority:  whitelist(Default)
    Nested IP: both
    White action: unblack (Default)
    Shared memory supported, Update directory: /usr/reputation/iplists
    Shared memory refresh period: 60 (Default) seconds
    Shared memory max instances: 2
..........
......

Reload thread starting...
Reload thread started, thread 0xa44f1b40 (26006)
    Reputation Preprocessor: Size of shared memory segment SFShmemMgmt.0.0 is 128
Mapped shared management region of size 128 as a writer.
    Reputation Preprocessor: Size of shared memory segment SFIPReputation.rt.0.0.0 is 1146880
    Processing blacklist file /usr/reputation/iplists/black_list.blf
    Reputation entries loaded: 2, invalid: 0, re-defined: 0 (from file /usr/reputation/iplists/black_list.blf)
    Processing whitelist file /usr/reputation/iplists/white_list.wlf
    Reputation entries loaded: 0, invalid: 0, re-defined: 0 (from file /usr/reputation/iplists/white_list.wlf)
Reputation Preprocessor shared memory summary:
    Reputation total memory usage: 329712 bytes
    Reputation total entries loaded: 2, invalid: 0, re-defined: 0
........
.....


The master snort looks to work well. Next step, I start a new snort instance as a client. It looks like it does not load the shared memory 
blacklist info; the following line is my command:
./snort -G 1 -Q --process-all-events -c ../etc/snort.conf.smg.5.9

Its output:

.......
.....
Reputation config:
    Reputation total memory usage: 0 bytes
    Reputation total entries loaded: 0, invalid: 0, re-defined: 0
    Memcap: 500 (Default) M bytes
    Scan local network: ENABLED
    Reputation priority:  whitelist(Default)
    Nested IP: both
    White action: unblack (Default)
    Shared memory supported, Update directory: /usr/reputation/iplists
    Shared memory refresh period: 60 (Default) seconds
    Shared memory max instances: 2

........
......
Reload thread starting...
Reload thread started, thread 0xa44a1b40 (26334)
    Reputation Preprocessor: Size of shared memory segment SFShmemMgmt.0.0 is 128
Mapped shared management region of size 128 as a reader.
    Reputation Preprocessor: Size of shared memory segment SFIPReputation.rt.0.0.0 is 1146880
..........
....

My question is:
1. What does 'Shared memory max instances: 2' mean? Does it mean I can only start two instances?
2. How do I know that my snort client uses a shared blacklist? I can't get any information from the client snort output.

------------------ Original message ------------------
From: "Hui Cao (huica)";<huica () cisco com>;
Sent: Tuesday, May 9, 2017, 11:53 PM
To: "阔野嘹歌"<85358830 () qq com>; "Snort-users"<snort-users () lists sourceforge net>;
Subject: Re: [Snort-users] Re: snort preprocessor reputation Shared memory loadentries always 0

You should use the command:

./snort -G 0 -Q --process-all-events -c ../etc/snort.conf

Only instance 0 will be a shared memory writer.

Best,
Hui.
On 5/9/17, 11:46 AM, "阔野嘹歌" <85358830 () qq com> wrote:

    Sorry, message attachments are not supported.
    Here is my snort.conf:


    # Reputation preprocessor. For more information see README.reputation
    preprocessor reputation: \
       memcap 500, \
       scan_local, \
    #   priority whitelist, \
       white unblack, \
       nested_ip both, \
    #   whitelist /usr/reputation/iplists/white_list.wlf, \
    #   blacklist /usr/reputation/iplists/black_list.blf, \
       shared_mem /usr/reputation/iplists, \
       shared_refresh 60

    Here is my black_list.blf:
    192.168.59.158/32
    192.168.59.128/32




    ------------------ Original message ------------------
    From: "85358830";<85358830 () qq com>;
    Sent: Tuesday, May 9, 2017, 11:28 PM
    To: "Snort-users"<snort-users () lists sourceforge net>;

    Subject: [Snort-users] snort preprocessor reputation Shared memory loadentries always 0



    Good day to all! I'm using Snort 2.9.8.3 on a Debian 8.2 virtual machine. To test reputation shared memory and 
control-socket, I'm following Snort manual 2.2.20, shared memory support, step by step, but it looks like it does not work well.


    My config file and white/black list files are in the mail attachments.
    The following line is my start snort command:
    ./snort -G 1 -Q --process-all-events -c ../etc/snort.conf


    The following is the output of the snort:
    .......
    ...
    Reputation config:
        Reputation total memory usage: 0 bytes
        Reputation total entries loaded: 0, invalid: 0, re-defined: 0
        Memcap: 500 (Default) M bytes
        Scan local network: ENABLED
        Reputation priority:  whitelist(Default)
        Nested IP: both
        White action: unblack (Default)
        Shared memory supported, Update directory: /usr/reputation/iplists
        Shared memory refresh period: 60 (Default) seconds
        Shared memory max instances: 2

    +++++++++++++++++++++++++++++++++++++++++++++++++++
    Initializing rule chains...
    1 Snort rules read
        0 detection rules
        0 decoder rules
        1 preprocessor rules
    1 Option Chains linked into 1 Chain Headers
    0 Dynamic rules
    +++++++++++++++++++++++++++++++++++++++++++++++++++

    ..........
    .....


    nfq DAQ configured to inline.
    Reload thread starting...
    Reload thread started, thread 0xa443db40 (25579)
        Reputation Preprocessor: Size of shared memory segment SFShmemMgmt.0.0 is 128
    Mapped shared management region of size 128 as a reader.

    ........
    .....


    It appears that the blacklist is not loaded into shared memory. Why?
    Who can tell me why?


    I have been searching for a long time on the net, but to no use. Please help or try to give some ideas on how to achieve this.

    I'm sorry, my English is not good. Sorry, I am a novice.
    Sorry.



    Can someone give me some help?

    Can any Chinese speakers give me some help, in Chinese?

    I am a lonely self-learner; if you can give me a little help, thank you very much.
    Best regards to all!

    ------------------------------------------------------------------------------
    Check out the vibrant tech community on one of the world's most
    engaging tech sites, Slashdot.org! http://sdm.link/slashdot
    _______________________________________________
    Snort-users mailing list
    Snort-users () lists sourceforge net
    Go to this URL to change user options or unsubscribe:
    https://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive:
    http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

    Please visit http://blog.snort.org to stay current on all the latest Snort news!
