Snort mailing list archives

Re: snort preprocessor reputation Shared memory loadentries always 0


From: <85358830 () qq com>
Date: Fri, 12 May 2017 14:16:30 +0800

Thx hui.


When I use "snort_control" to make the snort reputation preprocessor reload the shared memory white/black list, it does not seem to work well.
I use the following line:
 ./snort_control /usr/reputation/ 1361


When only one snort master process is running (started with the command: ./snort --cs-dir /usr/reputation/ -A console -G 0 -Q --process-all-events -c ../etc/snort.conf), it seems to work well.


When I use the following command:
 ./snort_control /usr/reputation/ 1361


I saw snort master output:
...........
...
Commencing packet processing (pid=3344)
Decoding Raw IP4
    Reputation Preprocessor: Instance 0 switched to segment_version 1
    Reputation Preprocessor: Size of shared memory segment SFIPReputation.rt.0.0.0 is 1277952
    Processing blacklist file /usr/reputation/iplists/black_list.blf
    Reputation entries loaded: 6, invalid: 0, re-defined: 0 (from file /usr/reputation/iplists/black_list.blf)
    Processing whitelist file /usr/reputation/iplists/white_list.wlf
    Reputation entries loaded: 0, invalid: 0, re-defined: 0 (from file /usr/reputation/iplists/white_list.wlf)
Reputation Preprocessor shared memory summary:
    Reputation total memory usage: 330636 bytes
    Reputation total entries loaded: 6, invalid: 0, re-defined: 0
    Reputation Preprocessor: Received segment 0
    Reputation Preprocessor: SFIPReputation.rt.0.0.1 is freed
    Reputation Preprocessor: Instance 0 switched to segment_version 0



It worked! I'm very happy.




But when I start the snort client process (started with the command: ./snort -A console -G 1 -Q --process-all-events -c ../etc/snort.conf.smg.5.9), something goes wrong with the program.
snort_control output:
root@localhost:~/code/snort/tools/control# ./snort_control /usr/reputation/ 1361
Response 0009 with code 0 and length 45
52 65 70 75 74 61 74 69  6F 6E 20 50 72 65 70 72   Reputati on Prepr
6F 63 65 73 73 6F 72 3A  20 4E 6F 20 73 65 67 6D   ocessor:  No segm
65 6E 74 73 20 72 65 63  65 69 76 65 64            ents rec eived
Response 0000 without data



I added the IP (1.1.18.6/32) to my blacklist file (/usr/reputation/iplists/black_list.blf), then used the following command:
root@localhost:~/code/snort/tools/control# ./snort_control /usr/reputation/ 1361


I hoped both snort processes (master and client) would load my new blacklist, but I saw the output below:


root@localhost:~/code/snort/tools/control# ./snort_control /usr/reputation/ 1361
Response 0009 with code 0 and length 45
52 65 70 75 74 61 74 69  6F 6E 20 50 72 65 70 72   Reputati on Prepr
6F 63 65 73 73 6F 72 3A  20 4E 6F 20 73 65 67 6D   ocessor:  No segm
65 6E 74 73 20 72 65 63  65 69 76 65 64            ents rec eived
Response 0000 without data



Neither snort process (master or client) responded. Why???
What does "No segments received" mean? I know what "Segmentation fault" means.
What should I do to make both snort processes (master and client) load the shared memory blacklist?


Thank you very much indeed.


                               minggang su.
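An added example (not from this thread or from the Snort project) that parses the two kinds of output discussed above: it decodes the snort_control hex-dump response back into its message text, and it reads the "Instance N switched to segment_version V" console lines to tell whether a reload has finished on every instance before command 1361 is sent again, as Hui advises. It assumes that every instance, readers included, logs that switch line to its own console; the reader line and the transcripts are constructed from what the thread shows.

```python
import re

# Constructed sample input: the snort_control response transcript quoted in
# this thread ("Response 0000 without data" carries no payload and is skipped).
SNORT_CONTROL_OUTPUT = """\
Response 0009 with code 0 and length 45
52 65 70 75 74 61 74 69  6F 6E 20 50 72 65 70 72   Reputati on Prepr
6F 63 65 73 73 6F 72 3A  20 4E 6F 20 73 65 67 6D   ocessor:  No segm
65 6E 74 73 20 72 65 63  65 69 76 65 64            ents rec eived
Response 0000 without data
"""

# Constructed sample input: console lines of the writer (instance 0, quoted in
# the thread) plus a hypothetical reader (instance 1) line in the same format.
MASTER_CONSOLE = [
    "    Reputation Preprocessor: Instance 0 switched to segment_version 1",
    "    Reputation Preprocessor: Size of shared memory segment SFIPReputation.rt.0.0.0 is 1277952",
    "    Reputation Preprocessor: Received segment 0",
    "    Reputation Preprocessor: Instance 0 switched to segment_version 0",
]
READER_CONSOLE = [
    "    Reputation Preprocessor: Instance 1 switched to segment_version 0",  # constructed
]

HEADER_RE = re.compile(r"^Response (\w+) with code (\d+) and length (\d+)$")
HEX_BYTE_RE = re.compile(r"^[0-9A-Fa-f]{2}$")
SWITCH_RE = re.compile(
    r"Reputation Preprocessor: Instance (\d+) switched to segment_version (\d+)")


def decode_control_responses(text):
    """Rebuild the text of each snort_control response from its hex dump.
    Returns [(response_id, code, message)]; the byte count comes from the
    'length' field, so the trailing ASCII column is never read as data."""
    results, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i].strip())
        i += 1
        if not m:
            continue
        resp_id, code, length = m.group(1), int(m.group(2)), int(m.group(3))
        payload = bytearray()
        while len(payload) < length and i < len(lines):
            for tok in lines[i].split():
                if len(payload) >= length or not HEX_BYTE_RE.match(tok):
                    break
                payload.append(int(tok, 16))
            i += 1
        results.append((resp_id, code, payload.decode("ascii", "replace")))
    return results


def reload_status(console_lines, expected_instances):
    """Decide whether a shared-memory reload has finished. Assumes each instance
    logs 'Instance N switched to segment_version V' (V alternates 0/1); the
    reload is done when every expected instance has reported and the latest
    versions agree. Returns (complete, {instance: version})."""
    versions = {}
    for line in console_lines:
        m = SWITCH_RE.search(line)
        if m:
            versions[int(m.group(1))] = int(m.group(2))
    complete = (len(versions) == expected_instances
                and len(set(versions.values())) == 1)
    return complete, versions


if __name__ == "__main__":
    for resp_id, code, msg in decode_control_responses(SNORT_CONTROL_OUTPUT):
        print(f"response {resp_id} code {code}: {msg}")
    # Only the writer has reported: not safe to send 1361 again yet.
    print(reload_status(MASTER_CONSOLE, expected_instances=2))
    print(reload_status(MASTER_CONSOLE + READER_CONSOLE, expected_instances=2))
```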


------------------ Original message ------------------
From: "Hui Cao (huica)" <huica () cisco com>
Sent: 2017-05-11 10:10
To: <85358830 () qq com>; "Snort-users" <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] snort preprocessor reputation Shared memory loadentries always 0



    
The error message indicates the previous reload has not finished yet. You should see all the instances have switched to the new shared memory. You can issue the reload command again after that.

Best,

Hui.
On 05/10/2017 10:44 PM, minggang su wrote:

Thx hui.
Thank you for taking the time to answer my questions.
Now my snort reputation seems to work well.

I added IP (192.168.59.228) to the file /usr/reputation/iplists/black_list.blf, then started snort_control using the following command:
./snort_control /usr/reputation/ 1361
       
         
snort_control output:
Response 0009 with code 0 and length 45
52 65 70 75 74 61 74 69  6F 6E 20 50 72 65 70 72   Reputati on Prepr
6F 63 65 73 73 6F 72 3A  20 4E 6F 20 73 65 67 6D   ocessor:  No segm
65 6E 74 73 20 72 65 63  65 69 76 65 64            ents rec eived
Response 0000 without data
       
       
       
But the snort master does not respond, and snort did not block the IP 192.168.59.128.
I noticed this snort output (previous output, not now):
.........
.....
    Reputation Preprocessor: Size of shared memory segment SFIPReputation.rt.0.0.0 is 1179648
    Processing blacklist file /usr/reputation/iplists/black_list.blf
    Reputation entries loaded: 3, invalid: 0, re-defined: 0 (from file /usr/reputation/iplists/black_list.blf)
    Processing whitelist file /usr/reputation/iplists/white_list.wlf
    Reputation entries loaded: 0, invalid: 0, re-defined: 0 (from file /usr/reputation/iplists/white_list.wlf)
Reputation Preprocessor shared memory summary:
    Reputation total memory usage: 329820 bytes
    Reputation total entries loaded: 3, invalid: 0, re-defined: 0
    Reputation Preprocessor: Received segment 0
    Reputation Preprocessor: Instance 0 switched to segment_version 0
         
         
         
But my blacklist file now has 4 IPs (192.168.59.228 is the new IP). It looks like the blacklist was not reloaded.

My questions are:
1. What should I do to get the blacklist loaded?
2. What does "1361" mean? How should I know what it means? I searched the snort source, but I can't understand it. The following lines are the output:
         
         
root@localhost:~/code/snort# find.sh 1361
################## FIND BEGIN ##################
./src/dynamic-plugins/sf_engine/sfprimetable.c:210: 1361, /* 1361 */
./src/dynamic-plugins/sf_engine/sfprimetable.c:1558: 31357, /* 31361 */
./src/dynamic-plugins/sf_engine/sfprimetable.c:2228:  136189, /* 136192 */
./src/target-based/sf_attribute_table_parser.c:1693: 1359,    0, 1360,    0, 1361,    0, 1362,    0, 1363,    0,
./src/target-based/sf_attribute_table_parser.c:3452: 11358,11358,11359,11359,11360,11360,11361,11361,11362,11362,
./src/target-based/sf_attribute_table_parser.c:4283: 1353, 1355, 1357, 1359, 1361, 1363, 1365, 1367, 1369, 1371,
./src/target-based/sf_attribute_table_parser.c:5275: 1351, 1353, 1355, 1357, 1359, 1361, 1363, 1365, 1367, 1369,
./src/target-based/sf_attribute_table_parser.c:5976: 11358,11359,11360,11361,11362,11363,11364,11365,11366,11367,
./src/dynamic-preprocessors/include/sfprimetable.c:210: 1361, /* 1361 */
./src/dynamic-preprocessors/include/sfprimetable.c:1558: 31357, /* 31361 */
./src/dynamic-preprocessors/include/sfprimetable.c:2228:  136189, /* 136192 */
./src/sfutil/sfprimetable.c:210: 1361, /* 1361 */
./src/sfutil/sfprimetable.c:1558: 31357, /* 31361 */
./src/sfutil/sfprimetable.c:2228:  136189, /* 136192 */
##################  FIND END  ##################
         
         
         
         
         
Thanks.
minggang su

------------------ Original message ------------------
From: "Hui Cao (huica)" <huica () cisco com>
Sent: 2017-05-10 9:12
To: <85358830 () qq com>; "Snort-users" <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] snort preprocessor reputation Shared memory loadentries always 0
         
         
         
                             
My question is:

1. What does 'Shared memory max instances: 2' mean? Does it mean I can only start two instances?

Yes. You can set it to a higher number since it is configurable. The configure option is "shared_max_instances". I think the default is 50.

2. How do I know that my snort client uses a shared blacklist? I can't get any information from the client snort output.

You have output like this; it is a reader:

   Mapped shared management region of size 128 as a reader.
    Reputation Preprocessor: Size of shared memory segment SFIPReputation.rt.0.0.0 is 1146880

From: <85358830 () qq com>
Date: Wednesday, May 10, 2017 at 12:54 AM
To: "Hui Cao (huica)" <huica () cisco com>, Snort-users <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] snort preprocessor reputation Shared memory loadentries always 0
           
                        
 
           
                        
Thx hui.

I use the command as you gave me:
./snort -G 0 -Q --process-all-events -c ../etc/snort.conf

The following is the output of the Master snort:
.......
...
Reputation config:
    Reputation total memory usage: 0 bytes
    Reputation total entries loaded: 0, invalid: 0, re-defined: 0
    Memcap: 500 (Default) M bytes
    Scan local network: ENABLED
    Reputation priority:  whitelist(Default)
    Nested IP: both
    White action: unblack (Default)
    Shared memory supported, Update directory: /usr/reputation/iplists
    Shared memory refresh period: 60 (Default) seconds
    Shared memory max instances: 2
..........
......

Reload thread starting...
Reload thread started, thread 0xa44f1b40 (26006)
    Reputation Preprocessor: Size of shared memory segment SFShmemMgmt.0.0 is 128
Mapped shared management region of size 128 as a writer.
    Reputation Preprocessor: Size of shared memory segment SFIPReputation.rt.0.0.0 is 1146880
    Processing blacklist file /usr/reputation/iplists/black_list.blf
    Reputation entries loaded: 2, invalid: 0, re-defined: 0 (from file /usr/reputation/iplists/black_list.blf)
    Processing whitelist file /usr/reputation/iplists/white_list.wlf
    Reputation entries loaded: 0, invalid: 0, re-defined: 0 (from file /usr/reputation/iplists/white_list.wlf)
Reputation Preprocessor shared memory summary:
    Reputation total memory usage: 329712 bytes
    Reputation total entries loaded: 2, invalid: 0, re-defined: 0
........
.....

The master snort seems to work well. Next step, I start a new snort instance as a client. It looks like it does not load the shared memory blacklist info. The following line is my command:
./snort -G 1 -Q --process-all-events -c ../etc/snort.conf.smg.5.9

It outputs:
.......
.....
Reputation config:
    Reputation total memory usage: 0 bytes
    Reputation total entries loaded: 0, invalid: 0, re-defined: 0
    Memcap: 500 (Default) M bytes
    Scan local network: ENABLED
    Reputation priority:  whitelist(Default)
    Nested IP: both
    White action: unblack (Default)
    Shared memory supported, Update directory: /usr/reputation/iplists
    Shared memory refresh period: 60 (Default) seconds
    Shared memory max instances: 2

........
......
Reload thread starting...
Reload thread started, thread 0xa44a1b40 (26334)
    Reputation Preprocessor: Size of shared memory segment SFShmemMgmt.0.0 is 128
Mapped shared management region of size 128 as a reader.
    Reputation Preprocessor: Size of shared memory segment SFIPReputation.rt.0.0.0 is 1146880
..........
....

My questions are:
1. What does 'Shared memory max instances: 2' mean? Does it mean I can only start two instances?
2. How do I know that my snort client uses a shared blacklist? I can't get any information from the client snort output.

------------------ Original message ------------------
From: "Hui Cao (huica)" <huica () cisco com>
Sent: 2017-05-09 11:53
To: <85358830 () qq com>; "Snort-users" <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] snort preprocessor reputation Shared memory loadentries always 0
               
             
                            
 
             
             
You should use the command:

./snort -G 0 -Q --process-all-events -c ../etc/snort.conf

Only instance 0 will be a shared memory writer.

Best,
Hui.
On 5/9/17, 11:46 AM, minggang su <85358830 () qq com> wrote:
               
Sorry, message attachments are not supported.
Here is my snort.conf:

# Reputation preprocessor. For more information see README.reputation
preprocessor reputation: \
   memcap 500, \
   scan_local, \
#   priority whitelist, \
   white unblack, \
   nested_ip both, \
#   whitelist /usr/reputation/iplists/white_list.wlf, \
#   blacklist /usr/reputation/iplists/black_list.blf, \
   shared_mem /usr/reputation/iplists, \
   shared_refresh 60
                   
                   
                   
                   
                   
                   
                   
                   
                   
Here is my black_list.blf:
192.168.59.158/32
192.168.59.128/32
                   
                   
                   
                   
------------------ Original message ------------------
From: "85358830" <85358830 () qq com>
Sent: 2017-05-09 11:28
To: "Snort-users" <snort-users () lists sourceforge net>
Subject: [Snort-users] snort preprocessor reputation Shared memory loadentries always 0
                   
                   
                   
Good day to all! I'm using Snort 2.9.8.3 on a Debian 8.2 virtual machine to test reputation shared memory and the control socket. I followed Snort manual section 2.2.20, shared memory support, step by step, but it does not seem to work well.

My config file and white/black list files are in the mail attachments.
The following line is my snort start command:
./snort -G 1 -Q --process-all-events -c ../etc/snort.conf
                   
                   
The following is the output of snort:
.......
...
Reputation config:
    Reputation total memory usage: 0 bytes
    Reputation total entries loaded: 0, invalid: 0, re-defined: 0
    Memcap: 500 (Default) M bytes
    Scan local network: ENABLED
    Reputation priority:  whitelist(Default)
    Nested IP: both
    White action: unblack (Default)
    Shared memory supported, Update directory: /usr/reputation/iplists
    Shared memory refresh period: 60 (Default) seconds
    Shared memory max instances: 2
                   
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
1 Snort rules read
    0 detection rules
    0 decoder rules
    1 preprocessor rules
1 Option Chains linked into 1 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

..........
.....

nfq DAQ configured to inline.
Reload thread starting...
Reload thread started, thread 0xa443db40 (25579)
    Reputation Preprocessor: Size of shared memory segment SFShmemMgmt.0.0 is 128
Mapped shared management region of size 128 as a reader.

........
.....

It appears that the blacklist is not loaded into shared memory. Why?
Who can tell me why?
                   
                   
I have been searching on the net for a long time, but to no avail. Please help or try to give some ideas how to achieve this.

I'm sorry my English is not good. Sorry, I am a novice.
Sorry.

Can someone give me some help?

Can the Chinese give me some help? In Chinese.

I am a lonely self-learner; if you can give me a little help, thank you very much.
Best regards to all!
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!