Snort mailing list archives
Re: Flexresp problem
From: Erek Adams <erek () theadamsfamily net>
Date: Sun, 21 Apr 2002 12:00:47 -0700 (PDT)
On Sun, 21 Apr 2002, Tudor Panaitescu wrote:
> libnet-1.0.2a-1snort is actually the rpm package for libnet. It is configured with --with-pf_packet=yes, nothing different from the normal compile. I also tried to recompile snort with libpcap-0.7.1 - the same behavior. The latest: recompiled from scratch and installed in this order: libpcap-0.7.1, libnet-1.0.2a, snort-1.8.6, snort-plain+flexresp-1.8.6. The same behavior.

Ok, remove the snort-plain+flexresp thing. Just use 1.8.6 and compile with --enable-flexresp. See if that makes a difference. *shudders* God I _HATE_ rpms, they make it so hard to troubleshoot things... And _NO_, I'm not trying to start a war. It's too early to have any drinks. :)

> I also tried to enable debugging, but it generates about a 2 GB snort.debug file just when snort starts - filled up my /tmp fs - is there any way of configuring debug to dump only alert-related messages?

Yep. You can set the debug ENV variable and snort will log at different levels of debugging. I don't have all my notes on that right now, or I'd be more specific. Have a look in the source, IIRC it's documented fairly well there.

> Conclusion: snort-1.8.6 resets connections if a rule is matched even if the rule doesn't say anything about any resp.

I'm sorry--I can't go with this. I'm using the same setup, except on Solaris 2.7, and I don't have any problems. We've got ~3.5k list members and only two people are having this issue, both with sparc debian. Law of averages points to something specific about ya'lls configs--machines, rpms, .conf, something.... Of course I could be as wrong as wrong can be. :)

> The Nets are configured like this: var HOME_NET [a.b.c.d/e,f.g.h.i/j ...], var EXTERNAL_NET !$HOME_NET, var HTTP_SERVERS $HOME_NET etc. Any other thoughts folks?

If you're watching a lot of traffic, run multiple instances with single homenets. The current code runs a _lot_ faster watching a single net than multiple ones. A lot less CPU cycles!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
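The thread's open question is whether a flexresp-enabled Snort sends resets for rules that carry no `resp` option. Before enabling flexresp, a practitioner would want to know exactly which rules in the loaded set request an active response (`resp:` or `react:`), so that an observed reset can be matched against a rule that asked for it. The following script is an added example, not code from the thread or from the Snort project: it is a simplified Snort 1.x rule parser (it handles quoted `content` strings containing semicolons but not every syntax Snort accepts, which is an assumption stated here) run over a small constructed rule set, reporting the SIDs whose options would trigger an active response.

```python
import re

# Constructed sample rules for illustration (not from the mailing-list thread).
# Only the second and third rules carry an active-response option.
SAMPLE_RULES = """\
# comment line, ignored by the parser
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC test"; content:"/test;x"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"TELNET probe"; resp:rst_all; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC block"; content:"/cgi-bin/"; react:block; sid:1000003; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS query"; sid:1000004; rev:1;)
"""

# Rule option keywords that make Snort (with flexresp compiled in) act on the session.
ACTIVE_RESPONSE_KEYS = {"resp", "react"}

# action, protocol, header (addresses/ports/direction), then the parenthesised option body.
RULE_RE = re.compile(r"^\s*(alert|log|pass|activate|dynamic)\s+(\S+)\s+(.+?)\s*\((.*)\)\s*$")


def split_options(body):
    """Split the option body on ';' while respecting double-quoted strings and backslash escapes."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
            continue
        if ch == "\\":
            cur.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            token = "".join(cur).strip()
            if token:
                opts.append(token)
            cur = []
        else:
            cur.append(ch)
    token = "".join(cur).strip()
    if token:
        opts.append(token)
    return opts


def parse_rule(line):
    """Parse one rule line into a dict, or return None if it does not look like a rule."""
    m = RULE_RE.match(line)
    if not m:
        return None
    action, proto, header, body = m.groups()
    options = []
    for opt in split_options(body):
        key, _, value = opt.partition(":")
        options.append((key.strip(), value.strip().strip('"')))
    return {"action": action, "proto": proto, "header": header, "options": options}


def parse_rules(text):
    """Parse every non-comment, non-blank line of a rules file body."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(line)
        if rule is not None:
            rules.append(rule)
    return rules


def option_value(rule, key):
    """Return the first value for an option keyword, or None if the rule lacks it."""
    for k, v in rule["options"]:
        if k == key:
            return v
    return None


def find_active_response_rules(text):
    """List the rules whose options request an active response, keyed by SID."""
    hits = []
    for rule in parse_rules(text):
        for key, value in rule["options"]:
            if key in ACTIVE_RESPONSE_KEYS:
                hits.append({"sid": option_value(rule, "sid"),
                             "msg": option_value(rule, "msg"),
                             "option": f"{key}:{value}"})
    return hits


if __name__ == "__main__":
    for hit in find_active_response_rules(SAMPLE_RULES):
        print(f"sid {hit['sid']} ({hit['msg']}) requests {hit['option']}")
```

Run against a real `snort.conf` include set, the report gives the list of SIDs that are entitled to send resets; a reset observed for any other SID, as described in the thread, would then point at something outside the rule options (build, libnet, or configuration) rather than at the rules themselves.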
Current thread:
- Re: Segmentation fault (core dumped), (continued)
- Re: Segmentation fault (core dumped) Erek Adams (Apr 15)
- Re: Flexresp problem Erek Adams (Apr 15)
- Re: Flexresp problem Tudor Panaitescu (Apr 15)
- Re: Flexresp problem Erek Adams (Apr 15)
- Re: Flexresp problem Tudor Panaitescu (Apr 15)
- Re: Flexresp problem Tudor Panaitescu (Apr 20)
- Re: Flexresp problem Alwin Raymundo (Apr 20)
- Re: Flexresp problem Erek Adams (Apr 20)
- Re: Flexresp problem Tudor Panaitescu (Apr 20)
- Re: Flexresp problem Tudor Panaitescu (Apr 21)
- Re: Flexresp problem Erek Adams (Apr 21)