Snort mailing list archives
Re: Snort 2.9.1.2 exits on file upload
From: Sudarshan Raghavan <sudarshan.t.raghavan () gmail com>
Date: Thu, 2 Feb 2012 22:43:04 +0530
I made the change to snort.c and it seems to be working ok.

Index: snort.c =================================================================== --- snort.c (revision 148039) +++ snort.c (working copy) @@ -2820,7 +2820,8 @@ if ( !ScReadMode() || !PQ_Next() ) { /* If not read-mode or no next pcap, we're done */ - break; + //break; + continue; } } /* Check for any pending signals when no packets are read*/

Is this likely to affect nfq? I also checked the 2.9.2 source tree and I don't see PacketLoop continuing if DAQ_Acquire fails with an error. I assume it must have been fixed in a different way.

Regards,
Sudarshan

On Thu, Feb 2, 2012 at 10:08 PM, Sudarshan Raghavan <sudarshan.t.raghavan () gmail com> wrote:
Hi Russ,

My answers are inline. Thanks for the help.

Regards,
Sudarshan

On Thu, Feb 2, 2012 at 9:00 PM, Russ Combs <rcombs () sourcefire com> wrote:

On Thu, Feb 2, 2012 at 9:09 AM, Sudarshan Raghavan <sudarshan.t.raghavan () gmail com> wrote:

I can see in the 2.8.5 sources that ipq_read error does not result in snort exiting. It calls ipq_perror and continues to read. Is this an ok behaviour to go back to? It is not ideal but having snort die is not the best solution either. Can I get rid of the break in PacketLoop?

What version of the DAQ tarball and IPQ DAQ (./snort --daq-list) are you using? That should have been fixed a while back.

I am using ipq and nfq
Available DAQ modules:
nfq(v6): live inline multi
ipq(v5): live inline multi

Assuming you have the latest, if you are only running IPQ updating snort.c is an option. If you might run other DAQs, including pcap, suggest making the change in the IPQ DAQ module itself (daq_ipq.c).

I am not using pcap. I am using snort 2.9.1.2. Can I copy snort.c from 2.9.2 sources? Unfortunately I cannot move to 2.9.2 at this point in time.

Also, it would be helpful if you could send the specific error so that can be ignored.

The error that I am seeing is "Can't acquire (-1) - ipq_daq_acquire: ipq_read=-1 error Failed to receive netlink message". On another system that has more memory and a higher rmem and wmem, the same test works just fine. I am not sure if these two config settings make any difference.

On Thu, Feb 2, 2012 at 7:18 PM, Sudarshan Raghavan <sudarshan.t.raghavan () gmail com> wrote:

Do I have to increase some buffer size? Can the -1 error from ipq_read be ignored? I am seeing this error every time I try to upload a 60MB file over HTTP.
Regards,
Sudarshan

On Thu, Feb 2, 2012 at 7:05 PM, Sudarshan Raghavan <sudarshan.t.raghavan () gmail com> wrote:

Snort Version: 2.9.1.2 IPv6 GRE
libpcap: 0.8.3
pcre: 7.0 18-Dec-2006
zlib: 1.2.3
Linux Kernel: 2.6.37.3 (32 bit)

We are seeing snort exit when trying a http file upload with this error "Can't acquire (-1) - ipq_daq_acquire: ipq_read=-1 error Failed to receive netlink message". Has anyone seen this error message before?

Regards,
Sudarshan

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
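
Review bot: In the snort.c hunk at the top of this message, replacing `break` with `continue` under `if ( !ScReadMode() || !PQ_Next() )` removes the loop exit for every case that reaches this branch, not only the ipq_read -1 failure: in read mode with no next pcap the loop no longer ends, and a persistent acquire error on any DAQ keeps the loop running instead of exiting. The in-code comment "we're done" no longer describes the behaviour, and if the pending-signal check that follows the closing braces sits in the same loop body, `continue` skips it on this path. Suggest limiting the retry to the specific transient error (or making the change in daq_ipq.c, as suggested in the thread), keeping `break` for the other cases, and dropping the commented-out `//break;` line.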