Snort mailing list archives

Pfring crashes the kernel with white lists.


From: livio Ricciulli <livio () metaflows com>
Date: Wed, 20 Jun 2012 16:58:12 -0700

It looks like the ssl dynamic processor of the latest snort 
distributions causes the DAQ verdict to be WHITE_LIST for certain ssl 
connections.
This is perfectly ok if you are NOT using --daq pfring.
If you use --daq pfring with snort 2.9.2.x, it will cause pfring to add 
a monotonically increasing number of WHITE_LIST pfring filters in
kernel memory causing memory exhaustion and eventually a crash after a 
few hours/days/months depending on your traffic rate. We have
a pfring distribution that fixes this and other problems (like 
supporting bpf filtering) at http://www.metaflows.com/pfring/PF_RING.tgz

The WHITE_LIST fix is very simple; basically, if the verdict from the 
snort processing is WHITE_LIST, you set it to PASS instead in daq_pfring.c.

We will send these fixes to the Ntop folks as well.

Livio.


On 06/20/2012 10:12 AM, Tran M. Thang wrote:
Hi,

Anyone can help me to write snort rules for detecting "TCP Portscan and PortSweep" scan? I knew that snort has 
modules to detect types of scan. But I want to have custom rules that can use plugin snortsam to block types of scan.

Thanks

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!


_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
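
A simplified model of the failure and the fix described in the message above, added here as an illustration; it is not code from daq_pfring.c or PF_RING. The verdict names, the table capacity and the traffic mix are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-ins for the verdicts named in the post (hypothetical names). */
typedef enum { V_PASS, V_BLOCK, V_WHITELIST } verdict_t;

#define FILTER_CAPACITY 1024  /* constructed limit standing in for kernel memory */

/* Model of the per-flow filter state the capture module keeps in the kernel. */
typedef struct {
    size_t installed;  /* filters currently held */
    int exhausted;     /* set once an install no longer fits */
} filter_table_t;

/* Install one filter. Nothing in this model removes filters, matching the
   monotonically increasing count described in the post. */
static void install_filter(filter_table_t *t) {
    if (t->installed >= FILTER_CAPACITY) { t->exhausted = 1; return; }
    t->installed++;
}

/* The fix described in the post: a WHITE_LIST verdict is handled as PASS. */
verdict_t remap_verdict(verdict_t v) {
    return v == V_WHITELIST ? V_PASS : v;
}

/* Apply one verdict; only WHITE_LIST creates kernel state in this model. */
static void apply_verdict(filter_table_t *t, verdict_t v, int with_fix) {
    if (with_fix) v = remap_verdict(v);
    if (v == V_WHITELIST) install_filter(t);
}

/* Feed n_flows flows; every ssl_every-th flow gets WHITE_LIST (constructed traffic). */
filter_table_t simulate(size_t n_flows, size_t ssl_every, int with_fix) {
    filter_table_t t = {0, 0};
    for (size_t i = 1; i <= n_flows; i++) {
        verdict_t v = (i % ssl_every == 0) ? V_WHITELIST : V_PASS;
        apply_verdict(&t, v, with_fix);
    }
    return t;
}

int main(void) {
    filter_table_t before = simulate(100000, 10, 0);
    filter_table_t after = simulate(100000, 10, 1);
    printf("without fix: %zu filters, exhausted=%d\n", before.installed, before.exhausted);
    printf("with fix:    %zu filters, exhausted=%d\n", after.installed, after.exhausted);
    return 0;
}
```
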

