Snort mailing list archives
Re: Pfring crashes the kernel with white lists.
From: Peter Bates <peter.bates () ucl ac uk>
Date: Wed, 18 Jul 2012 21:36:05 +0100
Hello all - and apologies for cross-posting.

On 21/06/2012 00:58, livio Ricciulli wrote:
> It looks like the ssl dynamic processor of the latest snort distributions causes the DAQ verdict to be WHITE_LIST for certain ssl connections. This is perfectly ok if you are NOT using --daq pfring. If you use --daq pfring with snort 2.9.2.x, it will cause pfring to add a monotonically increasing number of WHITE_LIST pfring filters in kernel memory causing memory exhaustion and eventually a crash after a few hours/days/months depending on your traffic rate.
>
> We have a pfring distribution that fixes this and other problems (like supporting bpf filtering) at http://www.metaflows.com/pfring/PF_RING.tgz
>
> The WHITE_LIST fix is very simple; basically, if the verdict from the snort processing is WHITE_LIST, you set it to PASS instead in daq_pfring.c. We will send these fixes to the Ntop folks as well.
This bug hit me today with PF_RING from svn and Snort 2.9.2.3 - available RAM was exhausted over the course of a couple of hours and left me with a dead IDS (well, until I reboot it tomorrow).

I'd appreciate it if the Metaflows changes could make it into the current version of PF_RING and PF_RING DAQ - I presume there's no change in Snort 2.9.3 that will alter this behaviour.

--
Peter Bates
Senior Computer Security Officer    Phone: +44(0)2076792049
Information Services Division       Internal Ext: 32049
University College London
London WC1E 6BT
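
A model of the failure mode and the fix described in the message above, as an added example that is not part of the original post and is not code from daq_pfring.c or PF_RING. The verdict names, `sensor_verdict`, `replay` and the assumption that each whitelisted flow installs one kernel filter that is never freed are illustrative; the flow counts are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Local stand-ins for the DAQ verdicts discussed in the thread. */
typedef enum { V_PASS, V_BLOCK, V_WHITELIST } verdict_t;

typedef struct {
    size_t kernel_filters;  /* filters installed; never freed in this model */
    size_t to_userspace;    /* packets delivered to the sensor */
} stats_t;

/* The fix described in the thread: treat WHITE_LIST as PASS. */
verdict_t normalize_verdict(verdict_t v) {
    return v == V_WHITELIST ? V_PASS : v;
}

/* Assumed sensor behaviour: SSL flows get a whitelist verdict. */
static verdict_t sensor_verdict(int is_ssl) {
    return is_ssl ? V_WHITELIST : V_PASS;
}

/* Replay `flows` flows of `pkts` packets each; every `ssl_every`-th flow
 * is SSL. `patched` selects the remapped verdict handling. */
stats_t replay(size_t flows, size_t pkts, size_t ssl_every, int patched) {
    stats_t s = {0, 0};
    for (size_t f = 0; f < flows; f++) {
        int is_ssl = ssl_every && (f % ssl_every) == 0;
        int filtered = 0;  /* does a kernel filter already cover this flow? */
        for (size_t p = 0; p < pkts; p++) {
            if (filtered) continue;        /* handled in kernel, no verdict */
            s.to_userspace++;
            verdict_t v = sensor_verdict(is_ssl);
            if (patched) v = normalize_verdict(v);
            if (v == V_WHITELIST) {        /* one new filter per flow */
                s.kernel_filters++;
                filtered = 1;
            }
        }
    }
    return s;
}

int main(void) {
    stats_t a = replay(1000, 10, 4, 0), b = replay(1000, 10, 4, 1);
    printf("unpatched: %zu filters, %zu pkts to sensor\n", a.kernel_filters, a.to_userspace);
    printf("patched:   %zu filters, %zu pkts to sensor\n", b.kernel_filters, b.to_userspace);
    return 0;
}
```

In the model the unpatched filter count tracks the number of SSL flows ever seen, while the patched path installs none and instead delivers every packet of those flows to the sensor.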