Snort mailing list archives
Re: snort suddenly not capturing packets
From: Ben Jacobs-Swearingen <bjsdaiyu () gmail com>
Date: Thu, 9 Jan 2014 16:50:22 -0500
OK, thank you guys for your help. Carter was right, the problem was an incompatibility between recent libpcap and snort. I was able to duplicate the problem in an archlinux VM also running snort (use it for testing rules) with the newest version of libpcap. I had done a sys update before restarting snort: that'll learn me to forget about seemingly unrelated events (HA!). For Raspberry Pi (version B), with its limited memory, there is additional wrinkle of having to shrink the packet buffer or Snort will ungraciously die shortly after finishing startup, so snort -c /usr/local/etc/snort/snort.conf --daq afpacket -i eth0 --daq-var buffer_size_mb=64 Will work and process packets. I'm not sure whether it won't die sometime later, (and not sure what implications smaller packet buffer has for performance) but at least now I know what the problem is. Hopefully whatever has gone wrong with libpcap update (other applications seem to be having this issue, now I know what to Google) will get fixed. Thanks again everyone. On Thu, Jan 9, 2014 at 9:02 AM, Carter Waxman (cwaxman) <cwaxman () cisco com>wrote:
Hello Ben, Just out of curiosity, are you using the pcap DAQ? What version of libpcap do you have installed? I have experienced the same issue with Arch x64 and it seems to be tied to a versioning issue (libpcap 1.5.1-1 and above breaks in my case). Try either using the afpacket DAQ (add —daq afpacket to the command line) or downgrading to libpcap 1.4.0 (here is a link for convenience: http://www.tcpdump.org/release/libpcap-1.4.0.tar.gz ). Let me know how that works, Carter From: Ben Jacobs-Swearingen <bjsdaiyu () gmail com> Date: Wednesday, January 8, 2014 7:39 PM To: "snort-users () lists sourceforge net" <snort-users () lists sourceforge netSubject: [Snort-users] snort suddenly not capturing packets Hello: I recently restarted snort on an ArchLinux ARM (Raspberry Pi) sensor with new rules (and a slightly modified snort.conf) ; the post-reboot snort will launch without explicit errors but appears not to be listening to any interfaces on the sensor and I am unable to figure out why. Snort had been working correctly for months prior to this change. The sensor has two interfaces, eth0 and eth1; mirrored traffic (for snort to process) is being sent to eth0 (which is up and running though it does not have a configured IP address), while eth1 has a configured address on an admin segment. prior to changing the rules and rebooting snort, snort was listening to and correctly processing traffic on eth0. - "tcpdump -i eth0" works just fine, it sees all mirrored traffic - "snort -dev -l . -i eth0" makes it to the "listening" stage but appears to not pick up any of the traffic i generate across the interface; again, tcpdump sees this traffic just fine. "snort -dev ..." also does not work when I set it to listen on eth1 (tcpdump works there as well). - "snort -r <bad.pcap> -c .../snort.conf" with <bad.pcap> containing traffic I want flagged DOES work correctly: the traffic is processed according to the rules, alerts are correct and sent to the correct repository. I suspect my changes to snort.conf might have introduced a problem that I simply am not seeing so have attached the conf file for examination (but am confused in that case why "snort -r" is working since it's using the same conf file). Alternately, I have attached an strace in case something with the interface setup somehow got screwed up (as suggest by the fact that snort replay is working). I see in strace there are some errors with setsockopt(...) which might be more relevant to the capturing issue; any idea what might be causing those, assuming that those aren't par for the course? The only similar posts I could find on this topic discuss various issues with DAQ; I don't see how those might apply in my case since the installation was working for months prior to today. Thanks for any help.
------------------------------------------------------------------------------ CenturyLink Cloud: The Leader in Enterprise Cloud Services. Learn Why More Businesses Are Choosing CenturyLink Cloud For Critical Workloads, Development Environments & Everything In Between. Get a Quote or Start a Free Trial Today. http://pubads.g.doubleclick.net/gampad/clk?id=119420431&iu=/4140/ostg.clktrk
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- snort suddenly not capturing packets Ben Jacobs-Swearingen (Jan 09)
- Re: snort suddenly not capturing packets Carter Waxman (cwaxman) (Jan 09)
- Re: snort suddenly not capturing packets Ben Jacobs-Swearingen (Jan 14)
- Re: snort suddenly not capturing packets Carter Waxman (cwaxman) (Jan 09)