Snort mailing list archives

Re: snort suddenly not capturing packets


From: Ben Jacobs-Swearingen <bjsdaiyu () gmail com>
Date: Thu, 9 Jan 2014 16:50:22 -0500

OK, thank you guys for your help. Carter was right: the problem was an
incompatibility between recent libpcap and snort. I was able to duplicate
the problem in an archlinux VM also running snort (use it for testing
rules) with the newest version of libpcap. I had done a sys update before
restarting snort: that'll learn me to forget about seemingly unrelated
events (HA!).

For Raspberry Pi (version B), with its limited memory, there is an additional
wrinkle of having to shrink the packet buffer or Snort will ungraciously
die shortly after finishing startup, so

 snort -c /usr/local/etc/snort/snort.conf --daq afpacket -i eth0 --daq-var buffer_size_mb=64

will work and process packets.  I'm not sure whether it won't die sometime
later (and not sure what implications a smaller packet buffer has for
performance), but at least now I know what the problem is.  Hopefully
whatever has gone wrong with the libpcap update (other applications seem to be
having this issue; now I know what to Google) will get fixed.

Thanks again everyone.


On Thu, Jan 9, 2014 at 9:02 AM, Carter Waxman (cwaxman)
<cwaxman () cisco com> wrote:


 Hello Ben,

 Just out of curiosity, are you using the pcap DAQ? What version of
libpcap do you have installed? I have experienced the same issue with Arch
x64 and it seems to be tied to a versioning issue (libpcap 1.5.1-1 and
above breaks in my case). Try either using the afpacket DAQ (add --daq
afpacket to the command line) or downgrading to libpcap 1.4.0 (here is a
link for convenience: http://www.tcpdump.org/release/libpcap-1.4.0.tar.gz).

 Let me know how that works,
Carter

  From: Ben Jacobs-Swearingen <bjsdaiyu () gmail com>
Date: Wednesday, January 8, 2014 7:39 PM
To: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
Subject: [Snort-users] snort suddenly not capturing packets

  Hello:

 I recently restarted snort on an ArchLinux ARM (Raspberry Pi) sensor
with new rules (and a slightly modified snort.conf); the post-reboot snort
will launch without explicit errors but appears not to be listening to any
interfaces on the sensor and I am unable to figure out why.  Snort had been
working correctly for months prior to this change.

 The sensor has two interfaces, eth0 and eth1; mirrored traffic (for
snort to process) is being sent to eth0 (which is up and running though it
does not have a configured IP address), while eth1 has a configured address
on an admin segment. Prior to changing the rules and rebooting snort, snort
was listening to and correctly processing traffic on eth0.

 -  "tcpdump -i eth0" works just fine, it sees all mirrored traffic

 - "snort -dev -l . -i eth0" makes it to the "listening" stage but
appears to not pick up any of the traffic I generate across the interface;
again, tcpdump sees this traffic just fine.  "snort -dev ..."  also does
not work when I set it to listen on eth1 (tcpdump works there as well).

 - "snort -r <bad.pcap> -c .../snort.conf" with <bad.pcap> containing
traffic I want flagged DOES work correctly: the traffic is processed
according to the rules, alerts are correct and sent to the correct
repository.

 I suspect my changes to snort.conf might have introduced a problem that
I simply am not seeing, so I have attached the conf file for examination (but
am confused in that case why "snort -r" is working since it's using the
same conf file).

 Alternately, I have attached an strace in case something with the
interface setup somehow got screwed up (as suggested by the fact that snort
replay is working). I see in strace there are some errors with
setsockopt(...) which might be more relevant to the capturing issue; any
idea what might be causing those, assuming that those aren't par for the
course?

 The only similar posts I could find on this topic discuss various issues
with DAQ; I don't see how those might apply in my case since the
installation was working for months prior to today.

 Thanks for any help.
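The workaround the thread converges on (switch from the pcap DAQ to afpacket when the installed libpcap is 1.5.1 or newer, and shrink the afpacket ring buffer on low-memory sensors such as the Raspberry Pi B) can be encoded in a small launch wrapper. The script below is an added example, not code from any poster or from the Snort project; it assumes pkg-config can report the libpcap version, takes the 1.5.1 threshold from Carter's report, and uses a constructed heuristic of 64 MB for hosts under 1 GB of RAM based on Ben's Pi B figure (128 MB elsewhere is assumed to match the afpacket DAQ default).

```shell
#!/bin/sh
# Added example (not from the thread): pick Snort's DAQ and afpacket ring-buffer
# size from the installed libpcap version and host memory, then launch Snort.
# Thresholds are assumptions taken from the thread: libpcap >= 1.5.1 broke the
# pcap DAQ for Carter; 64 MB was the buffer Ben needed on a 512 MB Pi B.

# ver_ge A B: succeed (exit 0) when dotted version A is >= B, POSIX sh only.
ver_ge() {
    a="$1." b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; a="${a#*.}"
        y="${b%%.*}"; b="${b#*.}"
        x="${x:-0}"; y="${y:-0}"
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# pick_daq VERSION: echo the DAQ to use for the given libpcap version.
pick_daq() {
    if ver_ge "$1" 1.5.1; then echo afpacket; else echo pcap; fi
}

# pick_buffer_mb MEMTOTAL_KB: afpacket buffer_size_mb for this host (assumed
# heuristic: under 1 GB of RAM gets 64 MB, otherwise the assumed default 128).
pick_buffer_mb() {
    if [ "$1" -lt 1048576 ]; then echo 64; else echo 128; fi
}

# libpcap_version: installed libpcap version with any package suffix
# (e.g. "-1") stripped; "0" when pkg-config cannot find it (assumption).
libpcap_version() {
    v="$(pkg-config --modversion libpcap 2>/dev/null)" || v=0
    echo "${v%%-*}"
}

# build_cmd CONF IFACE VERSION MEMTOTAL_KB: echo the snort command line.
build_cmd() {
    daq="$(pick_daq "$3")"
    cmd="snort -c $1 --daq $daq -i $2"
    if [ "$daq" = afpacket ]; then
        cmd="$cmd --daq-var buffer_size_mb=$(pick_buffer_mb "$4")"
    fi
    echo "$cmd"
}

# Usage: SNORT_CONF=/usr/local/etc/snort/snort.conf IFACE=eth0 sh snort-start.sh
if [ -n "${SNORT_CONF:-}" ]; then
    mem_kb="$(awk '/^MemTotal:/ {print $2}' /proc/meminfo)"
    exec $(build_cmd "$SNORT_CONF" "${IFACE:-eth0}" "$(libpcap_version)" "$mem_kb")
fi
```

Run it with SNORT_CONF unset to exercise the helpers without launching Snort; it only execs Snort when SNORT_CONF is exported.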
