Snort mailing list archives

Re: Snort+ : logging in afpacket mode


From: "Shravan Rangarajuvenkata \(shrarang\) via Snort-users" <snort-users () lists snort org>
Date: Mon, 24 Sep 2018 17:27:16 +0000

Snort creates one DAQ instance per thread, and each DAQ instance creates one packet socket. When fanout mode is used, 
each packet is sent to only one socket in the fanout group. When you set fanout_type to hash, all packets belonging to 
one flow are sent to one socket. The socket is selected based on the hash computed for the flow, and the hash is a 
function of the network addresses of the flow. Please refer to "man packet" for more information regarding fanout options.

I am assuming that when you were using fanout options, both scp flows went to the same Snort thread, and therefore you 
see only one alert file. When you were not using fanout options, each packet was being sent to all the Snort threads 
and each thread was creating alerts. Thus you had 4 alert files with duplicate alerts.

To confirm the above, can you please provide us with more information?

  1.  Were you seeing the same alerts in all 4 log files when you were not using fanout options?
  2.  Did you miss any alerts when you used the fanout options? You should not see any duplicate alerts when using 
fanout, but all the unique alerts should still be generated.

Thanks,
Shravan

-------- Forwarded Message --------
Subject: [Snort-users] Snort+ : logging in afpacket mode
Date: Thu, 20 Sep 2018 20:46:03 +0300
From: Meridoff via Snort-users <snort-users () lists snort org>
Reply-To: Meridoff <oagvozd () gmail com>
To: snort-users () lists snort org


Hello
I run 4 packet threads in afpacket tap mode, in alert_fast mode.
I can see 4 log files (0..4_alert_fast.txt) which are the same, because 4 daq threads run.

Now I set fanout_type to hash (and fanout_flag to rollover or defrag) and I see that logging goes to only 1 file 
(e.g. 1_alert_fast.txt).

I test all this with one rule ("tcp any any") and 2 scp processes to generate traffic (2 big file transfers in parallel).

How can it (the difference in the number of log files that are written) be explained?

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

        To unsubscribe, send an email to:
        snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
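The fanout behaviour described in Shravan's reply, as an added example that is not code from this thread, from Snort or from libdaq. It packs the PACKET_FANOUT setsockopt value the way packet(7) documents it, shows how N DAQ-style packet sockets would join one fanout group, and models the two dispatch modes (no fanout: every socket gets every packet; hash fanout: one socket per flow) over constructed traffic from two parallel scp sessions, so that the duplicate-vs-missing check from the reply's two questions can be run offline. The PACKET_FANOUT constants are the real values from <linux/if_packet.h>; the flow hash is a deliberately simple symmetric stand-in and is not the kernel's algorithm; join_fanout_group needs Linux and CAP_NET_RAW and is not called by the model. The packet dictionaries, addresses and ports are constructed sample data.

```python
"""Model of how AF_PACKET fanout changes what each Snort packet thread sees.

Added example for this thread; not code from Snort, libdaq or the posters.
The PACKET_FANOUT constants are the real values from <linux/if_packet.h>;
the flow hash is a simplified symmetric model and NOT the kernel's algorithm.
"""
import socket
import zlib
from collections import Counter

# Real values from <linux/if_packet.h> / <linux/if_ether.h> on Linux.
SOL_PACKET = 263
PACKET_FANOUT = 18
PACKET_FANOUT_HASH = 0
PACKET_FANOUT_LB = 1
PACKET_FANOUT_CPU = 2
PACKET_FANOUT_FLAG_ROLLOVER = 0x1000
PACKET_FANOUT_FLAG_DEFRAG = 0x8000
ETH_P_ALL = 0x0003


def fanout_arg(group_id, fanout_type, flags=0):
    """Pack the PACKET_FANOUT setsockopt value as packet(7) describes:
    low 16 bits = fanout group id, high 16 bits = type ORed with flags."""
    if not 0 <= group_id <= 0xFFFF:
        raise ValueError("fanout group id must fit in 16 bits")
    return group_id | ((fanout_type | flags) << 16)


def join_fanout_group(ifname, group_id, n_sockets,
                      fanout_type=PACKET_FANOUT_HASH, flags=0):
    """Open n_sockets AF_PACKET sockets on ifname and put them in one fanout
    group, roughly what n DAQ instances do in afpacket mode. Needs Linux and
    CAP_NET_RAW; not exercised by the offline model below."""
    arg = fanout_arg(group_id, fanout_type, flags)
    socks = []
    for _ in range(n_sockets):
        s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
        s.bind((ifname, 0))
        s.setsockopt(SOL_PACKET, PACKET_FANOUT, arg)
        socks.append(s)
    return socks


def flow_key(pkt):
    """Direction-independent 5-tuple, so both halves of a TCP conversation
    land on the same socket (what a stateful IDS needs)."""
    ends = sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
    return (pkt["proto"], ends[0], ends[1])


def fanout_socket_index(pkt, n_sockets):
    """Model of PACKET_FANOUT_HASH: flow hash modulo group size.
    Simplified stand-in; the kernel uses its own skb flow hash."""
    return zlib.crc32(repr(flow_key(pkt)).encode()) % n_sockets


def dispatch(packets, n_sockets, use_fanout):
    """Return one packet list per socket (i.e. per Snort packet thread).
    use_fanout=False: every socket bound to the interface receives a copy of
    every packet.  use_fanout=True: each packet goes to exactly one socket,
    chosen per flow."""
    queues = [[] for _ in range(n_sockets)]
    for pkt in packets:
        targets = [queues[fanout_socket_index(pkt, n_sockets)]] if use_fanout else queues
        for q in targets:
            q.append(pkt)
    return queues


def is_tcp(pkt):
    """Stand-in for the poster's 'tcp any any' rule."""
    return pkt["proto"] == "tcp"


def alert_files(queues, rule=is_tcp):
    """Model of alert_fast output: one file per thread, one line per match."""
    return [[f"{p['src']}:{p['sport']} -> {p['dst']}:{p['dport']}"
             for p in q if rule(p)] for q in queues]


def duplicates_and_missing(files, packets, rule=is_tcp):
    """The two checks from the reply: (alerts seen more than once across all
    files, alerts that no file contains), returned as a pair of counts."""
    expected = Counter(alert_files([packets], rule)[0])
    observed = Counter(line for f in files for line in f)
    dup = sum(max(0, observed[k] - expected[k]) for k in observed)
    missing = sum(max(0, expected[k] - observed[k]) for k in expected)
    return dup, missing


def make_scp_flows():
    """Constructed sample traffic: two parallel scp sessions, five packets in
    each direction per session (20 packets total)."""
    pkts = []
    for sport in (40001, 40002):
        for _ in range(5):
            pkts.append({"proto": "tcp", "src": "10.0.0.1", "sport": sport,
                         "dst": "10.0.0.2", "dport": 22})
            pkts.append({"proto": "tcp", "src": "10.0.0.2", "sport": 22,
                         "dst": "10.0.0.1", "dport": sport})
    return pkts


if __name__ == "__main__":
    pkts = make_scp_flows()
    for fanout in (False, True):
        files = alert_files(dispatch(pkts, 4, fanout))
        print(f"fanout={fanout}: lines per file {[len(f) for f in files]}, "
              f"(duplicates, missing)={duplicates_and_missing(files, pkts)}")
```

Run stand-alone it prints the per-file line counts for both modes: without fanout all four files carry every alert (duplicates, nothing missing), which matches the four identical alert_fast files in the question; with hash fanout the 20 packets of the two sessions land in at most two files and the union of the files is still complete, which is the "no duplicates, nothing missing" outcome the reply asks the poster to confirm. Because the model's key is direction-independent, both directions of each scp session map to the same socket; on a real sensor the equivalent check is whether one alert file shows both directions of a session, since a split would defeat stream reassembly.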
