Snort mailing list archives

Re: Snort 2.9, RHEL 5 and afpacket DAQ [~Solved?]
From: Michael Altizer <xiche () verizon net>
Date: Fri, 22 Oct 2010 11:09:34 -0400

On 10/21/2010 03:52 PM, Rich Graves wrote:
> On Wed, Oct 20, 2010 at 5:06 PM, Michael Altizer <maltizer () sourcefire com> wrote:
>
> > I've attached an updated version of my previous patch which
> > incorporates item 1.
>
> On my box, this fixes snort -c. Thanks.
>
> However, snort -Tc still fails if (snort -c + snort -Tc) buffers are > 49MB.
>
> Using snort --daq pcap -Tc to test config/rule changes is an acceptable workaround for me, and probably better in most cases (unless you specifically want to test buffer memory allocation). But it either needs to be fixed or release-noted.
>
> # snort -T -c /etc/snort/snort.conf
> ...
> afpacket DAQ configured to passive.
> Floating point exception
> # echo $?
> 136


Thanks. This is in part due to the AFPacket DAQ module not being defensive enough, but the real root cause is Snort passing it an empty interface string in test mode when no interface is specified on the command line (this differs from normal mode where it uses pcap to find a default device). You can work around this by specifying an interface (-i) when running in test mode. There should be no difference between 49mb and > 49mb now.

snort --daq-dir /usr/local/lib64/daq --daq afpacket -T -c /root/snort.conf -i eth0

^ works fine on my CentOS 5.5 system.

-Michael
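
The workaround above as a reusable pre-deployment check, given as an added example that is not part of the original message or of Snort: it refuses to run test mode without an interface and separates a crash (such as exit status 136, signal 8) from an ordinary non-zero exit. `SNORT_BIN` and `DAQ_DIR` are assumed environment overrides, and treating every status from 1 to 128 as a configuration error is an assumption of this script.

```shell
#!/bin/sh
# Added example: guard Snort's test mode (-T) when using the afpacket DAQ.
# SNORT_BIN and DAQ_DIR are hypothetical overrides read by this script only.

# Map a shell exit status to a verdict. A status above 128 means the process
# was killed by signal (status - 128), so 136 is signal 8 (SIGFPE).
classify_status() {
    if [ "$1" -eq 0 ]; then
        echo "ok"
    elif [ "$1" -gt 128 ]; then
        echo "crash:$(kill -l $(( $1 - 128 )))"
    else
        # Assumption: any other non-zero exit is a config or rule error.
        echo "config-error"
    fi
}

# Run "snort -T" against a config, always with an explicit interface.
# Usage: snort_test_config <snort.conf> <interface>
snort_test_config() {
    conf=$1
    iface=$2
    if [ -z "$iface" ]; then
        # Test mode with no -i is the case reported in the thread.
        echo "refusing to test afpacket without -i <interface>" >&2
        return 2
    fi
    status=0
    "${SNORT_BIN:-snort}" ${DAQ_DIR:+--daq-dir "$DAQ_DIR"} --daq afpacket \
        -T -c "$conf" -i "$iface" >/dev/null 2>&1 || status=$?
    verdict=$(classify_status "$status")
    echo "$verdict"
    # Succeed only when Snort accepted the configuration.
    [ "$verdict" = "ok" ]
}
```

Source the file and call `snort_test_config /etc/snort/snort.conf eth0`; a `crash:` verdict points at Snort or the DAQ module rather than at the rules being tested.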