Snort mailing list archives

Re: [PATCHES] Fixes for daq_nfq
From: Kelvie Wong <kwong () wurldtech com>
Date: Tue, 2 Nov 2010 13:31:21 -0700

On November 2, 2010 01:08:36 pm Russ Combs wrote:
Too bad NFQ is so buggy.  Any idea when this fails and when not?  Is it
certain traffic?


I am not quite sure.  Mainly I have been testing this with a nmap scan of the 
TCP ports; this also happens for a storm of TCP packets as well.  I hadn't 
tested this against other types of traffic, prior to applying this patch.

If this happens always or never, for a given run of Snort, the patch is
reasonable.  If it is every other packet, we may be better off just adding
the smallest delta possible to the timestamp to keep them sequenced.

For the type of traffic I had tested (I placed printf statements inside 
there), it was every single packet, and not just some of them.
 
The freeze scenario should be eliminated with daq 0.3.  Can you verify
that?

I do not have a test bench set up right now, but I may be able to get a few 
tests in later after I have exhausted my other commitments.


The early exit is a little different.  Does this indicate a permanent
error?  Can you elaborate on the conditions?

The errors were presumed permanent and Snort exits to avoid consuming
excessive resources.

I have attached a packet capture that can reproduce it every single time on 
one of our hardware configurations -- I have not tested it elsewhere.  Packets 
are still queued normally from NFQ after nfq_handle_packet returns an error.

Snort exits at around the 1000th packet.

As I have mentioned earlier, I don't have a test environment set up currently 
(nor the time to set it up), so I'm terribly sorry I can't be of more help 
right now.

-- 
Kelvie Wong
Software Developer

Wurldtech Security Technologies Inc.
Suite 1680 - 401 West Georgia St.
Vancouver, B.C.  V6B 5A1
Canada

Phone:       + 1.604.669.6674
Toll Free:   + 1.877.369.6674
Fax:         + 1.604.669.2902
Website:    http://www.wurldtech.com/


Attachment: Clean pcap of subtest 1013 that breaks snort.pcap.gz

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
