mailing list archives
Re: [PATCHES] Fixes for daq_nfq
From: Kelvie Wong <kwong () wurldtech com>
Date: Tue, 2 Nov 2010 13:31:21 -0700
On November 2, 2010 01:08:36 pm Russ Combs wrote:
Too bad NFQ is so buggy. Any idea when this fails and when not? Is it
I am not quite sure. Mainly I have been testing this with a nmap scan of the
TCP ports; this also happens for a storm of TCP packets as well. I hadn't
tested this against other types of traffic, prior to apply this patch.
If this happens always or never, for a given run of Snort, the patch is
reasonable. If it is every other packet, we may be better off just adding
the smallest delta possible to the timestamp to keep them sequenced.
For the type of traffic I had tested (I placed printf statements inside
there), it was every single packet, and not just some of them.
The freeze scenario should be eliminated with daq 0.3. Can you verify
I do not have a test bench set up right now, but I may be able to get a few
tests in later after I have exhausted my other committments.
The early exit is a little different. Does this indicate a permanent
error? Can you elaborate on the conditions?
The errors were presumbed permanent and Snort exits to avoid consuming
I have attached a packet capture that can reproduce it every single time on
one of our hardware configurations -- I have not tested it elsewhere. Packets
are still queued normally from NFQ after nfq_handle_packet returns an error.
Snort exits at around the 1000th packet.
As I have mentioned earlier, I don't have a test environment set up currently
(nor the time to set it up), so I'm terribly sorry I can't be of more help
Wurldtech Security Technologies Inc.
Suite 1680 - 401 West Georgia St.
Vancouver, B.C. V6B 5A1
Phone: + 1.604.669.6674
Toll Free: + 1.877.369.6674
Fax: + 1.604.669.2902
"ARE YOU ACHILLES CERTIFIED?"
This message is intended only for the named recipients. This message
may contain information that is privileged, confidential or exempt
from disclosure under applicable law. Any dissemination or copying
of this message by anyone other than a named recipient is strictly
prohibited. If you are not a named recipient or an employee or agent
responsible for delivering this message to a named recipient, please
notify us immediately by telephone at 604-669-6674, and permanently
destroy this message and any copies you may have. Email may not be
secure unless properly encrypted.
Clean pcap of subtest 1013 that breaks snort.pcap.gz
Nokia and AT&T present the 2010 Calling All Innovators-North America contest
Create new apps & games for the Nokia N8 for consumers in U.S. and Canada
$10 million total in prizes - $4M cash, 500 devices, nearly $6M in marketing
Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store
Snort-devel mailing list
Snort-devel () lists sourceforge net