Snort mailing list archives

FreeBSD and alert_unixsock


From: Daniel Merritt <dmerritt () gmail com>
Date: Sat, 18 Aug 2012 07:11:52 -0400

Having encountered the same problems that several others reported using
alert_unixsock and FreeBSD, I thought I'd report the solution here so that
it's on record. FreeBSD has default datagram buffer sizes too low for
alert_unixsock datagrams, which causes sendto(...) to silently fail. The
solution is:

   1. To apply the (very small) patch attached, which uses setsockopt to
   adjust the send buffer size of the socket.
   2. To adjust net.local.dgram.recvspace to something > 65k (100000 works
   well enough) by adding the appropriate line to /etc/sysctl.conf or using
   the sysctl tool after booting.

The analogous problem exists in barnyard2 on FreeBSD, and other operating
systems may also be affected. If the attached patch does not interfere with
alert_unixsock on other operating systems, it may be worth integrating into
the next release.

Daniel

Attachment: alert_unixsock.patch
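As an added example (this is not the attached patch or Snort's own alert_unixsock code), a sender that raises SO_SNDBUF with setsockopt before the datagram goes out and checks the sendto() result, so a send buffer too small for the alert fails loudly instead of silently. The 70000-byte payload is a constructed stand-in for the oversized alert datagram; the helper names are assumptions.

```c
/* Added example: Unix-domain datagram send with an adequate send buffer
 * and a checked sendto() result. Not taken from Snort or the attached patch. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Constructed stand-in for the size of one alert datagram (> 64 KiB). */
#define ALERT_DGRAM_SIZE 70000

/* Grow the socket's send buffer to at least `need` bytes if it is smaller.
 * Returns 0 on success, -1 with errno set on failure. */
int ensure_sndbuf(int fd, int need)
{
    int cur = 0;
    socklen_t len = sizeof(cur);
    if (getsockopt(fd, SOL_SOCKET, SO_SNDBUF, &cur, &len) == 0 && cur >= need)
        return 0;                          /* already large enough */
    return setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &need, sizeof(need));
}

/* Send one datagram on a connected socket. Returns bytes sent, or -1 with
 * errno set (EMSGSIZE / ENOBUFS are what a too-small buffer yields). */
ssize_t send_alert(int fd, const void *buf, size_t n)
{
    if (ensure_sndbuf(fd, (int)n) != 0)
        return -1;
    ssize_t sent = sendto(fd, buf, n, 0, NULL, 0);
    if (sent < 0)                          /* never ignore this result */
        fprintf(stderr, "sendto: %s\n", strerror(errno));
    return sent;
}

/* Self-test over an AF_UNIX/SOCK_DGRAM socketpair: returns the number of
 * bytes the peer received, or -1 if the send or receive failed. */
ssize_t roundtrip(size_t n)
{
    int sv[2];
    static char out[ALERT_DGRAM_SIZE], in[ALERT_DGRAM_SIZE];
    if (n > sizeof(out) || socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) != 0)
        return -1;
    memset(out, 'A', n);                   /* constructed payload */
    ssize_t got = send_alert(sv[0], out, n) == (ssize_t)n
                      ? recv(sv[1], in, sizeof(in), 0) : -1;
    close(sv[0]);
    close(sv[1]);
    return got;
}
```

On FreeBSD the receiving side still needs net.local.dgram.recvspace raised as described in step 2; the send buffer alone does not make the datagram fit.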

