Snort mailing list archives

Re: Snort 3 ipfw multithreading errors


From: "Shravan Rangarajuvenkata (shrarang) via Snort-devel" <snort-devel () lists snort org>
Date: Fri, 26 Oct 2018 12:23:27 +0000

I need to correct myself. There is a way to configure DAQ for multiple threads. Please refer to snort3 documentation 
section – DAQ Configuration and Modules 
(https://snort-org-site.s3.amazonaws.com/production/release_files/files/000/008/467/original/snort_manual.html?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIXACIED2SPMSC7GA%2F20181026%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20181026T121327Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=258b175bb2db79ccedb96163163183895a59011ffbeae677e310a46faa2cede2#_configuration_7).

You will need to configure a separate port for each thread.

Also, please note that snort3 doesn’t yet support load balancing internally.

Thanks,
Shravan

From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of "Shravan Rangarajuvenkata (shrarang) via Snort-devel" <snort-devel () lists snort org>
Reply-To: "Shravan Rangarajuvenkata (shrarang)" <shrarang () cisco com>
Date: Thursday, October 25, 2018 at 12:54 PM
To: "yunus.can () arjeta com tr" <yunus.can () arjeta com tr>, "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: Re: [Snort-devel] Snort 3 ipfw multithreading errors

Unfortunately, this is a bug in snort3 in multi-threaded mode. We will fix this issue ASAP. Thanks for reporting it!

Thanks,
Shravan

From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of "yunus.can () arjeta com tr" <yunus.can () arjeta com tr>
Date: Wednesday, October 24, 2018 at 4:09 AM
To: "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: [Snort-devel] Snort 3 ipfw multithreading errors

Hello,

I use the snort3 run option with multithreading, the ipfw DAQ module and port 5000, but I can't start snort3.
I see this error:

ipfw DAQ configured to passive.
Commencing packet processing
++ [0]
++ [1]
++ [2]
Can't start DAQ (-1) - ipfw_daq_start: can't bind divert socket (Address already in use)

Analyzer: Failed to start DAQ instance
Can't start DAQ (-1) - ipfw_daq_start: can't bind divert socket (Address already in use)

Analyzer: Failed to start DAQ instance
-- [0]
-- [2]


Can you help with this error?


FreeBSD version:

FreeBSD snort 11.2-RELEASE-p4



Snort version:
   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.0.0 (Build 247) FreeBSD
   ''''    By Martin Roesch & The Snort Team
           http://snort.org/contact#team
           Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using DAQ version 2.2.2
           Using LuaJIT version 2.0.5
           Using OpenSSL 1.0.2p  14 Aug 2018
           Using libpcap version 1.9.0-PRE-GIT
           Using PCRE version 8.41 2017-07-05
           Using ZLIB version 1.2.11
           Using FlatBuffers 1.8.0
           Using Hyperscan version 4.7.0 2018-10-03
           Using LZMA version 5.2.3



Run command:

/usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua --daq ipfw --daq-var port=5000 -l /var/log/snort -k none -A alert_full -z 3
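
The bind failure in the log above, and the one-port-per-thread fix from the reply, reproduced as an added example (not Snort or DAQ source, and not posted by anyone in this thread). It assumes plain UDP sockets as a stand-in for FreeBSD divert sockets, which need root and ipfw; start_instances is a hypothetical helper name.

```c
/* Added illustration. UDP sockets stand in for divert sockets (assumption):
 * both are claimed with bind() on a port number, so a second bind to a port
 * that is already held fails with EADDRINUSE ("Address already in use"). */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define INSTANCES 3   /* mirrors -z 3 from the report */

/* Bind one socket per packet thread. port_step = 0 gives every instance the
 * same port (the failing run); port_step = 1 gives base, base+1, base+2.
 * Returns how many instances hit EADDRINUSE, or -1 on any other error. */
int start_instances(unsigned short base_port, int port_step)
{
    int fds[INSTANCES], in_use = 0, other = 0;

    for (int i = 0; i < INSTANCES; i++) {
        struct sockaddr_in sin;
        memset(&sin, 0, sizeof(sin));
        sin.sin_family = AF_INET;
        sin.sin_addr.s_addr = htonl(INADDR_ANY);
        sin.sin_port = htons((unsigned short)(base_port + i * port_step));

        fds[i] = socket(AF_INET, SOCK_DGRAM, 0);
        if (fds[i] < 0) { other++; continue; }
        if (bind(fds[i], (struct sockaddr *)&sin, sizeof(sin)) < 0) {
            if (errno == EADDRINUSE) in_use++; else other++;
            printf("instance %d: can't bind port %u (%s)\n",
                   i, (unsigned)ntohs(sin.sin_port), strerror(errno));
        }
    }
    /* Sockets are held until every instance has tried, then released. */
    for (int i = 0; i < INSTANCES; i++)
        if (fds[i] >= 0) close(fds[i]);
    return other ? -1 : in_use;
}

int main(void)
{
    printf("shared port:     %d failed\n", start_instances(5000, 0));
    printf("port per thread: %d failed\n", start_instances(5000, 1));
    return 0;
}
```

With one shared port the first instance binds and the other two fail, which matches the two "Can't start DAQ" errors in the three-thread run above.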