[Snort-devel] why libnet0 and libipq ?

justin joseph justinjoseph007 at ...2499...
Mon Aug 10 04:23:00 EDT 2009


Hi

Snort inline support is using libnet0 and libipq in snort-2.8.4. Why is it not using
libnet1 (for injecting) and libnetfilter_queue (for queuing-related functions)?
On Ubuntu Hardy with 2.8.4 in inline mode I get "snort uses obsolete
(PF_INET,SOCK_PACKET)" in syslog; it's working though.

For Linux kernel the files that use libnet are (grep-ed for libnet.h inclusion):

./detection-plugins/sp_react.c
./detection-plugins/sp_respond.c
./inline.c

Apart from the WIN32 files.

On the snort mailing list (URL:
http://marc.info/?l=snort-users&m=114436610629372&w=2 )
it mentions libnet1 in the instructions for building Snort 2.6-beta or
2.4.4. Is that a mistake,
or did snort migrate to libnet1 for some time?

Is there any particular reason for not migrating to libnet1?

Also, I am getting too many "nf_conntrack: table full, dropping packet." messages in syslog.
Does this mean the kernel is dropping packets when snort is run in inline mode?
Could this be because of using a deprecated library?

IMHO this issue is probably the reason why in Debian and Ubuntu snort inline
mode is not supported.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=433775
https://bugs.launchpad.net/ubuntu/+source/snort/+bug/466

Are these right questions or am I just confused?

Would it be nice (better performance??) if someone migrated libipq and libnet0
to libnetfilter_queue and libnet1? Or hasn't this been migrated because of
some issues
I don't know about yet?

Thank you
Justin