[Snort-devel] why libnet0 and libipq ?

Russ Combs rcombs at ...402...
Mon Aug 10 13:48:53 EDT 2009


Justin,

I don't think Snort ever used libnet1 for those modules.  Furthermore, like
many other applications, Snort will be moving from libnet to dnet in an
upcoming release.

Don't know why you are dropping but it probably isn't specifically due to
libnet0.  libnetfilter_queue sounds like something worth trying if you have
the time.  ;)

Russ

On Mon, Aug 10, 2009 at 4:23 AM, justin joseph <justinjoseph007 at ...2499...> wrote:

> Hi
>
> Snort inline support is using libnet0 and libipq in snort-2.8.4.  Why
> is it not using libnet1 (for injecting) and libnetfilter_queue (for
> queuing related functions)?
> On Ubuntu Hardy with 2.8.4 in inline mode I get "snort uses obsolete
> (PF_INET,SOCK_PACKET)" in syslog; it's working though.
>
> For Linux kernel the files that use libnet are (grep-ed for libnet.h
> inclusion):
>
> ./detection-plugins/sp_react.c
> ./detection-plugins/sp_respond.c
> ./inline.c
>
> Apart from the WIN32 files.
>
> On snort mailing-list (URL:
> http://marc.info/?l=snort-users&m=114436610629372&w=2 )
> It mentions libnet1 in the instructions for building Snort 2.6-beta or
> 2.4.4.  Is that a mistake, or did snort migrate to libnet1 for some time?
>
> Is there any particular reason for not migrating to libnet1?
>
> Also, I am getting too many "nf_conntrack: table full, dropping packet."
> messages in syslog.  Does this mean the kernel is dropping packets when
> snort is run in in-line mode?
> Could this be because of using a deprecated library?
>
> IMHO this issue is probably the reason why in Debian and Ubuntu snort
> in-line mode is not supported.
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=433775
> https://bugs.launchpad.net/ubuntu/+source/snort/+bug/466
>
> Are these the right questions or am I just confused?
>
> Would it be nice (better performance??) if someone migrated libipq and
> libnet0 to libnetfilter_queue and libnet1?  Or hasn't this migrated
> because of some issues I don't know yet?
>
> Thank you
> Justin