[Snort-devel] why libnet0 and libipq ?

justin joseph justinjoseph007 at ...2499...
Tue Aug 11 09:06:47 EDT 2009


Hello Russ

On Mon, Aug 10, 2009 at 11:18 PM, Russ Combs <rcombs at ...402...> wrote:
> Don't know why you are dropping but it probably isn't specifically due to
> libnet0.  libnetfilter_queue sounds like something worth trying if you have
> the time.  ;)

We were trying to migrate to netfilter_queue and in the process figured out
that the last stable release
of snort-inline ( http://snort-inline.sourceforge.net/download.html )
had support for libnetfilter_queue (also dnet).
So I downloaded it from the snort-inline site and configured it with
--enable-nfnetlink.  My build won't run though,
with the error below:

NFNETLINK answers: Invalid argument
[26348] error during nfq_unbind_pf()

This I think came up in kernel version 2.6.23 and then stayed (my
kernel is 2.6.24-19-server)?
Turning off the error check for that function will not exit snort, but it
still won't work.

Why was the support for libnetfilter_queue in snort-inline not merged
with snort?

And is snort_inline developed separately still?  I see commits to
snort-inline at sourceforge.

Does snort have an svn repo like snort-inline at SourceForge?

What relation do the two efforts (snort.org and
snort-inline.sourceforge.net) share at present?

thank you
Justin

>
> Russ
>
> On Mon, Aug 10, 2009 at 4:23 AM, justin joseph <justinjoseph007 at ...3054....>
> wrote:
>>
>> Hi
>>
>> Snort inline support is using libnet0 and libipq in snort-2.8.4.  Why
>> is it not using
>> libnet1 (for injecting) and libnetfilter_queue (for queuing-related
>> functions)?
>> On Ubuntu Hardy with 2.8.4 in inline mode I get "snort uses obsolete
>> (PF_INET,SOCK_PACKET)"
>> in syslog, its working though.
>>
>> For Linux kernel the files that use libnet are (grep-ed for libnet.h
>> inclusion):
>>
>> ./detection-plugins/sp_react.c
>> ./detection-plugins/sp_respond.c
>> ./inline.c
>>
>> Apart from the WIN32 files.
>>
>> On snort mailing-list (URL:
>> http://marc.info/?l=snort-users&m=114436610629372&w=2 )
>> It mentions libnet1 in the instructions for building Snort 2.6-beta or
>> 2.4.4.  Is that a mistake
>> or did snort migrate to libnet1 for some time?
>>
>> Is there any particular reason for not migrating to libnet1?
>>
>> Also I am getting too many "nf_conntrack: table full, dropping packet." in
>> syslog.
>> Does this mean the kernel is dropping packets when snort is run in in-line
>> mode?
>> Could this be because of using a deprecated library?
>>
>> IMHO this issue is probably the reason why in Debian and Ubuntu snort
>> in-line
>> mode is not supported.
>>
>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=433775
>> https://bugs.launchpad.net/ubuntu/+source/snort/+bug/466
>>
>> Are these right questions or am I just confused?
>>
>> Would it be nice (better performance??) if someone migrated libipq and
>> libnet0
>> to libnetfilter_queue and libnet1?  Or hasn't this been migrated because of
>> some issues
>> I don't know about yet?
>>
>> Thank you
>> Justin
>>
>>
>> _______________________________________________
>> Snort-devel mailing list
>> Snort-devel at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>
>

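An added diagnostic for the "nf_conntrack: table full, dropping packet." question raised in this thread; it is not code from Snort, snort-inline or the kernel. A "table full" drop happens in the conntrack hook, which runs before any QUEUE/NFQUEUE rule in the filter table, so those packets are dropped by the kernel before Snort (via libipq or libnetfilter_queue) ever sees them; which injection or queue library Snort links against does not change that. The script counts the "table full" and "uses obsolete (PF_INET,SOCK_PACKET)" lines in a syslog file and compares nf_conntrack_count against nf_conntrack_max, the sysctl files a 2.6 kernel exposes under /proc/sys/net/netfilter. The syslog lines and sysctl values it runs on below are constructed samples; pass /var/log/syslog and /proc/sys/net/netfilter instead to check a live sensor.

```shell
#!/bin/sh
# Added diagnostic for the "nf_conntrack: table full" question in this thread.
# Not code from Snort, snort-inline or the kernel; the syslog lines and the
# sysctl values it runs on here are constructed samples. The sysctl file names
# (nf_conntrack_count, nf_conntrack_max) are the real ones the 2.6 kernel
# exposes under /proc/sys/net/netfilter.

# Count "table full" drops in a syslog file. grep -c prints 0 on no match but
# exits 1, so the || true keeps a zero count from aborting a set -e caller.
count_conntrack_drops() {
    [ -r "$1" ] || { echo 0; return; }
    grep -c 'nf_conntrack: table full, dropping packet' "$1" || true
}

# Count the kernel's "uses obsolete (PF_INET,SOCK_PACKET)" message, which a
# libnet0 sender triggers; it is a warning, not a drop.
count_sock_packet_warnings() {
    [ -r "$1" ] || { echo 0; return; }
    grep -c 'uses obsolete (PF_INET,SOCK_PACKET)' "$1" || true
}

# Conntrack table usage read from a sysctl directory (default: the live one).
# Prints "count/max (pct%)". Exit 0 below the threshold (default 90%),
# 1 at or above it, 2 when the files are absent (nf_conntrack not loaded).
conntrack_usage() {
    dir=${1:-/proc/sys/net/netfilter}
    threshold=${2:-90}
    [ -r "$dir/nf_conntrack_count" ] && [ -r "$dir/nf_conntrack_max" ] || return 2
    count=$(cat "$dir/nf_conntrack_count")
    max=$(cat "$dir/nf_conntrack_max")
    pct=$(( count * 100 / max ))
    echo "$count/$max (${pct}%)"
    [ "$pct" -lt "$threshold" ]
}

# Combined verdict: exit 0 when neither symptom is present, 1 otherwise.
# A "table full" drop happens in the conntrack hook, before any QUEUE or
# NFQUEUE rule in the filter table, so Snort never sees those packets.
inline_drop_check() {
    syslog=$1; dir=$2; status=0
    drops=$(count_conntrack_drops "$syslog")
    if [ "$drops" -gt 0 ]; then
        echo "syslog: $drops packets dropped by conntrack before reaching the queue"
        status=1
    fi
    if usage=$(conntrack_usage "$dir"); then
        echo "conntrack table: $usage"
    else
        case $? in
            1) echo "conntrack table nearly full: $usage"; status=1 ;;
            2) echo "no nf_conntrack sysctls under $dir (module not loaded?)" ;;
        esac
    fi
    return $status
}

# Constructed fixture: a syslog excerpt and a sysctl directory in the
# /proc/sys/net/netfilter layout, with the table one entry short of full.
build_sample() {
    mkdir -p "$1/netfilter"
    cat > "$1/syslog" <<'EOF'
Aug 10 09:12:01 sensor kernel: nf_conntrack: table full, dropping packet.
Aug 10 09:12:01 sensor kernel: nf_conntrack: table full, dropping packet.
Aug 10 09:12:03 sensor kernel: snort uses obsolete (PF_INET,SOCK_PACKET)
Aug 10 09:12:05 sensor kernel: nf_conntrack: table full, dropping packet.
EOF
    echo 65536 > "$1/netfilter/nf_conntrack_max"
    echo 65535 > "$1/netfilter/nf_conntrack_count"
}

# Run against the fixture; point the two arguments at /var/log/syslog and
# /proc/sys/net/netfilter to check a live sensor instead.
work=$(mktemp -d)
build_sample "$work"
if inline_drop_check "$work/syslog" "$work/netfilter"; then
    echo "no kernel-side conntrack drops detected"
else
    echo "kernel is dropping in conntrack: raise net.netfilter.nf_conntrack_max" \
         "or exempt flows you do not need tracked (raw table, -j NOTRACK)"
fi
rm -rf "$work"
```

The split into three checks is deliberate: the SOCK_PACKET warning only tells you Snort is sending with libnet0, the "table full" count is the kernel admitting it dropped before queueing, and the count/max ratio tells you whether it will happen again; only the last two justify raising nf_conntrack_max or adding NOTRACK rules.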


