[Snort-devel] why libnet0 and libipq ?
justinjoseph007 at ...2499...
Tue Aug 11 09:06:47 EDT 2009
On Mon, Aug 10, 2009 at 11:18 PM, Russ Combs<rcombs at ...402...> wrote:
> Don't know why you are dropping but it probably isn't specifically due to
> libnet0. libnetfilter_queue sounds like something worth trying if you have
> the time. ;)
We're trying to migrate to nfilter_queue and in the process figured out
that the last stable release
of snort-inline ( http://snort-inline.sourceforge.net/download.html )
had support for libnetfilter_queue (also dnet).
So downloaded from snort-inline site and configured with
--enable-nfnetlink. My build won't run though,
with the below error:
NFNETLINK answers: Invalid argument
 error during nfq_unbind_pf()
This I think came up in kernel version 2.6.23 and then stayed (my
kernel is 2.6.24-19-server)??
Turning off error check with that function will not exit snort, but it
still won't work.
Why was the support for libnetfilter_queue in snort-inline not merged
And is snort_inline developed separately still? I see commits to
snort-inline at sourceforge.
Does snort have an svn repo like snort-inline at sourceforge?
What relation do the two efforts (snort.org and
snort-inline.sourceforge.net) share at present?
> On Mon, Aug 10, 2009 at 4:23 AM, justin joseph <justinjoseph007 at ...3054....>
>> Snort inline support is using libnet0 and libipq in snort-2.8.4. Why
>> is it not using
>> libnet1 (for injecting) and libnetfilter_queue (for queuing related
>> functions)?
>> On Ubuntu Hardy with 2.8.4 in inline mode I get "snort uses obsolete
>> in syslog, it's working though.
>> For Linux kernel the files that use libnet are (grep-ed for libnet.h
>> Apart from the WIN32 files.
>> On snort mailing-list (URL:
>> http://marc.info/?l=snort-users&m=114436610629372&w=2 )
>> It mentions libnet1 for instructions for building Snort 2.6-beta or
>> 2.4.4. Is that a mistake
>> or did snort migrate to libnet1 for sometime?
>> Is there any particular reason for not migrating to libnet1?
>> Also am getting too many "nf_conntrack: table full, dropping packet." in
>> Does this mean the kernel is dropping packets when snort is run in in-line
>> Could this be because of using deprecated library?
>> IMHO this issue is probably the reason why in Debian and Ubuntu snort
>> mode is not supported.
>> Are these right questions or am I just confused?
>> Would it be nice (better performance??) if someone migrated libipq and
>> to libnetfilter_queue and libnet1? Or hasn't this migrated because of
>> some issues
>> I don't know yet?
>> Thank you