[Snort-devel] why libnet0 and libipq ?

Will Metcalf william.metcalf at ...2499...
Tue Aug 11 14:35:05 EDT 2009


Can you show me what modifications you made to the code?  Also the
output from lsmod..

Regards,

Will

On Tue, Aug 11, 2009 at 8:06 AM, justin joseph<justinjoseph007 at ...2499...> wrote:
> Hello Russ
>
> On Mon, Aug 10, 2009 at 11:18 PM, Russ Combs<rcombs at ...402...> wrote:
>> Don't know why you are dropping but it probably isn't specifically due to
>> libnet0.  libnetfilter_queue sounds like something worth trying if you have
>> the time.  ;)
>
> We're trying to migrate to nfilter_queue and in the process figured out
> that the last stable release
> of snort-inline ( http://snort-inline.sourceforge.net/download.html )
> had support for libnetfilter_queue (also dnet).
> So downloaded from snort-inline site and configured with
> --enable-nfnetlink.  My build won't run though,
> with the below error:
>
> NFNETLINK answers: Invalid argument
> [26348] error during nfq_unbind_pf()
>
> This I think came up in kernel version 2.6.23 and then stayed (my
> kernel is 2.6.24-19-server)??
> Turning off error check with that function will not exit snort, but it
> still won't work.
>
> Why was the support for libnetfilter_queue in snort-inline not merged
> with snort?
>
> And is snort_inline developed separately still?  I see commits to
> snort-inline at sourceforge.
>
> Does snort have an svn repo like snort-inline at SourceForge?
>
> What relation do the two efforts (snort.org and
> snort-inline.sourceforge.net) share at present?
>
> thank you
> Justin
>
>>
>> Russ
>>
>> On Mon, Aug 10, 2009 at 4:23 AM, justin joseph <justinjoseph007 at ...3035.....>
>> wrote:
>>>
>>> Hi
>>>
>>> Snort inline support is using libnet0 and libipq in snort-2.8.4.  Why
>>> is it not using
>>> libnet1(for injecting) and libnetfilter_queue( for queuing related
>>> functions ).
>>> On Ubuntu Hardy with 2.8.4 in inline mode I get "snort uses obsolete
>>> (PF_INET,SOCK_PACKET)"
>>> in syslog, it's working though.
>>>
>>> For Linux kernel the files that use libnet are (grep-ed for libnet.h
>>> inclusion):
>>>
>>> ./detection-plugins/sp_react.c
>>> ./detection-plugins/sp_respond.c
>>> ./inline.c
>>>
>>> Apart from the WIN32 files.
>>>
>>> On snort mailing-list (URL:
>>> http://marc.info/?l=snort-users&m=114436610629372&w=2 )
>>> It mentions libnet1 for instructions for building Snort 2.6-beta or
>>> 2.4.4.  Is that a mistake
>>> or did snort migrate to libnet1 for some time?
>>>
>>> Is there any particular reason for not migrating to libnet1?
>>>
>>> Also am getting too many "nf_conntrack: table full, dropping packet." in
>>> syslog.
>>> Does this mean the kernel is dropping packets when snort is run in in-line
>>> mode?
>>> Could this be because of using a deprecated library?
>>>
>>> IMHO this issue is probably the reason why in Debian and Ubuntu snort
>>> in-line
>>> mode is not supported.
>>>
>>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=433775
>>> https://bugs.launchpad.net/ubuntu/+source/snort/+bug/466
>>>
>>> Are these the right questions or am I just confused?
>>>
>>> Would it be nice (better performance??) if someone migrated libipq and
>>> libnet0
>>> to libnetfilter_queue and libnet1?  Or hasn't this migrated because of
>>> some issues
>>> I don't know yet?
>>>
>>> Thank you
>>> Justin
>>>
>>>
>>> _______________________________________________
>>> Snort-devel mailing list
>>> Snort-devel at lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>
>>
>
>



