[Snort-devel] why libnet0 and libipq ?
justinjoseph007 at ...2499...
Thu Aug 13 09:50:53 EDT 2009
On Wed, Aug 12, 2009 at 6:44 PM, Will Metcalf <william.metcalf at ...2499...> wrote:
>> Why was all this working code taken out and is not there in
>> snort-2.8.4 (or other snort releases after merging)?
>> This is preventing distros from including the inline feature (as mentioned
>> before). Doesn't make sense to me :-(
> We have support for 184.108.40.206 in snort-inline testing if you want/need
> it. Dave Ramien from Nitro Security was kind enough to perform the
> update. With that said, we kept snort-inline going after the merge to
> allow us to sort of do our own thing.
> svn co https://snort-inline.svn.sourceforge.net/svnroot/snort-inline/testing
Thank you for explaining. Also I read the below yesterday:
We were thinking that snort.org is upstream for snort-inline after the merge.
>> Note: ipq and 2.8.4 drops packets for me, but snort_inline-220.127.116.11
>> works fine (both ipq and nfnetlink)
> Just out of curiosity did you set ip_queue_maxlen when using ip_queue?
> echo 65535 > /proc/sys/net/ipv4/ip_queue_maxlen
No, it was 1024, the default. For whatever reason, I no longer get syslog
packet drops or obsolete messages. I think it is always better to use
the max queue length.
But right now, even with 1024 as queue length I don't see any drops
when flood pinging.