[Snort-devel] why libnet0 and libipq ?

justin joseph justinjoseph007 at ...2499...
Thu Aug 13 09:50:53 EDT 2009

On Wed, Aug 12, 2009 at 6:44 PM, Will Metcalf<william.metcalf at ...2499...> wrote:
>> Why was all this working code taken out and is not there in
>> snort-2.8.4 (or other snort releases after merging)?
>> This is preventing distros from including the inline feature (as mentioned
>> before).  Doesn't make sense to me :-(
> We have support for in snort-inline testing if you want/need
> it. Dave Ramien from Nitro Security was kind enough to perform the
> update. With that said, we kept snort-inline going after the merge to
> allow us to sort of do our own thing.
> svn co https://snort-inline.svn.sourceforge.net/svnroot/snort-inline/testing

Thank you for explaining.  Also I read the below yesterday:


Were thinking that snort.org is upstream for snort-inline after the merge.

>> Note:  ipq and 2.8.4 drops packets for me, but snort_inline-
>> works fine(both ipq and nfnetlink)
> Just out of curiosity did you set ip_queue_maxlen when using ip_queue?
> echo 65535 > /proc/sys/net/ipv4/ip_queue_maxlen

No, it was 1024, the default.  For whatever reason, I no longer get syslog
messages about packet drops or obsolete messages.  I think it is always
better to use the max queue length.
But right now, even with 1024 as the queue length, I don't see any drops
when flood pinging.

Thank you

> Regards,
> Will
