[Snort-devel] why libnet0 and libipq ?

justin joseph justinjoseph007 at ...2499...
Thu Aug 13 09:50:53 EDT 2009


On Wed, Aug 12, 2009 at 6:44 PM, Will Metcalf<william.metcalf at ...2499...> wrote:
>> Why was all this working code taken out and is not there in
>> snort-2.8.4 (or other Snort releases after merging)?
>> This is preventing distros from including the inline feature (as mentioned
>> before).  Doesn't make sense to me :-(
>
> We have support for 2.8.4.1 in snort-inline testing if you want/need
> it. Dave Ramien from Nitro Security was kind enough to perform the
> update. With that said, we kept snort-inline going after the merge to
> allow us to sort of do our own thing.
>
> svn co https://snort-inline.svn.sourceforge.net/svnroot/snort-inline/testing

Thank you for explaining.  Also I read the below yesterday:

http://www.inliniac.net/blog/2007/01/17/setting-up-subversion-for-snort_inline.html

Were thinking that snort.org is upstream for snort-inline after the merge.

>
>> Note:  ipq and 2.8.4 drops packets for me, but snort_inline-2.6.1.5
>> works fine (both ipq and nfnetlink)
>
> Just out of curiosity did you set ip_queue_maxlen when using ip_queue?
>
> echo 65535 > /proc/sys/net/ipv4/ip_queue_maxlen

No, it was 1024, the default.  For whatever reason, I no longer get syslog
messages about
packet drops or obsolete messages.  I think it is always better to use
the max queue length.
But right now, even with 1024 as the queue length, I don't see any drops
when flood pinging.

Thank you
Justin


>
> Regards,
>
> Will
>



