[Snort-devel] [PATCHES] Fixes for daq_nfq

Russ Combs rcombs at ...402...
Tue Nov 2 16:08:36 EDT 2010


On Mon, Oct 25, 2010 at 5:52 PM, Russ Combs <rcombs at ...402...> wrote:

> Thanks for chipping in.  We've already got some changes queued up.  I'll
> take a look at your patch and get back to you.
>
> Russ
>
> On Mon, Oct 25, 2010 at 5:18 PM, Kelvie Wong <kwong at ...3121...> wrote:
>
>> Attached is a patch that fixes a couple of issues (I think they are issues,
>> anyways...) we have found in the NFQ DAQ module in Snort 2.9.0.
>>
>> nfq_get_timestamp (for us) often returns -1, trying to tell us that it does
>> not have a timestamp for this packet, and the first part of this patch just
>> uses the current time when writing the packet header.  Many parts of snort
>> seem to depend on having a valid timestamp in the packet header, so this would
>> definitely break it.
>>
>
Too bad NFQ is so buggy.  Any idea when this fails and when not?  Is it
certain traffic?

If this happens always or never, for a given run of Snort, the patch is
reasonable.  If it is every other packet, we may be better off just adding
the smallest delta possible to the timestamp to keep them sequenced.


>> The second part of the patch removes the return statement from the packet
>> handling loop inside the NFQ DAQ -- under certain conditions,
>> nfq_handle_packet will break and return early (before calling the callback);
>> this causes snort to either freeze or exit, both undesirable outcomes,
>> especially when Snort is being used in inline mode.
>>
>
The freeze scenario should be eliminated with daq 0.3.  Can you verify that?

The early exit is a little different.  Does this indicate a permanent
error?  Can you elaborate on the conditions?

The errors were presumed permanent and Snort exits to avoid consuming
excessive resources.

>
>> If any of these changes are terribly shortsighted or just plain wrong, please
>> let me know.  I haven't delved that deep into the Snort code yet.
>>
>> --
>> Kelvie Wong
>> Software Developer
>>
>> Wurldtech Security Technologies Inc.
>
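
An added example, not part of this thread and not Snort or DAQ code: one way to combine the two ideas discussed above, falling back to the current time when nfq_get_timestamp returns -1 and bumping by the smallest delta so packet header timestamps stay sequenced. The names pick_pkt_ts and tv_usec64, the 1 microsecond delta and the sample values are assumptions made for illustration.

```c
#include <stdio.h>
#include <sys/time.h>

/* Microseconds since the epoch, for comparing and printing timestamps. */
static long long tv_usec64(struct timeval tv)
{
    return (long long)tv.tv_sec * 1000000LL + tv.tv_usec;
}

/* Hypothetical helper (assumption, not the DAQ API). nfq_rc is the return
 * value of nfq_get_timestamp(): 0 on success, -1 when no timestamp exists.
 * kernel_ts is only used when nfq_rc == 0; now is the caller's clock reading
 * (gettimeofday() in a real handler). *last is the timestamp given to the
 * previous packet and is updated on return. */
static struct timeval pick_pkt_ts(int nfq_rc, struct timeval kernel_ts,
                                  struct timeval now, struct timeval *last)
{
    struct timeval ts = (nfq_rc == 0) ? kernel_ts : now;

    /* Mixing kernel and userspace clocks can repeat or go backwards, so
     * step 1 usec past the previous packet to keep headers sequenced. */
    if (tv_usec64(ts) <= tv_usec64(*last)) {
        ts = *last;
        if (++ts.tv_usec >= 1000000) {
            ts.tv_sec++;
            ts.tv_usec = 0;
        }
    }
    *last = ts;
    return ts;
}

int main(void)
{
    /* Constructed sample: {nfq_rc, kernel timestamp, userspace clock}. */
    struct { int rc; struct timeval k, now; } pkts[] = {
        {  0, {100, 500}, {100, 900} },  /* kernel timestamp present  */
        { -1, {0, 0},     {100, 950} },  /* missing: use current time */
        {  0, {100, 700}, {100, 990} },  /* kernel value behind last  */
        { -1, {0, 0},     {100, 951} },  /* clock equals last: bump   */
    };
    struct timeval last = {0, 0};

    for (size_t i = 0; i < sizeof pkts / sizeof pkts[0]; i++) {
        struct timeval ts = pick_pkt_ts(pkts[i].rc, pkts[i].k, pkts[i].now, &last);
        printf("pkt %zu: rc=%d ts=%lld\n", i, pkts[i].rc, tv_usec64(ts));
    }
    return 0;
}
```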