[Snort-devel] Pfring crashes the kernel with white lists.

livio Ricciulli livio at ...3255...
Wed Jun 20 19:58:12 EDT 2012


It looks like the SSL dynamic preprocessor of the latest Snort 
distributions causes the DAQ verdict to be WHITE_LIST for certain SSL 
connections.
This is perfectly OK if you are NOT using --daq pfring.
If you use --daq pfring with Snort 2.9.2.x, it will cause pfring to add 
a monotonically increasing number of WHITE_LIST pfring filters in
kernel memory, causing memory exhaustion and eventually a crash after a 
few hours/days/months depending on your traffic rate. We have
a pfring distribution that fixes this and other problems (like 
supporting BPF filtering) at http://www.metaflows.com/pfring/PF_RING.tgz

The WHITE_LIST fix is very simple; basically, if the verdict from the 
Snort processing is WHITE_LIST, you set it to PASS instead in daq_pfring.c.

We will send these fixes to the Ntop folks as well.

Livio.


On 06/20/2012 10:12 AM, Tran M. Thang wrote:
> Hi,
>
> Can anyone help me write Snort rules for detecting "TCP Portscan and PortSweep" scans? I know that Snort has modules to detect these types of scan. But I want to have custom rules that can use the SnortSam plugin to block these types of scan.
>
> Thanks
>
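The WHITE_LIST-to-PASS remapping described in the reply above, and the unbounded filter-table growth it prevents, as an added C example that is not part of the original message and not the project's own daq_pfring.c or daq_api.h. The DAQ_Verdict enum, the kernel_filter_table model and the simulate_ssl_flows helper are constructed stand-ins (assumptions) that mimic the behaviour the message describes: each WHITE_LIST verdict installs one kernel filter that is never reclaimed, so a steady stream of SSL flows exhausts the simulated memory budget unless the verdict is remapped before it reaches pfring.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-in for the DAQ verdict enum. Modelled on the DAQ API's verdict
 * names, but defined locally so the example compiles without daq_api.h
 * (assumption: the real header is not available here). */
typedef enum {
    DAQ_VERDICT_PASS,
    DAQ_VERDICT_BLOCK,
    DAQ_VERDICT_REPLACE,
    DAQ_VERDICT_WHITELIST,
    DAQ_VERDICT_BLACKLIST,
    DAQ_VERDICT_IGNORE
} DAQ_Verdict;

/* Toy model of the kernel-side filter table pfring maintains. The
 * filter_limit stands in for the kernel memory budget; once it is hit the
 * table reports exhaustion instead of crashing. */
typedef struct {
    size_t filters_installed;
    size_t filter_limit;
    int exhausted;
} kernel_filter_table;

static void kt_init(kernel_filter_table *t, size_t limit)
{
    t->filters_installed = 0;
    t->filter_limit = limit;
    t->exhausted = 0;
}

/* Unfixed behaviour: a WHITELIST verdict installs one kernel filter that is
 * never removed, so the count only ever grows. Returns -1 on exhaustion. */
static int pfring_apply_verdict_unfixed(kernel_filter_table *t, DAQ_Verdict v)
{
    if (v == DAQ_VERDICT_WHITELIST) {
        if (t->filters_installed >= t->filter_limit) {
            t->exhausted = 1;
            return -1;
        }
        t->filters_installed++;
    }
    return 0;
}

/* The fix the message describes: treat WHITELIST as PASS before the verdict
 * reaches the pfring-specific code. Every other verdict is unchanged. */
static DAQ_Verdict remap_whitelist_to_pass(DAQ_Verdict v)
{
    return (v == DAQ_VERDICT_WHITELIST) ? DAQ_VERDICT_PASS : v;
}

static int pfring_apply_verdict_fixed(kernel_filter_table *t, DAQ_Verdict v)
{
    return pfring_apply_verdict_unfixed(t, remap_whitelist_to_pass(v));
}

/* Simulate n SSL flows that each receive a WHITELIST verdict from the SSL
 * preprocessor. Returns the number of kernel filters left installed, or -1
 * if the simulated memory budget was exhausted first. */
static long simulate_ssl_flows(size_t n, size_t limit, int use_fix)
{
    kernel_filter_table t;
    kt_init(&t, limit);
    for (size_t i = 0; i < n; i++) {
        DAQ_Verdict v = DAQ_VERDICT_WHITELIST;
        int rc = use_fix ? pfring_apply_verdict_fixed(&t, v)
                         : pfring_apply_verdict_unfixed(&t, v);
        if (rc != 0)
            return -1;
    }
    return (long)t.filters_installed;
}

int main(void)
{
    /* Constructed scenario: 5000 SSL flows against a budget of 1000 filters. */
    printf("unfixed: %ld filters (-1 = exhausted)\n", simulate_ssl_flows(5000, 1000, 0));
    printf("fixed:   %ld filters\n", simulate_ssl_flows(5000, 1000, 1));
    return 0;
}
```

The observable symptom on a real sensor is the same as in the model: kernel memory consumed by pfring filters climbs with the number of SSL flows seen and never comes back down, so a slowly rising kernel memory curve on a pfring sensor running this Snort version is the signal to look for before the crash.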
