[Snort-users] Why does snort on Linux report this?

Dragos Ruiu dr at ...381...
Sun Nov 12 18:55:57 EST 2000


On Sun, 12 Nov 2000, Jason Haar wrote:
> When I run snort in non-daemon mode and shut it down with Ctrl-C, it reports 
> 
> 
> Snort received 43 packets.
> Packet loss statistics are unavailable under Linux.  Sorry!
> 
> 
> What's missing in Linux that stops that working? Sounds to me like a bit of
> a hole. I mean, doesn't that mean that anyone using snort under Linux won't
> ever know if their system is dropping packets and therefore potentially
> missing attacks/etc?
> 

Uhm... yep. Libpcap always has been the lamest piece of this whole equation,
imho...

Someone who is using snort/linux ought to really dev a patch to get snort
working with the turbo-packet capture kernel patch under linux imho...

Sorry I don't have the bandwidth to currently tackle this, but if you want
to try your hand at this and want the patch contact me. Or does someone
have a handy URL off the top of their head? I just have it in an e-mail
message.

There are also some other packet capture systems being toyed with in the 
newer linux kernels as I recall but I haven't looked closely in a while after
I started running my IDSes on OpenBSD and FreeBSD that do not suffer 
from this.

cheers,
--dr

-- 
Dragos Ruiu <dr at ...50...>   dursec.com ltd. / kyx.net - we're from the future 
gpg/pgp key on file at wwwkeys.pgp.net
