[Snort-users] Snort 2.9, RHEL 5 and afpacket DAQ [~Solved?]

Michael Altizer xiche at ...3147...
Fri Oct 22 11:09:34 EDT 2010


  On 10/21/2010 03:52 PM, Rich Graves wrote:
> On Wed, Oct 20, 2010 at 5:06 PM, Michael Altizer <maltizer at ...1935...> wrote:
>
>
>     I've attached an updated version of my previous patch which
>     incorporates item 1.
>
>
> On my box, this fixes snort -c. Thanks.
>
> However, snort -Tc still fails if (snort -c + snort -Tc) buffers are > 49MB.
>
> Using snort --daq pcap -Tc to test config/rule changes is an 
> acceptable workaround for me, and probably better in most cases 
> (unless you specifically want to test buffer memory allocation). But 
> it either needs to be fixed or release-noted.
>
> # snort -T -c /etc/snort/snort.conf
> ...
> afpacket DAQ configured to passive.
> Floating point exception
> # echo $?
> 136
>
>
Thanks.  This is in part due to the AFPacket DAQ module not being 
defensive enough, but the real root cause is Snort passing it an empty 
interface string in test mode when no interface is specified on the 
command line (this differs from normal mode where it uses pcap to find a 
default device).  You can work around this by specifying an interface 
(-i) when running in test mode.  There should be no difference between 
49mb and > 49mb now.

snort --daq-dir /usr/local/lib64/daq --daq afpacket -T -c /root/snort.conf -i eth0

^ works fine on my CentOS 5.5 system.

-Michael