[Snort-users] Snort 2.9.0.3 & Phil Wood's modified libpcap

Jason Wallace jason.r.wallace at ...11827...
Tue Feb 8 12:52:44 EST 2011


What options in the kernel would you be referring to?

On Tue, Feb 8, 2011 at 12:03 PM, Michael Scheidell
<michael.scheidell at ...8144...> wrote:
> minor fix.. just grep for it and patch it yourself.
>
> bet the patch fails due to spaces vs. tabs
>
> only critical line is this one: (note, yep, you want the VALUE, not the key
> :-)
> and make sure that any kernel conf stuff allows you to pull a bpf buffer
> that big.
> 10mb seems to do a great job.
>
>        context->buffer_size = strtol(entry->key, NULL, 10);
>
> change to:
>        context->buffer_size = strtol(entry->value, NULL, 10);
>
>
> On 2/8/11 12:00 PM, Weir, Jason wrote:
>
> hmm, my patching foo needs work, any ideas?
>
> /usr/src/daq-0.5/os-daq-modules# patch -p1 <patch.daq_pcap.c
> patching file daq_pcap.c2011-02-01
> Hunk #1 FAILED at 39.
> Hunk #2 FAILED at 216.
> 2 out of 2 hunks FAILED -- saving rejects to file daq_pcap.c2011-02-01.rej
>
> -J
>
> -----Original Message-----
> From: Michael Scheidell [mailto:michael.scheidell at ...8144...]
> Sent: Tuesday, February 08, 2011 10:59 AM
> To: Weir, Jason
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Snort 2.9.0.3 & Phil Wood's modified libpcap
>
> On 2/8/11 10:54 AM, Weir, Jason wrote:
>
> Ok - I'll bite, where do I get the latest daq version, looks like snort.org
> only has 0.5...
>
> -J
>
> small patch, published on this list: 2/1/11, 2:06 ET, subject 'freebsd/snort
> 2.9.0.3 daq: how do I verity if is using ram.
>
> author xiche at ...3147...:
>
> --- os-daq-modules/daq_pcap.c.orig	2011-01-30 15:28:19.000000000 -0500
> +++ os-daq-modules/daq_pcap.c	2011-02-01 14:03:08.000000000 -0500
> @@ -39,7 +39,7 @@
>
>  #include "daq_api.h"
>
> -#define DAQ_PCAP_VERSION 3
> +#define DAQ_PCAP_VERSION 4
>
>  typedef struct _pcap_context
>  {
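
Review bot: the DAQ_PCAP_VERSION bump from 3 to 4 carries no comment or changelog line saying what changed; add a one-line note that version 4 is the build with the buffer_size value fix from the next hunk, so an operator can tell a patched module from an unpatched one by its version number.
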
> @@ -216,7 +216,7 @@ static int pcap_daq_initialize(const DAQ
>      for (entry = config->values; entry; entry = entry->next)
>      {
>          if (!strcmp(entry->key, "buffer_size"))
> -            context->buffer_size = strtol(entry->key, NULL, 10);
> +            context->buffer_size = strtol(entry->value, NULL, 10);
>      }
>      /* Try to account for legacy PCAP_FRAMES environment variable if we
> weren't passed a buffer size. */
>      if (context->buffer_size == 0)
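
Review bot: the corrected strtol(entry->value, NULL, 10) line still accepts anything: with a NULL endptr, an empty or non-numeric value yields 0 and silently drops into the legacy PCAP_FRAMES branch below, a value with trailing text such as a unit suffix is truncated to its leading digits, and a negative or out-of-range result is stored as-is. Suggest checking entry->value for NULL before the call, passing an endptr, and rejecting the setting with an error when *end != '\0', errno == ERANGE, or the result is not positive.
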
>
> --
> Michael Scheidell, CTO
>
>
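
The bug fixed by the quoted patch, as an added example that is not part of the thread or of the DAQ source: a stand-alone C program showing why the pre-patch line silently produced a buffer size of 0, next to a lookup that reads the value and validates it. The `kv_t` list, both function names, the `INT_MAX` ceiling and the sample values are assumptions made for illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the module's key/value config list (not the daq_api.h type). */
typedef struct kv { const char *key; const char *value; struct kv *next; } kv_t;

/* Pre-patch behaviour from the thread: strtol() is handed the key string. */
static long buffer_size_before(const kv_t *e)
{
    long size = 0;
    for (; e; e = e->next)
        if (!strcmp(e->key, "buffer_size"))
            size = strtol(e->key, NULL, 10);    /* "buffer_size" has no digits -> 0 */
    return size;
}

/* Patched lookup plus validation: returns 0 and sets *out, or -1 on a bad value. */
static int buffer_size_checked(const kv_t *e, long *out)
{
    *out = 0;                                    /* 0 means the option was not supplied */
    for (; e; e = e->next) {
        char *end;
        long v;
        if (strcmp(e->key, "buffer_size"))
            continue;
        if (!e->value || !*e->value)
            return -1;                           /* key given without a value */
        errno = 0;
        v = strtol(e->value, &end, 10);
        /* Reject overflow, trailing text and non-positive sizes; INT_MAX cap is assumed. */
        if (errno == ERANGE || *end != '\0' || v <= 0 || v > INT_MAX)
            return -1;
        *out = v;
    }
    return 0;
}

int main(void)
{
    kv_t good = { "buffer_size", "10485760", NULL };    /* constructed sample: 10 MB */
    long v;
    printf("before: %ld\n", buffer_size_before(&good));
    printf("after:  rc=%d size=%ld\n", buffer_size_checked(&good, &v), v);
    return 0;
}
```

Because the pre-patch result is 0, the module behaves as if no buffer size had been passed at all, which is why the misconfiguration produced no error.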



