[Snort-users] Snort 2.9.1.2 exits on file upload

Russ Combs rcombs at ...1935...
Thu Feb 2 10:30:48 EST 2012


On Thu, Feb 2, 2012 at 9:09 AM, Sudarshan Raghavan <
sudarshan.t.raghavan at ...11827...> wrote:

> I can see in the 2.8.5 sources that ipq_read error does not result in
> snort exiting. It calls ipq_perror and continues to read. Is this an
> ok behaviour to go back to. It is not ideal but having snort die is
> not the best solution either. Can I get rid of the break in
> PacketLoop?
>

What version of the DAQ tarball and IPQ DAQ (./snort --daq-list) are you
using?  That should have been fixed a while back.

Assuming you have the latest, if you are only running IPQ updating snort.c
is an option.  If you might run other DAQs, including pcap, suggest making
the change in the IPQ DAQ module itself (daq_ipq.c).

Also, it would be helpful if you could send the specific error so that can
be ignored.


> On Thu, Feb 2, 2012 at 7:18 PM, Sudarshan Raghavan
> <sudarshan.t.raghavan at ...11827...> wrote:
> > Do I have to increase some buffer size? Can the -1 error from ipq_read
> > be ignored? I am seeing this error every time I try to upload a 60MB
> > file over HTTP.
> >
> > Regards,
> > Sudarshan
> >
> > On Thu, Feb 2, 2012 at 7:05 PM, Sudarshan Raghavan
> > <sudarshan.t.raghavan at ...11827...> wrote:
> >> Snort Version: 2.9.1.2 IPv6 GRE
> >> libpcap: 0.8.3
> >> pcre: 7.0 18-Dec-2006
> >> zlib: 1.2.3
> >> Linux Kernel: 2.6.37.3 (32 bit)
> >>
> >> We are snort exit when trying a http file upload with this error
> >> "Can't acquire (-1) - ipq_daq_acquire: ipq_read=-1 error Failed to
> >> receive netlink message". Has anyone seen this error message before?
> >>
> >> Regards,
> >> Sudarshan
>
>
> ------------------------------------------------------------------------------
> Keep Your Developer Skills Current with LearnDevNow!
> The most comprehensive online learning library for Microsoft developers
> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
> Metro Style Apps, more. Free future releases when you subscribe now!
> http://p.sf.net/sfu/learndevnow-d2d
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20120202/6add7603/attachment.html>


More information about the Snort-users mailing list