[Snort-users] Snort 184.108.40.206 exits on file upload
sudarshan.t.raghavan at ...11827...
Thu Feb 2 11:38:55 EST 2012
My answers are inline. Thanks for the help.
On Thu, Feb 2, 2012 at 9:00 PM, Russ Combs <rcombs at ...1935...> wrote:
> On Thu, Feb 2, 2012 at 9:09 AM, Sudarshan Raghavan
> <sudarshan.t.raghavan at ...11827...> wrote:
>> I can see in the 2.8.5 sources that ipq_read error does not result in
>> snort exiting. It calls ipq_perror and continues to read. Is this an
>> ok behaviour to go back to. It is not ideal but having snort die is
>> not the best solution either. Can I get rid of the break in
> What version of the DAQ tarball and IPQ DAQ (./snort --daq-list) are you
> using? That should have been fixed a while back.
I am using ipq and nfq
Available DAQ modules:
nfq(v6): live inline multi
ipq(v5): live inline multi
> Assuming you have the latest, if you are only running IPQ updating snort.c
> is an option. If you might run other DAQs, including pcap, suggest making
> the change in the IPQ DAQ module itself (daq_ipq.c).
I am not using pcap. I am using snort 220.127.116.11. Can I copy snort.c from
2.9.2 sources? Unfortunately I cannot move to 2.9.2 at this point in
> Also, it would be helpful if you could send the specific error so that can
> be ignored.
The error that I am seeing is ""Can't acquire (-1) - ipq_daq_acquire:
ipq_read=-1 error Failed to receive netlink message". On another
system that has more memory and a higher rmem and wmem, the same test
works just fine. I am not sure if these two config settings make any
>> On Thu, Feb 2, 2012 at 7:18 PM, Sudarshan Raghavan
>> <sudarshan.t.raghavan at ...11827...> wrote:
>> > Do I have to increase some buffer size? Can the -1 error from ipq_read
>> > be ignored? I am seeing this error every time I try to upload a 60MB
>> > file over HTTP.
>> > Regards,
>> > Sudarshan
>> > On Thu, Feb 2, 2012 at 7:05 PM, Sudarshan Raghavan
>> > <sudarshan.t.raghavan at ...11827...> wrote:
>> >> Snort Version: 18.104.22.168 IPv6 GRE
>> >> libpcap: 0.8.3
>> >> pcre: 7.0 18-Dec-2006
>> >> zlib: 1.2.3
>> >> Linux Kernel: 22.214.171.124 (32 bit)
>> >> We are snort exit when trying a http file upload with this error
>> >> "Can't acquire (-1) - ipq_daq_acquire: ipq_read=-1 error Failed to
>> >> receive netlink message". Has anyone seen this error message before?
>> >> Regards,
>> >> Sudarshan
>> Keep Your Developer Skills Current with LearnDevNow!
>> The most comprehensive online learning library for Microsoft developers
>> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
>> Metro Style Apps, more. Free future releases when you subscribe now!
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> Snort-users list archive:
>> Please visit http://blog.snort.org to stay current on all the latest Snort
More information about the Snort-users