[Snort-users] Snort 220.127.116.11 exits on file upload
sudarshan.t.raghavan at ...11827...
Thu Feb 2 12:13:04 EST 2012
I made the change to snort.c and it seems to be working ok.
--- snort.c (revision 148039)
+++ snort.c (working copy)
@@ -2820,7 +2820,8 @@
if ( !ScReadMode() || !PQ_Next() )
/* If not read-mode or no next pcap, we're done */
/* Check for any pending signals when no packets are read*/
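Review bot: the hunk under `@@ -2820,7 +2820,8 @@` has lost its `+`/`-` markers and most of its lines in this posting, so the net one-line addition around `if ( !ScReadMode() || !PQ_Next() )` cannot be identified; please resend the diff as an attachment. If the added line keeps the loop running after a failed acquire, limit it to the ipq_read error quoted in this thread and keep an exit path for repeated failures, since per the existing comment ("If not read-mode or no next pcap, we're done") this test is where a live IPQ run ends. The comment "Check for any pending signals when no packets are read" also needs a space before its closing `*/`.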
Is this likely to affect nfq? I also checked the 2.9.2 source tree and
I don't see PacketLoop continuing if DAQ_Acquire fails with an error. I
assume it must have been fixed in a different way.
On Thu, Feb 2, 2012 at 10:08 PM, Sudarshan Raghavan
<sudarshan.t.raghavan at ...11827...> wrote:
> Hi Russ,
> My answers are inline. Thanks for the help.
> On Thu, Feb 2, 2012 at 9:00 PM, Russ Combs <rcombs at ...1935...> wrote:
>> On Thu, Feb 2, 2012 at 9:09 AM, Sudarshan Raghavan
>> <sudarshan.t.raghavan at ...11827...> wrote:
>>> I can see in the 2.8.5 sources that ipq_read error does not result in
>>> snort exiting. It calls ipq_perror and continues to read. Is this an
>>> ok behaviour to go back to? It is not ideal but having snort die is
>>> not the best solution either. Can I get rid of the break in
>> What version of the DAQ tarball and IPQ DAQ (./snort --daq-list) are you
>> using? That should have been fixed a while back.
> I am using ipq and nfq
> Available DAQ modules:
> nfq(v6): live inline multi
> ipq(v5): live inline multi
>> Assuming you have the latest, if you are only running IPQ updating snort.c
>> is an option. If you might run other DAQs, including pcap, suggest making
>> the change in the IPQ DAQ module itself (daq_ipq.c).
> I am not using pcap. I am using snort 18.104.22.168. Can I copy snort.c from
> 2.9.2 sources? Unfortunately I cannot move to 2.9.2 at this point in
>> Also, it would be helpful if you could send the specific error so that can
>> be ignored.
> The error that I am seeing is "Can't acquire (-1) - ipq_daq_acquire:
> ipq_read=-1 error Failed to receive netlink message". On another
> system that has more memory and a higher rmem and wmem, the same test
> works just fine. I am not sure if these two config settings make any
>>> On Thu, Feb 2, 2012 at 7:18 PM, Sudarshan Raghavan
>>> <sudarshan.t.raghavan at ...11827...> wrote:
>>> > Do I have to increase some buffer size? Can the -1 error from ipq_read
>>> > be ignored? I am seeing this error every time I try to upload a 60MB
>>> > file over HTTP.
>>> > Regards,
>>> > Sudarshan
>>> > On Thu, Feb 2, 2012 at 7:05 PM, Sudarshan Raghavan
>>> > <sudarshan.t.raghavan at ...11827...> wrote:
>>> >> Snort Version: 22.214.171.124 IPv6 GRE
>>> >> libpcap: 0.8.3
>>> >> pcre: 7.0 18-Dec-2006
>>> >> zlib: 1.2.3
>>> >> Linux Kernel: 126.96.36.199 (32 bit)
>>> >> We are seeing snort exit when trying an HTTP file upload with this error
>>> >> "Can't acquire (-1) - ipq_daq_acquire: ipq_read=-1 error Failed to
>>> >> receive netlink message". Has anyone seen this error message before?
>>> >> Regards,
>>> >> Sudarshan
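The trade-off discussed in this thread (exit on the first read error versus report it and keep reading, as 2.8.5 did), as an added C sketch that is not Snort or DAQ code: the loop tolerates isolated acquire errors but stops after a run of consecutive failures. `packet_loop`, `acquire_fn`, `max_consecutive` and the scripted return values are hypothetical names and constructed input.

```c
#include <stddef.h>

/* Hypothetical names for this sketch; none of this is Snort/DAQ API. */
enum loop_result { LOOP_DONE = 0, LOOP_FATAL = -1 };

/* Acquire callback: >0 = packets handled, 0 = source finished,
 * <0 = read error (the thread's case is ipq_read returning -1). */
typedef int (*acquire_fn)(void *ctx);

struct loop_stats { unsigned packets; unsigned errors_tolerated; };

/* Keep reading across isolated errors, but give up once more than
 * max_consecutive failures occur in a row, so a dead source cannot
 * spin the loop forever while traffic goes uninspected. */
enum loop_result packet_loop(acquire_fn acquire, void *ctx,
                             unsigned max_consecutive, struct loop_stats *st)
{
    unsigned streak = 0;
    for (;;) {
        int rc = acquire(ctx);
        if (rc == 0)
            return LOOP_DONE;
        if (rc < 0) {
            if (++streak > max_consecutive)
                return LOOP_FATAL;      /* persistent failure: stop */
            st->errors_tolerated++;     /* transient: count and retry */
            continue;
        }
        streak = 0;                     /* any success resets the run */
        st->packets += (unsigned)rc;
    }
}

/* Constructed input: a scripted sequence of acquire results. */
struct script { const int *rc; size_t len, pos; };

int scripted_acquire(void *ctx)
{
    struct script *s = ctx;
    return s->pos < s->len ? s->rc[s->pos++] : 0;
}

/* Feed a script through the loop and return the loop's verdict. */
enum loop_result run_script(const int *rc, size_t len,
                            unsigned max_consecutive, struct loop_stats *st)
{
    struct script s = { rc, len, 0 };
    st->packets = 0;
    st->errors_tolerated = 0;
    return packet_loop(scripted_acquire, &s, max_consecutive, st);
}
```

Counting tolerated errors separately gives an operator a number to alert on before the loop reaches the fatal threshold.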