[Snort-users] Pfring crashes the kernel with white lists.

Peter Bates peter.bates at ...15381...
Fri Jun 22 08:41:08 EDT 2012


Hello all

On 21/06/2012 00:58, livio Ricciulli wrote:
> If you use --daq pfring with snort 2.9.2.x, it will cause pfring to
> add a monotonically increasing number of WHITE_LIST pfring filters
> in kernel memory causing memory exhaustion and eventually a crash
> after a few hours/days/months depending on your traffic rate. We
> have a pfring distribution that fixes this and other problems (like
> supporting bpf filtering) at
> http://www.metaflows.com/pfring/PF_RING.tgz

I'm running this combination and am keen to avoid this bug so will
take a look.

Can you explain 'supporting bpf filtering' a bit more?

I have

config bpf_file: /etc/snort/bpf

(equivalent to -F)

and according to PF_RING the BPF is being applied:

BPF Filtering      : Enabled

Or is the difference in Snort applying the BPF filter after PF_RING
and not before?

-- 
Peter Bates
Senior Computer Security Officer    Phone: +44(0)2076792049
Information Services Division	    Internal Ext: 32049
University College London
London WC1E 6BT

