[Snort-users] Pfring crashes the kernel with white lists.
livio at ...15149...
Fri Jun 22 13:20:08 EDT 2012
With pfring 5.1, if you specified a bpf filter and -daq -pfring, the daq
open and Snort will not even start. We recently fixed it so that it
If you have bpf already specified and it runs, I am assuming you are using a later version where they fixed the bug (although probably still vulnerable to the white listing issue below). So I think you are ok.
A more interesting thing for you (since you run 10G I think) is to run the filter in hardware rather than software. I am working on a script that translates a subset of the bpf expressions to hardware rules for the Intel 82599 Ethernet controller (supported by pfring). With the hardware rules, the filtered packets are never seen by the kernel so there is less CPU utilization and (conceivably) with the right filters, you could run up to line rate (28 Mpps full duplex).

Let me know if you are interested in beta testing the hardware filtering (if you use the 82599).
On 6/22/2012 5:41 AM, Peter Bates wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> Hello all
> On 21/06/2012 00:58, livio Ricciulli wrote:
>> If you use --daq pfring with snort 2.9.2.x, it will cause pfring to
>> add a monotonically increasing number of WHITE_LIST pfring filters
>> in kernel memory causing memory exhaustion and eventually a crash
>> after a few hours/days/months depending on your traffic rate. We
>> have a pfring distribution that fixes this and other problems (like
>> supporting bpf filtering) at
> I'm running this combination and am keen to avoid this bug so will
> take a look.
> Can you explain 'supporting bpf filtering' a bit more?
> I have
> config bpf_file: /etc/snort/bpf
> (equivalent to -F)
> and according to PF_RING the BPF is being applied:
> BPF Filtering : Enabled
> Or is the difference in Snort applying the BPF filter after PF_RING
> and not before?
> - --
> Peter Bates
> Senior Computer Security Officer Phone: +44(0)2076792049
> Information Services Division Internal Ext: 32049
> University College London
> London WC1E 6BT
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.17 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
> -----END PGP SIGNATURE-----
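The reply above describes a script that maps a subset of BPF expressions onto 82599 hardware rules. The block below is an added illustration of that idea, not the author's script and not part of PF_RING: it assumes the rules are installed as ethtool ntuple drop rules (`ethtool -N <dev> flow-type ... action -1`, after `ethtool -K <dev> ntuple on`), accepts only exclusion filters of the form `not (...)` built from `host`/`src host`/`dst host`, `port`/`src port`/`dst port`, `tcp` and `udp`, and rejects anything the hardware rule format cannot express (positive filters, `vlan`, nested `not`, nested parentheses). The interface name and all sample expressions are constructed for the example.

```python
"""Translate a small BPF subset into ethtool ntuple drop rules.

Added example (not the script from the mailing-list post). Assumed target:
Intel 82599 Flow Director driven through `ethtool -N DEV ... action -1`.
Only `not (term or term ...)` exclusion filters are accepted, because a
hardware drop rule can express "discard this flow" but not "keep only this".
"""
import ipaddress
import itertools
import re

# parentheses, dotted IPv4 (tried before plain numbers), keywords, numbers
_TOKEN = re.compile(r"\(|\)|\d+(?:\.\d+){3}|[A-Za-z]+|\d+")
# ethtool prints/accepts fields in this order; keep output deterministic
_FIELD_ORDER = ("src-ip", "dst-ip", "src-port", "dst-port")


def _tokenize(expr):
    tokens = _TOKEN.findall(expr)
    if "".join(tokens) != re.sub(r"\s+", "", expr):
        raise ValueError("unexpected characters in expression: %r" % expr)
    return tokens


def _split(tokens, keyword):
    """Split a flat token list on a keyword (no nested parentheses here)."""
    groups, current = [], []
    for tok in tokens:
        if tok == keyword:
            groups.append(current)
            current = []
        else:
            current.append(tok)
    groups.append(current)
    return groups


def _parse_term(tokens):
    """One conjunctive term -> (proto, ip alternatives, port alternatives)."""
    proto, ips, ports = None, [], []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("tcp", "udp"):
            if proto is not None and proto != tok:
                raise ValueError("conflicting protocols in one term")
            proto, i = tok, i + 1
            continue
        if tok not in ("src", "dst", "host", "port"):
            raise ValueError("unsupported BPF primitive %r" % tok)
        direction = None
        if tok in ("src", "dst"):
            direction, i = tok, i + 1
            if i >= len(tokens) or tokens[i] not in ("host", "port"):
                raise ValueError("expected host/port after %s" % direction)
            tok = tokens[i]
        if i + 1 >= len(tokens):
            raise ValueError("missing value after %s" % tok)
        value, i = tokens[i + 1], i + 2
        # plain `host`/`port` means either direction: two hardware alternatives
        sides = [direction] if direction else ["src", "dst"]
        if tok == "host":
            ipaddress.IPv4Address(value)  # AddressValueError is a ValueError
            ips.append([("%s-ip" % s, value) for s in sides])
        else:
            if not value.isdigit() or int(value) > 65535:
                raise ValueError("bad port %r" % value)
            ports.append([("%s-port" % s, value) for s in sides])
    return proto, ips, ports


def _expand(proto, ips, ports):
    """Cross-product the alternatives into concrete (flow-type, fields) rules."""
    flow_types = {"tcp": ["tcp4"], "udp": ["udp4"]}.get(proto)
    if flow_types is None:  # BPF `port` without a protocol matches tcp and udp
        flow_types = ["tcp4", "udp4"] if ports else ["ip4"]
    rules = []
    for combo in itertools.product(*(ips + ports)):
        fields = dict(combo)
        if len(fields) != len(combo):
            continue  # e.g. src-ip constrained twice: no single flow matches
        rules.extend((ft, fields) for ft in flow_types)
    return rules


def _command(iface, flow_type, fields):
    parts = ["ethtool", "-N", iface, "flow-type", flow_type]
    for name in _FIELD_ORDER:
        if name in fields:
            parts += [name, fields[name]]
    return " ".join(parts + ["action", "-1"])  # action -1 = drop in hardware


def bpf_to_ntuple(expr, iface):
    """Return the ethtool commands implementing `expr` as hardware drops."""
    tokens = _tokenize(expr)
    if not tokens or tokens[0] != "not":
        raise ValueError("only 'not ...' exclusion filters map to drop rules")
    body = tokens[1:]
    if body[:1] == ["("] and body[-1:] == [")"]:
        body = body[1:-1]
    if "(" in body or ")" in body:
        raise ValueError("only one outer pair of parentheses is supported")
    commands = []
    for term in _split(body, "or"):
        primitives = [t for t in term if t != "and"]
        if not primitives or "not" in primitives:
            raise ValueError("empty term or nested negation")
        for flow_type, fields in _expand(*_parse_term(primitives)):
            commands.append(_command(iface, flow_type, fields))
    return commands


def is_supported(expr):
    """True if the expression lies in the translatable subset."""
    try:
        bpf_to_ntuple(expr, "eth0")
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for cmd in bpf_to_ntuple("not (host 10.0.0.5 and tcp port 80)", "eth4"):
        print(cmd)
```

The point of the rejection paths is the practical caveat behind "a subset of the bpf expressions": a single BPF primitive such as `host A` or `port 80` fans out into several hardware entries (both directions, both transports), so the rule table fills faster than the filter text suggests, and anything outside the subset must stay in the software path rather than be silently approximated.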