[Snort-users] Re: Re: Re: Re: Re: snort preprocessor reputation Shared memory load entries always 0

阔野嘹歌 85358830 at ...15456...
Fri May 12 09:47:17 EDT 2017


Thanks Hui.
It outputs:


Reputation config: 
    Reputation total memory usage: 0 bytes
    Reputation total entries loaded: 0, invalid: 0, re-defined: 0
    Memcap: 500 (Default) M bytes 
    Scan local network: ENABLED
    Reputation priority:  whitelist(Default) 
    Nested IP: both  
    White action: unblack (Default) 
    Shared memory supported, Update directory: /usr/reputation/iplists
    Shared memory refresh period: 60 (Default) seconds 
    Shared memory max instances: 4


Example dynamic preprocessor configuration
    Port: 61324


+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
1 Snort rules read
    0 detection rules
    0 decoder rules
    1 preprocessor rules
1 Option Chains linked into 1 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++


+-------------------[Rule Port Counts]---------------------------------------
|             tcp     udp    icmp      ip
|     src       0       0       0       0
|     dst       0       0       0       0
|     any       1       0       0       0
|      nc       1       0       0       0
|     s+d       0       0       0       0
+----------------------------------------------------------------------------


+-----------------------[detection-filter-config]------------------------------
| memory-cap : 1048576 bytes
+-----------------------[detection-filter-rules]-------------------------------
| none
-------------------------------------------------------------------------------


+-----------------------[rate-filter-config]-----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[rate-filter-rules]------------------------------------
| none
-------------------------------------------------------------------------------


+-----------------------[event-filter-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[event-filter-global]----------------------------------
+-----------------------[event-filter-local]-----------------------------------
| none
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log
Verifying Preprocessor Configurations!


[ Port Based Pattern Matching Memory ]
[ Number of patterns truncated to 20 bytes: 0 ]
nfq DAQ configured to inline.
Reload thread starting...
Reload thread started, thread 0xa4478b40 (4770)
    Reputation Preprocessor: Size of shared memory segment SFShmemMgmt.0.0 is 224
Mapped shared management region of size 224 as a reader.
    Reputation Preprocessor: Size of shared memory segment SFIPReputation.rt.0.0.0 is 1310720



I only start those two snort instances (master and client). Sometimes the snort_control process does not quit.
The client snort instance still has no output. I tested it just now.


------------------ Original message ------------------
From: "Hui Cao (huica)";<huica at ...589...>;
Sent: Friday, May 12, 2017, 9:08 PM
To: "阔野嘹歌"<85358830 at ...15456...>; "Snort-users"<snort-users at lists.sourceforge.net>; 

Subject: Re: Re: Re: Re: [Snort-users] Re: snort preprocessor reputation Shared memory load entries always 0

Can you provide all the output when you start the reader snort? Do you have other snort processes running other than those two?

Best,

Hui.

From: 阔野嘹歌 <85358830 at ...15456...>
Date: Friday, May 12, 2017 at 2:16 AM
To: "Hui Cao (huica)" <huica at ...589...>, Snort-users <snort-users at lists.sourceforge.net>
Subject: Re: Re: Re: [Snort-users] Re: snort preprocessor reputation Shared memory load entries always 0

Thanks Hui.

When I use "snort_control" to make the snort reputation preprocessor reload the shared memory white/black list, it does not look like it works well.

I use the following line:

 ./snort_control /usr/reputation/ 1361

When there is only one snort master process (started with the command: ./snort --cs-dir /usr/reputation/ -A console -G 0 -Q --process-all-events -c ../etc/snort.conf), it looks like it works well.

When I use the following command:

 ./snort_control /usr/reputation/ 1361

I saw the snort master output:

...........
...
Commencing packet processing (pid=3344)
Decoding Raw IP4
    Reputation Preprocessor: Instance 0 switched to segment_version 1
    Reputation Preprocessor: Size of shared memory segment SFIPReputation.rt.0.0.0 is 1277952
    Processing blacklist file /usr/reputation/iplists/black_list.blf
    Reputation entries loaded: 6, invalid: 0, re-defined: 0 (from file /usr/reputation/iplists/black_list.blf)
    Processing whitelist file /usr/reputation/iplists/white_list.wlf
    Reputation entries loaded: 0, invalid: 0, re-defined: 0 (from file /usr/reputation/iplists/white_list.wlf)
Reputation Preprocessor shared memory summary:
    Reputation total memory usage: 330636 bytes
    Reputation total entries loaded: 6, invalid: 0, re-defined: 0
    Reputation Preprocessor: Received segment 0
    Reputation Preprocessor: SFIPReputation.rt.0.0.1 is freed
    Reputation Preprocessor: Instance 0 switched to segment_version 0

It worked! I'm very happy.

But when I start the snort client process (started with the command: ./snort -A console -G 1 -Q --process-all-events -c ../etc/snort.conf.smg.5.9), there's something wrong with the program.

snort_control output:

root at ...274...:~/code/snort/tools/control# ./snort_control /usr/reputation/ 1361
Response 0009 with code 0 and length 45
52 65 70 75 74 61 74 69  6F 6E 20 50 72 65 70 72   Reputati on Prepr
6F 63 65 73 73 6F 72 3A  20 4E 6F 20 73 65 67 6D   ocessor:  No segm
65 6E 74 73 20 72 65 63  65 69 76 65 64            ents rec eived
Response 0000 without data

I added the IP (1.1.18.6/32) to my blacklist file (/usr/reputation/iplists/black_list.blf), then used the following command:

root at ...274...:~/code/snort/tools/control# ./snort_control /usr/reputation/ 1361

I hoped both snorts (master and client) would load my new black list. But I saw the output below:

root at ...274...:~/code/snort/tools/control# ./snort_control /usr/reputation/ 1361
Response 0009 with code 0 and length 45
52 65 70 75 74 61 74 69  6F 6E 20 50 72 65 70 72   Reputati on Prepr
6F 63 65 73 73 6F 72 3A  20 4E 6F 20 73 65 67 6D   ocessor:  No segm
65 6E 74 73 20 72 65 63  65 69 76 65 64            ents rec eived
Response 0000 without data

The two snorts (master and client) gave no response. Why???

What does "No segments received" mean? I know what "Segmentation fault" means.

What should I do to make the two snorts (master and client) load the shared memory black list?

Thank you very much indeed.

                               minggang su.

------------------ Original message ------------------
From: "Hui Cao (huica)";<huica at ...589...>;
Sent: Thursday, May 11, 2017, 10:10 PM
To: "阔野嘹歌"<85358830 at ...15456...>;  "Snort-users"<snort-users at lists.sourceforge.net>; 
Subject: Re: Re: Re: [Snort-users] Re: snort preprocessor reputation Shared memory load entries always 0

The error message indicates the previous reload has not finished yet. You should see that all the instances have switched to the new shared memory. You can issue the reload command again after that.

Best,

Hui.

On 05/10/2017 10:44 PM, 阔野嘹歌 wrote:

Thanks Hui.

Thank you for taking the time to answer my questions.

Now my snort reputation looks like it works well.

I added the IP (192.168.59.228) to the file /usr/reputation/iplists/black_list.blf, then started snort_control using the following command:

./snort_control /usr/reputation/ 1361

snort_control output:

Response 0009 with code 0 and length 45
52 65 70 75 74 61 74 69  6F 6E 20 50 72 65 70 72   Reputati on Prepr
6F 63 65 73 73 6F 72 3A  20 4E 6F 20 73 65 67 6D   ocessor:  No segm
65 6E 74 73 20 72 65 63  65 69 76 65 64            ents rec eived
Response 0000 without data

But the snort master does not respond, and snort has not blocked the IP 192.168.59.128.

I noticed the snort output (previous output, not now):

.........
.....
    Reputation Preprocessor: Size of shared memory segment SFIPReputation.rt.0.0.0 is 1179648
    Processing blacklist file /usr/reputation/iplists/black_list.blf
    Reputation entries loaded: 3, invalid: 0, re-defined: 0 (from file /usr/reputation/iplists/black_list.blf)
    Processing whitelist file /usr/reputation/iplists/white_list.wlf
    Reputation entries loaded: 0, invalid: 0, re-defined: 0 (from file /usr/reputation/iplists/white_list.wlf)
Reputation Preprocessor shared memory summary:
    Reputation total memory usage: 329820 bytes
    Reputation total entries loaded: 3, invalid: 0, re-defined: 0
    Reputation Preprocessor: Received segment 0
    Reputation Preprocessor: Instance 0 switched to segment_version 0

But my blacklist file now has 4 IPs (192.168.59.228 is the new IP). It looks like the blacklist was not reloaded.

My questions are:

1. What should I do to get the black list loaded?

2. What does "1361" mean? How should I know what it means? I searched the snort source, but I can't understand it. The following lines are the output:

root at ...274...:~/code/snort# find.sh 1361
 ################## FIND BEGIN ################## 
./src/dynamic-plugins/sf_engine/sfprimetable.c:210: 1361, /* 1361 */
./src/dynamic-plugins/sf_engine/sfprimetable.c:1558: 31357, /* 31361 */
./src/dynamic-plugins/sf_engine/sfprimetable.c:2228:  136189, /* 136192 */
./src/target-based/sf_attribute_table_parser.c:1693:     1359,    0, 1360,    0, 1361,    0, 1362,    0, 1363,    0,
./src/target-based/sf_attribute_table_parser.c:3452:    11358,11358,11359,11359,11360,11360,11361,11361,11362,11362,
./src/target-based/sf_attribute_table_parser.c:4283:     1353, 1355, 1357, 1359, 1361, 1363, 1365, 1367, 1369, 1371,
./src/target-based/sf_attribute_table_parser.c:5275:     1351, 1353, 1355, 1357, 1359, 1361, 1363, 1365, 1367, 1369,
./src/target-based/sf_attribute_table_parser.c:5976:    11358,11359,11360,11361,11362,11363,11364,11365,11366,11367,
./src/dynamic-preprocessors/include/sfprimetable.c:210: 1361, /* 1361 */
./src/dynamic-preprocessors/include/sfprimetable.c:1558: 31357, /* 31361 */
./src/dynamic-preprocessors/include/sfprimetable.c:2228:  136189, /* 136192 */
./src/sfutil/sfprimetable.c:210: 1361, /* 1361 */
./src/sfutil/sfprimetable.c:1558: 31357, /* 31361 */
./src/sfutil/sfprimetable.c:2228:  136189, /* 136192 */
 ##################  FIND END  ################## 

Thanks.

minggang su

------------------ Original message ------------------
From: "Hui Cao (huica)";<huica at ...589...>;
Sent: Wednesday, May 10, 2017, 9:12 PM
To: "阔野嘹歌"<85358830 at ...15456...>;  "Snort-users"<snort-users at lists.sourceforge.net>; 
Subject: Re: Re: [Snort-users] Re: snort preprocessor reputation Shared memory load entries always 0

My questions are:

1.     What does 'Shared memory max instances: 2' mean? Does it mean I can only start two instances?

Yes. You can set it to a higher number since it is configurable. The configuration option is "shared_max_instances". I think the default is 50.

2.     How do I know that my snort client uses a shared blacklist? I can't get any information from the client snort output.

You have output like this; it is a reader:

   Mapped shared management region of size 128 as a reader.
    Reputation Preprocessor: Size of shared memory segment SFIPReputation.rt.0.0.0 is 1146880

From: 阔野嘹歌 <85358830 at ...15456...>
Date: Wednesday, May 10, 2017 at 12:54 AM
To: "Hui Cao (huica)" <huica at ...589...>, Snort-users <snort-users at lists.sourceforge.net>
Subject: Re: [Snort-users] Re: snort preprocessor reputation Shared memory load entries always 0

Thanks Hui.

I used the command as you gave it to me:

./snort -G 0 -Q --process-all-events -c ../etc/snort.conf

The following is the output of the master snort:

.......
...
Reputation config: 
    Reputation total memory usage: 0 bytes
    Reputation total entries loaded: 0, invalid: 0, re-defined: 0
    Memcap: 500 (Default) M bytes 
    Scan local network: ENABLED
    Reputation priority:  whitelist(Default) 
    Nested IP: both  
    White action: unblack (Default) 
    Shared memory supported, Update directory: /usr/reputation/iplists
    Shared memory refresh period: 60 (Default) seconds 
    Shared memory max instances: 2

..........
......

Reload thread starting...
Reload thread started, thread 0xa44f1b40 (26006)
    Reputation Preprocessor: Size of shared memory segment SFShmemMgmt.0.0 is 128
Mapped shared management region of size 128 as a writer.
    Reputation Preprocessor: Size of shared memory segment SFIPReputation.rt.0.0.0 is 1146880
    Processing blacklist file /usr/reputation/iplists/black_list.blf
    Reputation entries loaded: 2, invalid: 0, re-defined: 0 (from file /usr/reputation/iplists/black_list.blf)
    Processing whitelist file /usr/reputation/iplists/white_list.wlf
    Reputation entries loaded: 0, invalid: 0, re-defined: 0 (from file /usr/reputation/iplists/white_list.wlf)
Reputation Preprocessor shared memory summary:
    Reputation total memory usage: 329712 bytes
    Reputation total entries loaded: 2, invalid: 0, re-defined: 0

........
.....

The master snort looks like it works well. Next step, I start a new snort instance as a client. It does not look like it loads the shared memory black list info. The following line is my command:

./snort -G 1 -Q --process-all-events -c ../etc/snort.conf.smg.5.9

It outputs:

.......
.....
Reputation config: 
    Reputation total memory usage: 0 bytes
    Reputation total entries loaded: 0, invalid: 0, re-defined: 0
    Memcap: 500 (Default) M bytes 
    Scan local network: ENABLED
    Reputation priority:  whitelist(Default) 
    Nested IP: both  
    White action: unblack (Default) 
    Shared memory supported, Update directory: /usr/reputation/iplists
    Shared memory refresh period: 60 (Default) seconds 
    Shared memory max instances: 2

........
......
Reload thread starting...
Reload thread started, thread 0xa44a1b40 (26334)
    Reputation Preprocessor: Size of shared memory segment SFShmemMgmt.0.0 is 128
Mapped shared management region of size 128 as a reader.
    Reputation Preprocessor: Size of shared memory segment SFIPReputation.rt.0.0.0 is 1146880

..........
....

My questions are:

1. What does 'Shared memory max instances: 2' mean? Does it mean I can only start two instances?

2. How do I know that my snort client uses a shared blacklist? I can't get any information from the client snort output.

------------------ Original message ------------------
 From: "Hui Cao (huica)";<huica at ...589...>;
 Sent: Tuesday, May 9, 2017, 11:53 PM
 To: "阔野嘹歌"<85358830 at ...15456...>;  "Snort-users"<snort-users at lists.sourceforge.net>; 
 Subject: Re: [Snort-users] Re: snort preprocessor reputation Shared memory load entries always 0

You should use the command:

 ./snort -G 0 -Q --process-all-events -c ../etc/snort.conf

 Only instance 0 will be a shared memory writer.

 Best,
 Hui.
 On 5/9/17, 11:46 AM, "阔野嘹歌"  <85358830 at ...15456...> wrote:

     Sorry, message attachments are not supported.
     Here is my snort.conf:
     
     
     # Reputation preprocessor. For more information see README.reputation
     preprocessor reputation: \
        memcap 500, \
        scan_local, \
     #   priority whitelist, \
        white unblack, \
        nested_ip both, \
     #   whitelist /usr/reputation/iplists/white_list.wlf, \
     #   blacklist /usr/reputation/iplists/black_list.blf, \
        shared_mem /usr/reputation/iplists, \
        shared_refresh 60
     
     
     Here is my black_list.blf:
     192.168.59.158/32
     192.168.59.128/32
     
     
     ------------------ Original message ------------------
     From: "85358830";<85358830 at ...15456...>;
     Sent: Tuesday, May 9, 2017, 11:28 PM
     To: "Snort-users"<snort-users at lists.sourceforge.net>; 
     
     Subject: [Snort-users] snort preprocessor reputation Shared memory load entries always 0
     
     
     Good day to all! I'm using Snort 2.9.8.3 on a Debian 8.2 virtual machine to test reputation shared memory and the control socket. I'm following Snort manual section 2.2.20, shared memory support, step by step, but it does not look like it works well.
     
     
     My config file and white/black list files are in the mail attachments.
     The following line is my snort start command:
     ./snort -G 1 -Q --process-all-events -c ../etc/snort.conf
     
     
     The following is the output of snort:
     .......
     ...
     Reputation config: 
         Reputation total memory usage: 0 bytes
         Reputation total entries loaded: 0, invalid: 0, re-defined: 0
         Memcap: 500 (Default) M bytes 
         Scan local network: ENABLED
         Reputation priority:  whitelist(Default) 
         Nested IP: both  
         White action: unblack (Default) 
         Shared memory supported, Update directory: /usr/reputation/iplists
         Shared memory refresh period: 60 (Default) seconds 
         Shared memory max instances: 2
     
     +++++++++++++++++++++++++++++++++++++++++++++++++++
     Initializing rule chains...
     1 Snort rules read
         0 detection rules
         0 decoder rules
         1 preprocessor rules
     1 Option Chains linked into 1 Chain Headers
     0 Dynamic rules
     +++++++++++++++++++++++++++++++++++++++++++++++++++
     
     ..........
     .....
     
     
     nfq DAQ configured to inline.
     Reload thread starting...
     Reload thread started, thread 0xa443db40 (25579)
         Reputation Preprocessor: Size of shared memory segment SFShmemMgmt.0.0 is 128
     Mapped shared management region of size 128 as a reader.
     
     ........
     .....
     
     
     It appears that the blacklist is not loaded into shared memory. Why?
     Who can tell me why?
     
     
     I have been searching for a long time on the net, but to no use. Please help or try to give some ideas on how to achieve this.
     
     I'm sorry my English is not good. Sorry, I am a novice.
     Sorry.
     
     Can someone give me some help?
     
     Can the Chinese give me some help? In Chinese.
     
     I am a lonely self learner; if you can give me a little help, thank you very much.
     Best regards to all!
     ------------------------------------------------------------------------------
     Check out the vibrant tech community on one of the world's most
     engaging tech sites, Slashdot.org! http://sdm.link/slashdot
     _______________________________________________
     Snort-users mailing list
     Snort-users at lists.sourceforge.net
     Go to this URL to change user options or unsubscribe:
     https://lists.sourceforge.net/lists/listinfo/snort-users
     Snort-users list archive:
      http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
     
     Please visit http://blog.snort.org to stay current on all the latest Snort news!
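Three things run through this thread: what the 1361 argument to snort_control is, whether a reload actually took effect, and when it is safe to send the command again. In Snort 2.9, 1361 is the control-socket command number that the reputation preprocessor registers for its shared-memory reload (a CS_TYPE_REPUTATION_SHAREDMEM_* constant in the Snort sources); the prime-table and attribute-table hits that the poster's find.sh turned up are unrelated. The Python below is an added example, not code from Snort or from anyone in this thread. It parses a black/white list file using the same three counters Snort prints (loaded, invalid, re-defined), pulls the per-file counters and the "Instance N switched to segment_version M" lines out of Snort's console output, and reports whether file and log agree. Its file-format assumptions ('#' starts a comment, a bare address means /32), its rule that a duplicate network counts as re-defined rather than loaded again, and the sample list and log excerpt are constructed for the example; only the log line formats are copied from the output quoted above.

```python
"""Checks for Snort 2.9 reputation IP lists and the reload snort_control 1361 triggers.

Added example, not Snort code. Assumptions: one IP or CIDR per line with '#'
comments; a bare address means /32 (/128); a network listed twice is counted
as re-defined and not loaded again; the log line formats are the ones quoted
in the thread.
"""
import ipaddress
import re

LOADED_RE = re.compile(
    r"Reputation entries loaded: (\d+), invalid: (\d+), re-defined: (\d+) "
    r"\(from file (\S+)\)")
SWITCHED_RE = re.compile(r"Instance (\d+) switched to segment_version (\d+)")


def parse_reputation_list(text):
    """Parse a .blf/.wlf file; return (networks, counters)."""
    networks, seen = [], set()
    counts = {"loaded": 0, "invalid": 0, "re-defined": 0}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # assumption: '#' starts a comment
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)  # host bits tolerated
        except ValueError:
            counts["invalid"] += 1  # Snort would report this line as invalid
            continue
        if net in seen:
            counts["re-defined"] += 1  # assumption: duplicates are not re-loaded
            continue
        seen.add(net)
        networks.append(net)
        counts["loaded"] += 1
    return networks, counts


def lookup(networks, ip):
    """Return the most specific listed network containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    hits = [n for n in networks if n.version == addr.version and addr in n]
    return str(max(hits, key=lambda n: n.prefixlen)) if hits else None


def parse_snort_summary(log_text):
    """Per-file counters from the 'Reputation entries loaded' lines Snort prints."""
    out = {}
    for m in LOADED_RE.finditer(log_text):
        out[m.group(4)] = {"loaded": int(m.group(1)), "invalid": int(m.group(2)),
                           "re-defined": int(m.group(3))}
    return out


def switched_instances(log_text):
    """Map instance id -> last segment_version it reported switching to.
    Per the thread, send 1361 again only after every instance has switched."""
    return {int(i): int(v) for i, v in SWITCHED_RE.findall(log_text)}


def reload_took_effect(list_text, log_text, path):
    """Compare what the file contains with what Snort says it loaded from it."""
    _, expected = parse_reputation_list(list_text)
    actual = parse_snort_summary(log_text).get(path)
    if actual is None:
        return False, "no load summary for %s in the log" % path
    if actual == expected:
        return True, "counters match: %r" % actual
    return False, "file parses to %r but Snort reported %r" % (expected, actual)


# Constructed sample: the thread's black_list.blf plus the entries the poster
# added later, one duplicate and one bad line.
BLACK_LIST = """\
# sample black list
192.168.59.158/32
192.168.59.128/32
192.168.59.228          # bare address -> /32
1.1.18.6/32
192.168.59.128          # listed twice -> re-defined
not-an-address          # -> invalid
"""

# Constructed log excerpt in the format quoted in the thread: Snort still
# reports 3 entries although the file above now holds 4 valid ones.
SNORT_LOG = """\
    Reputation Preprocessor: Instance 0 switched to segment_version 1
    Processing blacklist file /usr/reputation/iplists/black_list.blf
    Reputation entries loaded: 3, invalid: 0, re-defined: 0 (from file /usr/reputation/iplists/black_list.blf)
    Processing whitelist file /usr/reputation/iplists/white_list.wlf
    Reputation entries loaded: 0, invalid: 0, re-defined: 0 (from file /usr/reputation/iplists/white_list.wlf)
"""

if __name__ == "__main__":
    nets, counts = parse_reputation_list(BLACK_LIST)
    print("file counters:", counts)
    print("192.168.59.228 ->", lookup(nets, "192.168.59.228"))
    print("instances switched:", switched_instances(SNORT_LOG))
    print(reload_took_effect(BLACK_LIST, SNORT_LOG,
                             "/usr/reputation/iplists/black_list.blf"))
```

Run it against the real black_list.blf before sending 1361: an invalid count above zero is a line Snort will reject, and lookup() confirms the address you plan to test is actually covered (the thread's poster added .228 but then looked for .128). After the reload, paste the master's console output into reload_took_effect(); if the counters still match the old file, the reload did not land. Send 1361 again only once switched_instances() shows every instance you are running has switched, which is the condition Hui's answer gives for the "No segments received" response.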