[Snort-users] Snort+ : loging in afpacket mode

Shravan Rangarajuvenkata (shrarang) shrarang at cisco.com
Mon Sep 24 13:27:16 EDT 2018


Snort creates one DAQ instance per-thread and each DAQ instance creates one packet socket. When fanout mode is used, each packet is sent to only one socket in the fanout group. When you set fanout_type to hash, all packets belonging to one flow are sent to one socket. Socket is selected based on the hash created for the flow. And the hash is a function of the network addresses of the flow. Please refer to “man packet” for more information regarding fanout options.

I am assuming when you were using fanout options, both the scp flows went to the same snort thread and therefore, you see only one alert file. When you were not using fanout options, each packet was being sent to all the snort threads and each thread was creating alerts. And thus, you had 4 alerts files with duplicate alerts.

To confirm the above, can you please provide us more information?

  1.  Were you seeing the same alerts in all 4 log files when you were not using fanout options?
  2.  Did you miss any alerts when you used the fanout options? You should not see any duplicate alerts when using fanout but all the unique alerts should still be generated.

Thanks,
Shravan

-------- Forwarded Message --------
Subject:

[Snort-users] Snort+ : loging in afpacket mode

Date:

Thu, 20 Sep 2018 20:46:03 +0300

From:

Meridoff via Snort-users <snort-users at lists.snort.org><mailto:snort-users at lists.snort.org>

Reply-To:

Meridoff <oagvozd at gmail.com><mailto:oagvozd at gmail.com>

To:

snort-users at lists.snort.org<mailto:snort-users at lists.snort.org>


Hello
I run 4 packet threads if afpacket tap mode in alert_fast mode.
I can see 4 log files (0..4_alert_fast.txt) which are the same - cause 4 daq threads run.

Now I set fanout_type to hash (and fanout_flag to rollover or defrag ) and I see that logging go to in only 1 file (e.g. 1_alert_fast.txt).

I test all this by one rule "tcp any any" and 2 scp process to generate traffic (2 Big file transfer in parallel)

How it (difference in number of log files that are writen) can be explained ?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20180924/f80f6383/attachment.html>


More information about the Snort-users mailing list