Re: [Snort-users] Quick questions about recieved packets
This is a discussion on Re: [Snort-users] Quick questions about recieved packets within the Snort forums, part of the System Security and Security Related category; ------=_Part_4796_19905932.1130368246646 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline You can ...
|
|||||||
| FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
10-27-2005
|
|||
|
|||
Re: [Snort-users] Quick questions about recieved packets
------=_Part_4796_19905932.1130368246646
Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline You can always just "ldd /path/to/snort" to see which pcap library is used, and you might get lucky. I believe by default when you build libpcap it doesn't build shared libraries, so you might have to read some documentation to get it to do that. I could be wrong, but I believe it builds static libraries and i had to recompile snort and have those libraries statically linked. You can also build dynamic libraries and in that case you don't have to recompile snort.... your call... Anyways, once you get snort to use the new library, you have to define PCAP_FRAMES variable before you launch snort. Try PCAP_FRAMES=3Dmax to star= t with and go from there. Google it, or go to the page where you got the library, there is some documentation on the subject. Good luck. On 10/26/05, Joseph Nicholson <wjnicholson@gmail.com> wrote: > > Well I got my head out of my butt and realized what my major issue was. I > was running Snort from the command line for testing purposes before I set > it up to run at boot as a Daemon. I was using the following command line: > /usr/local/bin/snort -c /etc/snort/snort.conf -i eth1 -g snort -v > I kinda forgot that verbose mode will cause a ton of dropped packets lik= e > I was getting. I am now after a 10 min run without the -v getting 10% los= s > instead of 90%. That is something I could live with or at least close the > gap on easier. > I installed the new pcap library as suggested above. I am using Fedora > Core 3 (yeah I know, don't say it :-P) and I downloaded the lib, un-tarre= d > it, did the configure, make, make install dance around the fire pit. I > rebooted the server. Will that pcap lib actually be used or is there > something I have to change somewhere to tell FC3 not to use the pcap lib > that it came with and to use my new one? > > On 10/26/05, Joseph Nicholson <wjnicholson@gmail.com> wrote: > > > > I went ahead and disabled all of the rulesets to see if that made any > > differece. Unfortunately it made no difference at all. My next question= will > > be if I use the pcap library suggested above, when I install it will > > Snort know to use it automatically or will I have to change something s= o > > Snort will know? > > ------=_Part_4796_19905932.1130368246646 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline You can always just "ldd /path/to/snort" to see which pcap librar= y is used, and you might get lucky.<br> <br> I believe by default when you build libpcap it doesn't build shared libraries, so you might have to read some documentation to get it to do that. I could be wrong, but I believe it builds static libraries and i had to recompile snort and have those libraries statically linked. You can also build dynamic libraries and in that case you don't have to recompile snort.... your call...<br> <br> Anyways, once you get snort to use the new library, you have to define PCAP_FRAMES variable before you launch snort. Try PCAP_FRAMES=3Dmax to start with and go from there. Google it, or go to the page where you got the library, there is some documentation on the subject.<br> <br> Good luck.<br><br><div><span class=3D"gmail_quote">On 10/26/05, <b class=3D= "gmail_sendername">Joseph Nicholson</b> <<a href=3D"mailto:wjnicholson@g= mail.com">wjnicholson@gmail.com</a>> wrote:</span><blockquote class=3D"g= mail_quote" style=3D"border-left: 1px solid rgb(204, 204, 204); margin: 0pt= 0pt 0pt 0.8ex; padding-left: 1ex;"> <div>Well I got my head out of my butt and realized what my major issue was= .. I was running <span id=3D"st" name=3D"st" class=3D"st0">Snort</span= > from the command line for testing purposes before I set it up to run at boot as a Daemon. I was using the following command line: </div> <div> </div> <div>/usr/local/bin/<span id=3D"st" name=3D"st" class=3D"st0">snort</span> = -c /etc/<span id=3D"st" name=3D"st" class=3D"st0">snort</span>/<span id=3D"= st" name=3D"st" class=3D"st0">snort</span>.conf -i eth1 -g <span id=3D"st" = name=3D"st" class=3D"st0"> snort</span> -v</div> <div> </div> <div>I kinda forgot that verbose mode will cause a ton of dropped packets like I was getting. I am now after a 10 min run without the -v getting 10% loss instead of 90%. That is something I could live with or at least close the gap on easier. </div> <div> </div> <div>I installed the new pcap library as suggested above. I am using Fedora Core 3 (yeah I know, don't say it :-P) and I downloaded the lib, un-tarred it, did the configure, make, make install dance around the fire pit. I rebooted the server. Will that pcap lib actually be used or is there something I have to change somewhere to tell FC3 not to use the pcap lib that it came with and to use my new one? <br><br> </div> <div><span class=3D"q"><span class=3D"gmail_quote">On 10/26/05, <b class=3D= "gmail_sendername">Joseph Nicholson</b> <<a href=3D"mailto:wjnicholson@g= mail.com" target=3D"_blank" onclick=3D"return top.js.OpenExtLink(window,eve= nt,this)"> wjnicholson@gmail.com<img class=3D"targetalert" style=3D"border: 0px none = ! important; margin: 0px 0px -3px 5px ! important; padding: 0px ! important= ; display: inline ! important; background-color: transparent ! important; w= idth: auto ! important; height: auto ! important; float: none ! important; = z-index: 10 ! important;" src=3D"chrome://targetalert/content/skin/new.png"= > <img class=3D"targetalert" style=3D"border: 0px none ! important; margin: = 0px 0px -3px 5px ! important; padding: 0px ! important; display: inline ! i= mportant; background-color: transparent ! important; width: auto ! importan= t; height: auto ! important; float: none ! important; z-index: 10 ! importa= nt;" src=3D"chrome://targetalert/content/skin/outlook.png"> </a>> wrote:</span> </span><span class=3D"q"><blockquote class=3D"gmail_quote" style=3D"border-= left: 1px solid rgb(204, 204, 204); margin: 0px 0px 0px 0.8ex; padding-left= : 1ex;">I went ahead and disabled all of the rulesets to see if that made any differece. Unfortunately it made no difference at all. My next question will be if I use the pcap library suggested above, when I install it will <span id=3D"st" name=3D"st" class=3D"st0">Snort</span> know= to use it automatically or will I have to change something so <span id=3D"= st" name=3D"st" class=3D"st0">Snort</span> will know? </blockquote></span></div> </blockquote></div><br> ------=_Part_4796_19905932.1130368246646-- ------------------------------------------------------- This SF.Net email is sponsored by the JBoss Inc. Get Certified Today * Register for a JBoss Training Course Free Certification Exam for All Training Attendees Through End of 2005 Visit http://www.jboss.com/services/certification for more information _______________________________________________ Snort-users mailing list Snort-users@lists.sourceforge.net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/...fo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.p...st=snort-users 
|
 |
«
Previous Thread
|
Next Thread
»
| Thread Tools | |
| Display Modes | |
Linear Mode
|
|
All times are GMT +1. The time now is 05:35 AM.
