The same questions get posted again and again to the Snort forums, at the moment this is the most frequently misunderstood, and asked question that catches my eye.
Help !!!!!!!!
Snort doesn’t work !
It dies with a “Not Using PCAP_FRAMES” error message”.
Quick, quick help me now!
I’m ranting about this here so hopefully when people google the “Not using PCAP_FRAMES” message before blindly posting to the forums or mail lists for help (I know, I can dream), maybe this post will appear in their search results solving their non-issue.
What is an error message?
Lets look a real error messages first, unlike the above.
--== Initializing Snort ==-- Initializing Output Plugins! Initializing Preprocessors! Initializing Plug-ins! Parsing Rules file /this/rules/file/does/not/exist ERROR: Unable to open rules file: /this/rules/file/does/not/exist or /this/rules/file/does/not//this/rules/file/does/not/exist Fatal Error, Quitting..
The error condition above is clearly identified, other messages not prefixed with “ERROR” are supporting messages to help a user understand what the system is doing. This rule holds true with most software and not Snort alone.
What is a PCAP_FRAME?
PCAP_FRAMES is an environment variable that is used to pass a configuration setting to a custom pcap library, specifically the code by Phil Woods (Nice job by the way Phil). If you have not built snort against Phil’s libpcap that supports pcap ring buffers in shared memory, PCAP_FRAMES means absolutely NOTHING to you, zip, nout, fsck all, nada.
If you are unsure if you have built Snort against Phil’s libpcap or a stock distribution, then trust me you’re using a stock libpcap.
For those who are interested, PCAP_FRAMES defines a size (in frames) of a pcap ring-buffer in shared memory.
Are you sure? It looks like Snort stops with this as an error.
Yes I’m sure, and I find your lack of faith disturbing. Lets look at the code in snort.c to check.
1163 if( getenv(“PCAP_FRAMES”) )
1164 {
1165 LogMessage(“Using PCAP_FRAMES = %s\n”, getenv(“PCAP_FRAMES”) );
1166 }
1167 else
1168 {
1169 LogMessage(“Not Using PCAP_FRAMES\n” );
1170 }
If the environment variable PCAP_FRAMES is set, it shows the value to user during Snort initialization. If the environment variable is not set, it tell the user that PCAP_FRAMES are not being used.
For example, ill start up snort as a sniffer on my Mac with a stock libpcap.
[09:12:32]lward@drax~$ sudo snort -vdei en0 > /dev/null Password: Running in packet dump mode -snip verbose startup output-
,,_ -*> Snort! <*- o" )~ Version 2.8.0.2 (Build 75) '''' By Martin Roesch & The Snort Team: (C) Copyright 1998-2007 Sourcefire Inc., et al. Using PCRE version: 7.6 2008-01-28 Not Using PCAP_FRAMES ^C*** Caught Int-Signal ============================================================== Packet Wire Totals: -SNIP-
Here Snort has started up and was sniffing without error (until I hit CRTL+C), now lets set PCAP_FRAMES to some garbage because it will have no effect on Snorts behavior or my stock libpcap.
bash-3.2# export PCAP_FRAMES="Foo Bar This setting has no impact on my libpcap instance" bash-3.2# snort -dvei en0 > /dev/null
Running in packet dump mode
--== Initializing Snort ==-- Initializing Output Plugins! Verifying Preprocessor Configurations! Initializing Network Interface en0 OpenPcap() device en0 network lookup: en0: no IPv4 address assigned Decoding Ethernet on interface en0 --== Initialization Complete ==-- ,,_ -*> Snort! <*- o" )~ Version 2.8.0.2 (Build 75) '''' By Martin Roesch & The Snort Team: (C) Copyright 1998-2007 Sourcefire Inc., et al. Using PCRE version: 7.6 2008-01-28 Using PCAP_FRAMES = Foo Bar This setting has no impact on my libpcap instance ^C*** Caught Int-Signal ===================================
So in summary, this verbose message has no meaning to most users of Snort. If you are running Snort as an IDS but not in daemon mode, don’t expect to see anything on STDOUT until you stop the processes (hit CRTL+C to send a SIGINT).
As always, happy Snortin’
-Leon
===============================================
上面的文章,限于本人英文水平有限,只是读懂了一点所以转载一下,关于在篇文章说明的问题,会在另外一篇文章中说明。