Chinaunix首页 | 论坛 | 博客
  • 博客访问: 193728
  • 博文数量: 53
  • 博客积分: 2059
  • 博客等级: 大尉
  • 技术积分: 577
  • 用 户 组: 普通用户
  • 注册时间: 2010-03-30 03:03





2010-08-28 12:35:44

The same questions get posted again and again to the Snort forums, at the moment this is the most frequently misunderstood, and asked question that catches my eye.

Help !!!!!!!!
Snort doesn’t work !
It dies with a “Not Using PCAP_FRAMES” error message”.
Quick, quick help me now!

I’m ranting about this here so hopefully when people google the “Not using PCAP_FRAMES” message before blindly posting to the forums or mail lists for help (I know, I can dream), maybe this post will appear in their search results solving their non-issue.

What is an error message?

Lets look a real error messages first, unlike the above.

--== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /this/rules/file/does/not/exist
ERROR: Unable to open rules file: /this/rules/file/does/not/exist or /this/rules/file/does/not//this/rules/file/does/not/exist
Fatal Error, Quitting..

The error condition above is clearly identified, other messages not prefixed with “ERROR” are supporting messages to help a user understand what the system is doing. This rule holds true with most software and not Snort alone.

What is a PCAP_FRAME?

PCAP_FRAMES is an environment variable that is used to pass a configuration setting to a custom pcap library, specifically the code by Phil Woods (Nice job by the way Phil). If you have not built snort against Phil’s libpcap that supports pcap ring buffers in shared memory, PCAP_FRAMES means absolutely NOTHING to you, zip, nout, fsck all, nada.

If you are unsure if you have built Snort against Phil’s libpcap or a stock distribution, then trust me you’re using a stock libpcap.

For those who are interested, PCAP_FRAMES defines a size (in frames) of a pcap ring-buffer in shared memory.

Are you sure? It looks like Snort stops with this as an error.

Yes I’m sure, and I find your lack of faith disturbing. Lets look at the code in snort.c to check.

1163     if( getenv(“PCAP_FRAMES”) )
1164     {
1165         LogMessage(“Using PCAP_FRAMES = %s\n”, getenv(“PCAP_FRAMES”) );
1166     }
1167     else
1168     {
1169         LogMessage(“Not Using PCAP_FRAMES\n” );
1170     }

If the environment variable PCAP_FRAMES is set, it shows the value to user during Snort initialization. If the environment variable is not set, it tell the user that PCAP_FRAMES are not being used.

For example, ill start up snort as a sniffer on my Mac with a stock libpcap.

[09:12:32]lward@drax~$ sudo snort -vdei en0 > /dev/null
Running in packet dump mode
-snip verbose startup output-
,,_     -*> Snort! <*-
o"  )~   Version (Build 75)
''''    By Martin Roesch & The Snort Team:

(C) Copyright 1998-2007 Sourcefire Inc., et al.
Using PCRE version: 7.6 2008-01-28
^C*** Caught Int-Signal
Packet Wire Totals:


Here Snort has started up and was sniffing without error (until I hit CRTL+C), now lets set PCAP_FRAMES to some garbage because it will have no effect on Snorts behavior or my stock libpcap.

bash-3.2# export PCAP_FRAMES="Foo Bar This setting has no impact on my libpcap instance"
bash-3.2# snort -dvei en0 > /dev/null
Running in packet dump mode
--== Initializing Snort ==--
Initializing Output Plugins!
Verifying Preprocessor Configurations!
Initializing Network Interface en0
OpenPcap() device en0 network lookup:
en0: no IPv4 address assigned
Decoding Ethernet on interface en0
--== Initialization Complete ==--
 ,,_     -*> Snort! <*-
o"  )~   Version (Build 75)
 ''''    By Martin Roesch & The Snort Team: 
(C) Copyright 1998-2007 Sourcefire Inc., et al.
Using PCRE version: 7.6 2008-01-28
Using PCAP_FRAMES = Foo Bar This setting has no impact on my libpcap instance
 ^C*** Caught Int-Signal

So in summary, this verbose message has no meaning to most users of Snort. If you are running Snort as an IDS but not in daemon mode, don’t expect to see anything on STDOUT until you stop the processes (hit CRTL+C to send a SIGINT).

As always, happy Snortin’



阅读(1685) | 评论(0) | 转发(0) |


下一篇:Not Using PCAP_FRAMES