Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-users] Quick questions about recieved packets

from [sekure] Network Security [Permanent Link]
Subject: Re: [Snort-users] Quick questions about recieved packets
Date: Wed, 26 Oct 2005 19:10:46 -0400 
You can always just "ldd /path/to/snort" to see which pcap library is used,
and you might get lucky.

I believe by default when you build libpcap it doesn't build shared
libraries, so you might have to read some documentation to get it to do
that. I could be wrong, but I believe it builds static libraries and i had
to recompile snort and have those libraries statically linked. You can also
build dynamic libraries and in that case you don't have to recompile
snort.... your call...

Anyways, once you get snort to use the new library, you have to define
PCAP_FRAMES variable before you launch snort. Try PCAP_FRAMES=max to start
with and go from there. Google it, or go to the page where you got the
library, there is some documentation on the subject.

Good luck.

On 10/26/05, Joseph Nicholson <wjnicholson@gmail.com> wrote:


Well I got my head out of my butt and realized what my major issue was. I
was running Snort from the command line for testing purposes before I set
it up to run at boot as a Daemon. I was using the following command line:
 /usr/local/bin/snort -c /etc/snort/snort.conf -i eth1 -g snort -v
 I kinda forgot that verbose mode will cause a ton of dropped packets like
I was getting. I am now after a 10 min run without the -v getting 10% loss
instead of 90%. That is something I could live with or at least close the
gap on easier.
 I installed the new pcap library as suggested above. I am using Fedora
Core 3 (yeah I know, don't say it :-P) and I downloaded the lib, un-tarred
it, did the configure, make, make install dance around the fire pit. I
rebooted the server. Will that pcap lib actually be used or is there
something I have to change somewhere to tell FC3 not to use the pcap lib
that it came with and to use my new one?

 On 10/26/05, Joseph Nicholson <wjnicholson@gmail.com> wrote:


I went ahead and disabled all of the rulesets to see if that made any
differece. Unfortunately it made no difference at all. My next question will
be if I use the pcap library suggested above, when I install it will
Snort know to use it automatically or will I have to change something so
Snort will know?
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Snort-users] BO preproc exploit published, byte_jump
Next by Date:  Re: [Snort-users] Quick questions about recieved packets, Bill Parker
Previous by Thread:  Re: [Snort-users] Quick questions about recieved packets, Joseph Nicholson
Next by Thread:  Re: [Snort-users] Quick questions about recieved packets, Richard Bejtlich
Indexes:  [Date] [Thread] [Top] [All Lists]