Hello all, I recently packaged PF_RING 5.5.3 for my Security Onion distro: http://securityonion.blogspot.com/2013/05/pfring-553-packages-now-available.html
Perhaps I'm missing something, but I'm seeing some behavior I don't remember seeing in 5.5.2 or previous versions of PF_RING. Here are my testing parameters:

- Starting off with a good test, if I run just one instance of snort, I get an alert from rule 2100498 EACH time I run "curl testmyids.com".
- If I increase to two instances of snort with the same cluster-id, I get NO alerts when running "curl testmyids.com".
- If I set the daq clustermode to 2, I get NO alerts when running "curl testmyids.com". (Does clustermode default to 2 if not specified?)
- If I set the daq clustermode to 4, I get an alert for EVERY OTHER "curl testmyids.com" (if I do 10 curls, I only get 5 alerts).

Here are the PF_RING entries in my snort.conf, including the clustermode variable that I'm testing:

config daq: pfring
config daq_dir: /opt/pfring/lib/daq
config daq_var: clusterid=51
#config daq_var: clustermode=4

Here are my snort command lines:

snort -c /etc/nsm/HOSTNAME-eth1/snort.conf -u sguil -g sguil -i eth1 -F /etc/nsm/HOSTNAME-eth1/bpf-ids.conf -l /nsm/sensor_data/HOSTNAME-eth1/snort-1 --perfmon-file /nsm/sensor_data/HOSTNAME-eth1/snort-1.stats -U -m 112

snort -c /etc/nsm/HOSTNAME-eth1/snort.conf -u sguil -g sguil -i eth1 -F /etc/nsm/HOSTNAME-eth1/bpf-ids.conf -l /nsm/sensor_data/HOSTNAME-eth1/snort-2 --perfmon-file /nsm/sensor_data/HOSTNAME-eth1/snort-2.stats -U -m 112

Have I missed something? Has anybody else experienced this? What can I do to troubleshoot this?

Thanks!

--
Doug Burks
http://securityonion.blogspot.com

_______________________________________________
Ntop-misc mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
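When a cluster of IDS instances sharing one cluster-id stops alerting on a test flow, one thing worth checking is whether every packet of that flow still reaches the same instance. The following Python model is an added illustration, not part of this post and not PF_RING or Snort code: it distributes the packets of one constructed "curl" HTTP flow across N workers either per packet (round robin) or by a direction-independent 5-tuple hash, and counts how often a simplified stream-tracking detector, which only inspects a reply after seeing the full handshake on its own worker, raises an alert. The mode names and the signature marker in the reply are assumptions of the model, not PF_RING's clustermode numbering or the rule's real content.

```python
import hashlib
from collections import defaultdict

# Constructed packets of one HTTP flow (request and reply), as
# (src_ip, dst_ip, src_port, dst_port, proto, payload). The reply carries a
# constructed "SIGNATURE" marker standing in for the content a rule matches.
FLOW = [
    ("10.0.0.5", "203.0.113.7", 40000, 80, 6, "SYN"),
    ("203.0.113.7", "10.0.0.5", 80, 40000, 6, "SYN-ACK"),
    ("10.0.0.5", "203.0.113.7", 40000, 80, 6, "ACK"),
    ("10.0.0.5", "203.0.113.7", 40000, 80, 6, "GET / HTTP/1.1"),
    ("203.0.113.7", "10.0.0.5", 80, 40000, 6, "HTTP/1.1 200 OK SIGNATURE"),
]

HANDSHAKE = {"SYN", "SYN-ACK", "ACK"}


def round_robin(packets, n):
    """Per-packet distribution: packet i goes to worker i mod n."""
    return [i % n for i, _ in enumerate(packets)]


def symmetric_flow_hash(packets, n):
    """Direction-independent 5-tuple hash: both halves of a flow land on
    the same worker because the endpoints are sorted before hashing."""
    workers = []
    for src, dst, sport, dport, proto, _ in packets:
        key = "|".join(sorted([f"{src}:{sport}", f"{dst}:{dport}"])) + f"|{proto}"
        digest = hashlib.sha256(key.encode()).hexdigest()
        workers.append(int(digest, 16) % n)
    return workers


def alerts(packets, assignment):
    """Model a detector that inspects a reply only once its own worker has
    seen the complete handshake (simplified stream tracking). Returns the
    number of replies that matched."""
    seen = defaultdict(set)  # worker -> handshake steps observed there
    hits = 0
    for (*_, payload), worker in zip(packets, assignment):
        if payload in HANDSHAKE:
            seen[worker].add(payload)
        elif "SIGNATURE" in payload and seen[worker] >= HANDSHAKE:
            hits += 1
    return hits


if __name__ == "__main__":
    for n in (1, 2):
        print(n, "worker(s): round robin ->", alerts(FLOW, round_robin(FLOW, n)),
              "| symmetric hash ->", alerts(FLOW, symmetric_flow_hash(FLOW, n)))
```

With one worker both modes alert once; with two workers the round-robin split loses the alert because no single worker sees the whole flow, while the symmetric hash keeps the flow together and still alerts.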
