On Sat, Jun 1, 2013 at 10:24 AM, Luca Deri <[email protected]> wrote:
> Hi Doug
>
> On Jun 1, 2013, at 6:59 AM, Doug Burks <[email protected]> wrote:
>
>> Hello all,
>>
>> I recently packaged PF_RING 5.5.3 for my Security Onion distro:
>> http://securityonion.blogspot.com/2013/05/pfring-553-packages-now-available.html
>>
>> Perhaps I'm missing something, but I'm seeing some behavior I don't
>> remember seeing in 5.5.2 or previous versions of PF_RING.
>>
>> Here are my testing parameters:
>> - starting off with a good test, if I run just one instance of snort,
>> I get an alert from rule 2100498 for EACH time I run "curl
>> testmyids.com"
>> - if I increase to two instances of snort with the same cluster-id, I
>> get NO alerts when running "curl testmyids.com"
>> - if I set the daq clustermode to 2, I get NO alerts when running
>> "curl testmyids.com".  (Does clustermode default to 2 if not
>> specified?)
> yes this is the default
>> - if I set the daq clustermode to 4, I get an alert for EVERY OTHER
>> "curl testmyids.com" (if I do 10 curl's, I only get 5 alerts).
>
>
> I am not a snort expert but the default is per IP balancing so it must work,
> otherwise we have a bug. I suggest you capture traffic with an app such as
> pfdump that is cluster aware and see what traffic the app received

Hi Luca,

Thanks for the quick response!

It looks like I'm seeing similar issues with Suricata and Bro, so I
don't think it's limited to Snort.

What's the recommended way to compile pfdump.c since there is no
configure and no Makefile in that directory?

Thanks,
Doug
_______________________________________________
Ntop-misc mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
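The balancing Luca describes, as an added example that is not code from this thread or from PF_RING: it models how a cluster spreads the ten curl connections over two rings under per-IP versus 5-tuple hashing, so the expected per-slot counts can be compared with what a cluster-aware capture such as pfdump reports. The hash function, the client and server addresses, and the mapping of "per IP" to an address-only hash are assumptions constructed for the example.

```python
import ipaddress
from collections import Counter

# Added example, not code from the thread or from PF_RING. It models how a
# PF_RING-style cluster spreads connections over N rings so the expected
# per-instance counts can be compared with what pfdump reports per slot.
# Assumption: "per IP" balancing hashes the IP pair only; 5-tuple balancing
# also hashes ports and protocol. The hash below is a stand-in, not PF_RING's.

CLIENT = "192.168.1.10"      # constructed: host running curl
SERVER = "203.0.113.5"       # constructed placeholder for the curl target
TCP = 6

def cluster_slot(src, dst, sport, dport, proto, mode, n_slots):
    """Pick the ring (0..n_slots-1) a packet is delivered to.

    Both hash modes are symmetric, so request and reply packets of one
    connection land on the same slot, which an IDS needs to see both sides.
    """
    a, b = int(ipaddress.ip_address(src)), int(ipaddress.ip_address(dst))
    key = a + b                       # "per IP": src/dst addresses only
    if mode == "5tuple":
        key += sport + dport + proto  # per flow: also ports and protocol
    elif mode != "per_ip":
        raise ValueError(f"unknown balancing mode {mode!r}")
    return key % n_slots

def simulate_curls(mode, n_slots, n_curls=10, first_port=40000):
    """Run n_curls constructed TCP connections to SERVER:80 and count how
    many land on each slot. Ephemeral source ports are consecutive, as a
    typical client would allocate them."""
    per_slot = Counter()
    for i in range(n_curls):
        sport = first_port + i
        req = cluster_slot(CLIENT, SERVER, sport, 80, TCP, mode, n_slots)
        rep = cluster_slot(SERVER, CLIENT, 80, sport, TCP, mode, n_slots)
        assert req == rep, "reply must follow the request to the same slot"
        per_slot[req] += 1
    return dict(per_slot)

if __name__ == "__main__":
    for mode in ("per_ip", "5tuple"):
        print(f"{mode:7s} over 2 slots: {simulate_curls(mode, 2)}")
```

With per-IP balancing all ten connections reach the same instance, so one alert per curl is expected from that instance alone; with 5-tuple hashing consecutive source ports alternate between the two slots, so a single instance would account for only half of the curls.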
