Hi Luca, Thanks for your quick reply!
Yes, the code in SVN seems to fix the issue for me. Here's some further detail: Our current stable packages work fine: - Snort 2.9.4.6 - PF_RING 5.5.3 + patch for negative index causing fragments to be dropped. Should be roughly equivalent to PF_RING 5.6.0 release. For background info, reference this thread: http://listgateway.unipi.it/mailman/private/ntop-misc/2013-June/003782.html Using this version of PF_RING 5.5.3/5.6.0, if I upgrade to Snort 2.9.5.3, snort goes to 100% CPU usage and drops all packets: Snort processed 0 packets. Snort ran for 0 days 0 hours 1 minutes 31 seconds Pkts/min: 0 Pkts/sec: 0 =============================================================================== Packet I/O Totals: Received: 0 Analyzed: 0 ( 0.000%) Dropped: 11246 (100.000%) Seems similar to what's described in this thread: http://listgateway.unipi.it/mailman/private/ntop-misc/2013-July/003855.html Looking at the date of Alfredo's conclusion to that thread, looks like the Snort issue may have been fixed in r6616 - trunk/PF_RING/userland/snort/pfring-daq-module? http://listgateway.unipi.it/mailman/private/ntop-dev/2013-July/011004.html If I then upgrade to PF_RING 5.6.1 SVN, snort seems to work fine (CPU usage is normal, packets are analyzed and alerts flowing). Is the current SVN considered stable enough that I can deploy it to my users? Thanks, Doug On Wed, Aug 28, 2013 at 5:18 PM, Luca Deri <[email protected]> wrote: > Doug, > we're making big changes to DNA/libzero so the next release will be a major > release. Hence for us it's ok to release 5.6.1 before such release. > > Did you check that the code in SVN has really fixed the issue? > > Regards Luca > > > On Aug 28, 2013, at 4:18 PM, Doug Burks <[email protected]> wrote: > >> Hello all, >> >> I'm getting ready to build and deploy packages for Snort 2.9.5.3, but >> it appears there is a bug when using Snort 2.9.5 and higher with the >> current PF_RING 5.6.0 release. Looking at ntop-dev and ntop-misc, it >> appears this bug was fixed on 7/20 in the 5.6.1 development version. >> >> When do you expect to release 5.6.1? >> >> Thanks! >> >> -- >> Doug Burks >> http://securityonion.blogspot.com >> _______________________________________________ >> Ntop-misc mailing list >> [email protected] >> http://listgateway.unipi.it/mailman/listinfo/ntop-misc > > _______________________________________________ > Ntop-misc mailing list > [email protected] > http://listgateway.unipi.it/mailman/listinfo/ntop-misc -- Doug Burks http://securityonion.blogspot.com _______________________________________________ Ntop-misc mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop-misc
