[Oisf-devel] 77b708=WIN?

Chris Wakelin c.d.wakelin at reading.ac.uk
Tue Sep 27 17:33:31 UTC 2011


On 27/09/11 15:33, Chris Wakelin wrote:
> I've just upgraded my campus network monitor to latest SVN
> (6bad2dbd7964a2e465ff4829022acf1e6c34062d) and PF_RING 5.1.0 (non-DNA).
> 
> I've applied two patches, my extended HTTP log one and Will's PF_RING
> "single" runmode (included in part of Bug 315) but with the same changes
> Anoop included in a844eecb0e115758eb87d515d37b9fcd877d2fec
> 
> I'm running with 6 threads and --runmode=single.
> 

I've found it's missing alerts in PF_RING but not pcap (suricata -r)
mode again :(

I've tried all three PF_RING runmodes, single, autofp and auto. The pcap
is a download of a "Possible Windows executable sent ASCII-hex-encoded"
file (ET rule 2012804). My pcaps of various Blackhole javascript
requests seem to work, though.

As far as I can see Eric's fix in Bug 315 should be equivalent to Will's
(https://redmine.openinfosecfoundation.org/issues/315) apart from a
change in the stats output.

(I'm actually using a script around

cat /proc/net/pf_ring/*-eth1.* |
gawk -F": " '/^Appl. Name/{appname=$2}
/^Tot Packets/&&appname=="Suricata"{pkts+=$2}
/^Tot Pkt Lost/&&appname=="Suricata"{lost+=$2}
END{print pkts "," lost}'

for stats; might get around to writing a proper program for this sometime!)

I've got "default-packet-size: 1522" but increasing it to 1530 makes no
difference.

Any ideas?

Best Wishes
Chris

-- 
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 2908
Whiteknights, Reading, RG6 6AF, UK              Fax: +44 (0)118 975 3094
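
Added example (not code from the post above, nor from the Suricata or PF_RING projects): a small POSIX shell script that generalises the gawk one-liner quoted in the message. It takes the stats directory, interface and application name as parameters instead of hard-coding /proc/net/pf_ring, eth1 and "Suricata", adds a loss percentage so a monitoring job can flag a ring that is dropping packets (one plausible cause of alerts that appear in pcap mode but not in live PF_RING mode), and builds constructed sample stats files so it runs offline. The field names "Appl. Name", "Tot Packets" and "Tot Pkt Lost" are those the post relies on; the assumption that "Tot Pkt Lost" is not already counted in "Tot Packets" is mine and is marked in the code.

```shell
#!/bin/sh
# Added example: summarise PF_RING per-ring counters for one application.
# Assumes the /proc/net/pf_ring/<pid>-<iface>.<ring> file layout and the
# "Appl. Name", "Tot Packets" and "Tot Pkt Lost" fields used in the post.

# pfring_stats STATSDIR IFACE APPNAME
#   Prints "packets,lost,loss_percent" summed over every ring that IFACE's
#   files attribute to APPNAME (rings owned by other tools are ignored).
pfring_stats() {
    dir=$1; iface=$2; app=$3
    cat "$dir"/*-"$iface".* 2>/dev/null |
    awk -F": " -v app="$app" '
        # Each file names its owner before its counters, so remember the
        # current application and only add counters that belong to it.
        /^Appl. Name/                       { appname = $2 }
        /^Tot Packets/  && appname == app   { pkts += $2 }
        /^Tot Pkt Lost/ && appname == app   { lost += $2 }
        END {
            # Assumption: lost packets are not included in "Tot Packets".
            total = pkts + lost
            pct = (total > 0) ? 100 * lost / total : 0
            printf "%d,%d,%.2f\n", pkts, lost, pct
        }'
}

# pfring_check STATSDIR IFACE APPNAME MAX_LOSS_PERCENT
#   Exit status 0 when the loss percentage is within the threshold,
#   1 otherwise; handy as the test in a cron job or Nagios-style probe.
pfring_check() {
    out=$(pfring_stats "$1" "$2" "$3")
    pct=${out##*,}
    awk -v p="$pct" -v max="$4" 'BEGIN { exit (p + 0 <= max + 0) ? 0 : 1 }'
}

# write_sample_stats DIR
#   Writes constructed stats files (sample data, not a real capture):
#   two Suricata rings and one ring owned by a different tool.
write_sample_stats() {
    mkdir -p "$1"
    printf '%s\n' 'Bound Device(s)    : eth1' 'Appl. Name         : Suricata' \
        'Tot Packets        : 200' 'Tot Pkt Lost       : 3' > "$1/4242-eth1.0"
    printf '%s\n' 'Bound Device(s)    : eth1' 'Appl. Name         : Suricata' \
        'Tot Packets        : 100' 'Tot Pkt Lost       : 2' > "$1/4242-eth1.1"
    printf '%s\n' 'Bound Device(s)    : eth1' 'Appl. Name         : tcpdump' \
        'Tot Packets        : 999' 'Tot Pkt Lost       : 50' > "$1/5151-eth1.0"
}

# Stand-alone demonstration on the constructed data; on a live sensor call
# pfring_stats /proc/net/pf_ring eth1 Suricata instead.
sample_dir=$(mktemp -d)
write_sample_stats "$sample_dir"
pfring_stats "$sample_dir" eth1 Suricata
pfring_check "$sample_dir" eth1 Suricata 5 && echo "loss within threshold"
rm -rf "$sample_dir"
```

The per-application filter matters because several tools can hold rings on the same interface at once; summing every file under the directory would blend their counters. When the summed loss is non-zero while alerts are missing only in live mode, the capture path rather than the detection engine is the first place to look.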