[Oisf-devel] 77b708=WIN?
Chris Wakelin
c.d.wakelin at reading.ac.uk
Tue Sep 27 17:33:31 UTC 2011
On 27/09/11 15:33, Chris Wakelin wrote:
> I've just upgraded my campus network monitor to latest SVN
> (6bad2dbd7964a2e465ff4829022acf1e6c34062d) and PF_RING 5.1.0 (non-DNA).
>
> I've applied two patches, my extended HTTP log one and Will's PF_RING
> "single" runmode (included in part of Bug 315) but with the same changes
> Anoop included in a844eecb0e115758eb87d515d37b9fcd877d2fec
>
> I'm running with 6 threads and --runmode=single.
>
I've found it's missing alerts in PF_RING but not pcap (suricata -r)
mode again :(
I've tried all three PF_RING runmodes, single, autofp and auto. The pcap
is a download of a "Possible Windows executable sent ASCII-hex-encoded"
file (ET rule 2012804). My pcaps of various Blackhole javascript
requests seem to work, though.
As far as I can see Eric's fix in Bug 315 should be equivalent to Will's
(https://redmine.openinfosecfoundation.org/issues/315) apart from a
change in the stats output.
(I'm actually using a script around

  cat /proc/net/pf_ring/*-eth1.* |
  gawk -F": " '/^Appl. Name/{appname=$2}
  /^Tot Packets/&&appname=="Suricata"{pkts+=$2}
  /^Tot Pkt Lost/&&appname=="Suricata"{lost+=$2}
  END{print pkts "," lost}'

for stats; might get around to writing a proper program for this sometime!)
I've got "default-packet-size: 1522" but increasing it to 1530 makes no
difference.
Any ideas?
Best Wishes
Chris
--
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin, c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading, Tel: +44 (0)118 378 2908
Whiteknights, Reading, RG6 6AF, UK Fax: +44 (0)118 975 3094
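A small Python program along the lines of the "proper program" mentioned in the post, added here as an illustration; it is not part of the original message, of Suricata or of PF_RING. It parses the "Label : value" layout of the per-socket files under /proc/net/pf_ring, sums the "Tot Packets" and "Tot Pkt Lost" counters for every ring owned by a given application (the same three labels the gawk script keys on), and reports a loss ratio. The sample file contents are constructed, the field values are hypothetical, and treating "Tot Packets" as the number of packets offered to the ring (so that lost/pkts is the drop fraction) is an assumption about PF_RING's counters, not something the post states.

```python
import glob
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample of three PF_RING per-socket stats files. Only the labels
# "Appl. Name", "Tot Packets" and "Tot Pkt Lost" are taken from the original
# post; every value is hypothetical. The third ring belongs to another
# application and must not be counted.
SAMPLE_RINGS: List[str] = [
    "Bound Device(s)    : eth1\n"
    "Appl. Name         : Suricata\n"
    "Bucket Len         : 1522\n"
    "Tot Packets        : 1500000\n"
    "Tot Pkt Lost       : 2500\n",
    "Bound Device(s)    : eth1\n"
    "Appl. Name         : Suricata\n"
    "Bucket Len         : 1522\n"
    "Tot Packets        : 1600000\n"
    "Tot Pkt Lost       : 0\n",
    "Bound Device(s)    : eth1\n"
    "Appl. Name         : pfcount\n"
    "Tot Packets        : 99\n"
    "Tot Pkt Lost       : 99\n",
]

# One "Label : value" line; tolerant of the column padding around the colon.
_LINE = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<val>.*?)\s*$")


def parse_ring(text: str) -> Dict[str, str]:
    """Turn one stats file into a dict keyed by the label text."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            fields[m.group("key")] = m.group("val")
    return fields


def summarise(rings: Iterable[str], appname: str = "Suricata") -> Tuple[int, int]:
    """Sum the received and lost counters over all rings owned by appname."""
    pkts = lost = 0
    for text in rings:
        f = parse_ring(text)
        if f.get("Appl. Name") != appname:
            continue  # ring belongs to some other capture process
        pkts += int(f.get("Tot Packets", "0"))
        lost += int(f.get("Tot Pkt Lost", "0"))
    return pkts, lost


def loss_ratio(pkts: int, lost: int) -> float:
    """Fraction of offered packets the ring dropped; 0.0 when nothing was seen.

    Assumes "Tot Packets" counts packets offered to the ring, lost ones
    included (an assumption about PF_RING's counters, not from the post).
    """
    return lost / pkts if pkts else 0.0


def read_proc_rings(pattern: str = "/proc/net/pf_ring/*-eth1.*") -> List[str]:
    """Read the live stats files matching the glob used in the post."""
    texts = []
    for path in sorted(glob.glob(pattern)):
        with open(path, "r", encoding="ascii", errors="replace") as fh:
            texts.append(fh.read())
    return texts


if __name__ == "__main__":
    # Fall back to the constructed sample when no PF_RING files exist here.
    rings = read_proc_rings() or SAMPLE_RINGS
    pkts, lost = summarise(rings)
    print(f"{pkts},{lost}  loss={loss_ratio(pkts, lost):.4%}")
```

Run it on a sensor with PF_RING loaded and it reads the real files; anywhere else it falls back to the constructed sample. A non-zero loss ratio is the first thing to rule out when alerts appear in `suricata -r` runs of a pcap but not on the live PF_RING capture.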