Hi Doug

On Jun 1, 2013, at 6:59 AM, Doug Burks <[email protected]> wrote:

> Hello all,
>
> I recently packaged PF_RING 5.5.3 for my Security Onion distro:
> http://securityonion.blogspot.com/2013/05/pfring-553-packages-now-available.html
>
> Perhaps I'm missing something, but I'm seeing some behavior I don't
> remember seeing in 5.5.2 or previous versions of PF_RING.
>
> Here are my testing parameters:
> - starting off with a good test, if I run just one instance of snort,
>   I get an alert from rule 2100498 for EACH time I run "curl testmyids.com"
> - if I increase to two instances of snort with the same cluster-id, I
>   get NO alerts when running "curl testmyids.com"
> - if I set the daq clustermode to 2, I get NO alerts when running
>   "curl testmyids.com". (Does clustermode default to 2 if not
>   specified?)

Yes, this is the default.

> - if I set the daq clustermode to 4, I get an alert for EVERY OTHER
>   "curl testmyids.com" (if I do 10 curls, I only get 5 alerts).

I am not a snort expert, but the default is per-IP balancing, so it must
work; otherwise we have a bug. I suggest you capture traffic with an app
such as pfdump that is cluster aware and see what traffic the app received.

Regards
Luca

> Here are the PF_RING entries in my snort.conf including the
> clustermode variable that I'm testing:
> config daq: pfring
> config daq_dir: /opt/pfring/lib/daq
> config daq_var: clusterid=51
> #config daq_var: clustermode=4
>
> Here are my snort command lines:
>
> snort -c /etc/nsm/HOSTNAME-eth1/snort.conf -u sguil -g sguil -i eth1
> -F /etc/nsm/HOSTNAME-eth1/bpf-ids.conf -l
> /nsm/sensor_data/HOSTNAME-eth1/snort-1 --perfmon-file
> /nsm/sensor_data/HOSTNAME-eth1/snort-1.stats -U -m 112
>
> snort -c /etc/nsm/HOSTNAME-eth1/snort.conf -u sguil -g sguil -i eth1
> -F /etc/nsm/HOSTNAME-eth1/bpf-ids.conf -l
> /nsm/sensor_data/HOSTNAME-eth1/snort-2 --perfmon-file
> /nsm/sensor_data/HOSTNAME-eth1/snort-2.stats -U -m 112
>
> Have I missed something? Has anybody else experienced this? What can
> I do to troubleshoot this?
>
> Thanks!
>
> --
> Doug Burks
> http://securityonion.blogspot.com
> _______________________________________________
> Ntop-misc mailing list
> [email protected]
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
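Added illustration (not part of the thread, and not PF_RING or Snort DAQ code): a small Python model of the two balancing modes Doug is toggling, per-IP-pair hashing versus full 5-tuple hashing, applied to a constructed series of "curl" connections. The hash used here is a deliberately simple symmetric sum, not the hash PF_RING actually implements; the addresses, ports, and the two-slot cluster are assumptions. What carries over is the balancing behaviour: per-IP-pair mode sends every connection between the same client and server to one slot, 5-tuple mode spreads consecutive connections across slots, and in both modes each direction of a connection lands in the same slot. The last function counts how many of the 10 connections reach a slot with a working inspector, which is the quantity to compare against pfdump output on each cluster slot.

```python
"""Toy model of cluster balancing across Snort instances sharing a cluster id.

Constructed example; NOT PF_RING's real hash. Mode numbers follow the thread:
2 = balance on the IP pair ("per IP"), 4 = balance on the full 5-tuple.
"""
import ipaddress
from collections import Counter

# Assumed (constructed) endpoints: a client running curl and a web server.
CLIENT = "192.0.2.10"
SERVER = "198.51.100.80"
N_SLOTS = 2  # two snort instances with the same cluster-id


def _ip_int(addr: str) -> int:
    return int(ipaddress.ip_address(addr))


def flow_key(src_ip, src_port, dst_ip, dst_port, proto, mode):
    """Direction-independent tuple of the fields a mode hashes on.

    Sorting the two endpoints makes A->B and B->A produce the same key,
    so request and response of one connection reach the same slot.
    """
    a, b = (_ip_int(src_ip), src_port), (_ip_int(dst_ip), dst_port)
    lo, hi = sorted((a, b))
    if mode == 2:              # IP pair only
        return (lo[0], hi[0])
    if mode == 4:              # IPs, ports and protocol
        return (lo[0], lo[1], hi[0], hi[1], proto)
    raise ValueError(f"unsupported clustermode {mode}")


def slot_for(pkt, mode, n_slots=N_SLOTS):
    """Simplified symmetric hash: sum of the key fields modulo slot count."""
    return sum(flow_key(*pkt, mode)) % n_slots


def curl_session_packets(client, server, first_port, n_conn):
    """One request and one response packet per curl run; each run picks
    the next ephemeral source port, as a real client would."""
    pkts = []
    for i in range(n_conn):
        sport = first_port + i
        pkts.append((client, sport, server, 80, 6))   # client -> server
        pkts.append((server, 80, client, sport, 6))   # server -> client
    return pkts


def slot_counts(pkts, mode, n_slots=N_SLOTS):
    """How many packets each slot (snort instance) would receive."""
    return Counter(slot_for(p, mode, n_slots) for p in pkts)


def directions_consistent(pkts, mode, n_slots=N_SLOTS):
    """True if every packet and its reverse direction hash to one slot."""
    return all(
        slot_for(p, mode, n_slots)
        == slot_for((p[2], p[3], p[0], p[1], p[4]), mode, n_slots)
        for p in pkts
    )


def connections_inspected(pkts, mode, alive_slots, n_slots=N_SLOTS):
    """Count connections (request packets, dst port 80) that land on a slot
    whose inspector is actually working; the rest would never alert."""
    return sum(
        1 for p in pkts
        if p[3] == 80 and slot_for(p, mode, n_slots) in alive_slots
    )


# Constructed input: ten curl runs from the client to the server.
PKTS = curl_session_packets(CLIENT, SERVER, first_port=40000, n_conn=10)

if __name__ == "__main__":
    for mode in (2, 4):
        print(f"clustermode={mode}: per-slot packet counts",
              dict(slot_counts(PKTS, mode)),
              "directions consistent:", directions_consistent(PKTS, mode))
    print("5-tuple mode, only slot 0 inspecting:",
          connections_inspected(PKTS, 4, {0}), "of 10 connections seen")
```

Usage: run the file as-is. With per-IP-pair balancing all 20 packets go to a single slot, so one instance sees every curl and the other sees nothing; with 5-tuple balancing the ten connections split five and five, and if only one of the two slots has a working inspector, exactly five of ten connections are inspected. That pattern is one thing to check for when comparing what each cluster-aware pfdump instance captured against the alerts Snort produced.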
