From frank at snortsam.net Sun May 3 09:01:18 2009
From: frank at snortsam.net (Frank Knobbe)
Date: Sun, 03 May 2009 08:01:18 -0500
Subject: [Snortsam-discussion] Snortsam with preprocessor
In-Reply-To: <1241036625.4005.84.camel@tgs-laptop>
References: <1241036625.4005.84.camel@tgs-laptop>
Message-ID: <1241355678.57816.5.camel@localhost>

On Wed, 2009-04-29 at 17:23 -0300, Tiago Giovanaz da Silva wrote:
> Can I use snortsam to block alerts from a preprocessor?
>
> I need to use the Conficker preprocessor
> (http://mtc.sri.com/Conficker/contrib/plugin.html)

No. By default, Snortsam only blocks on rules, not on any preprocessor logins. That said, someone had modified the Snortsam plugin to work with the portscan preproc and it apparently worked.

The problem with preprocessors is that you will have to hard code which IP you want to block (src or dst) at the moment. Maybe in the future a gen-block.map could be added to allow for blocking of gen_id/sig_id pairs (and picking src or dst).

Regards,
Frank


From frank at snortsam.net Sun May 3 11:36:34 2009
From: frank at snortsam.net (Frank Knobbe)
Date: Sun, 03 May 2009 10:36:34 -0500
Subject: [Snortsam-discussion] Threading problems with Snortsam on FreeBSD 7.1
Message-ID: <1241364994.57816.9.camel@localhost>

Heads up, there appear to be problems with Snortsam and multi-threading under FreeBSD 7.1. Using "makesnortsam.sh" provides the option to use pthread or libc_r. libc_r most certainly has issues with multi-threading now. But it also appears that Snortsam has issues with the pthread lib. For example, on a USR1 signal, Snortsam will only reinstate one IP and then hang when using libc_r. When compiled against pthread, Snortsam will happily reinstate existing blocks, but it appears that the threads of the plugins don't always fire, or seriously lag behind. I'm currently investigating what's going on. If you have any additional information on Snortsam under FreeBSD 7.1 and threading issues, please let me know.

Thanks,
Frank


From frank at snortsam.net Sun May 3 12:12:10 2009
From: frank at snortsam.net (Frank Knobbe)
Date: Sun, 03 May 2009 11:12:10 -0500
Subject: [Snortsam-discussion] Threading problems with Snortsam on FreeBSD 7.1
In-Reply-To: <1241364994.57816.9.camel@localhost>
References: <1241364994.57816.9.camel@localhost>
Message-ID: <1241367130.57816.12.camel@localhost>

Update: Snortsam seems to run great when using the 4BSD scheduler in your kernel. Switching to ULE (default for FBSD 7.1) causes problems. So, I'd suggest you stick with 4BSD until this issue is figured out (either on Snortsam's side or on FBSD's side).

Regards,
Frank

On Sun, 2009-05-03 at 10:36 -0500, Frank Knobbe wrote:
> Heads up, there appear to be problems with Snortsam and multi-threading
> under FreeBSD 7.1. Using "makesnortsam.sh" provides the option to use
> pthread or libc_r. libc_r most certainly has issues with multi-threading
> now. But it also appears that Snortsam has issues with the pthread lib.
> For example, on a USR1 signal, Snortsam will only reinstate one IP and
> then hang when using libc_r. When compiled against pthread, Snortsam
> will happily reinstate existing blocks, but it appears that the threads
> of the plugins don't always fire, or seriously lag behind. I'm currently
> investigating what's going on. If you have any additional information on
> Snortsam under FreeBSD 7.1 and threading issues, please let me know.


From frank at snortsam.net Mon May 4 11:24:26 2009
From: frank at snortsam.net (Frank Knobbe)
Date: Mon, 04 May 2009 10:24:26 -0500
Subject: [Snortsam-discussion] Threading problems with Snortsam on FreeBSD 7.1
In-Reply-To: <1241367130.57816.12.camel@localhost>
References: <1241364994.57816.9.camel@localhost> <1241367130.57816.12.camel@localhost>
Message-ID: <1241450666.47334.5.camel@localhost>

On Sun, 2009-05-03 at 11:12 -0500, Frank Knobbe wrote:
> Snortsam seems to run great when using the 4BSD scheduler in your
> kernel. Switching to ULE (default for FBSD 7.1) causes problems. So, I'd
> suggest you stick with 4BSD until this issue is figured out (either on
> Snortsam's side or on FBSD's side).

Update to the update: The problem of plugin threads executing very slowly exists with both schedulers. With ULE, it is apparent immediately. With 4BSD sched, plugin threads slow down after less activity. This was observed issuing a reload (USR1 signal) and watching Snortsam add ipfilter rules. This could also be an issue with ipf under FBSD 7.1, though my main suspect is the threading library. Note that this is present using libpthread under both schedulers, and libc_r under 4BSD. libc_r under ULE is a bad combination in general.

So, if you notice threading issues under FBSD 7.1, use "nothreads" in the Snortsam config to disable multi-threading. I haven't tested FBSD 7.2 yet, but will shortly.

If anyone with strong experience with POSIX threads would like to assist by checking the source code, that would be very much welcomed. The only thing I can guess is that perhaps usleep doesn't give time back like it used to.

Regards,
Frank


From frank at snortsam.net Sat May 9 15:55:24 2009
From: frank at snortsam.net (Frank Knobbe)
Date: Sat, 09 May 2009 14:55:24 -0500
Subject: [Snortsam-discussion] Threading problems with Snortsam on FreeBSD 7.1 -- SOLVED. UPDATE NOW.
In-Reply-To: <1241450666.47334.5.camel@localhost>
References: <1241364994.57816.9.camel@localhost> <1241367130.57816.12.camel@localhost> <1241450666.47334.5.camel@localhost>
Message-ID: <1241898924.55842.3.camel@localhost>

The multi-threading issue that surfaced (with me) under FreeBSD 7.1 using the ULE scheduler, but likely any version using ULE, has now been identified and fixed. Why the heck I put a mutex around usleep I don't remember.

The patch has been committed to CVS. That brings Snortsam to version 2.59. If you are tracking the code via CVS, you are very much encouraged to update.

Matt, please roll a new tar ball from the code in CVS and update any binaries, if you still offer those.

Regards,
Frank
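The root cause Frank names in the last message (a mutex held around usleep) is easy to reproduce outside Snortsam. The following is an added illustration, not Snortsam's code: four constructed "plugin" threads each sleep 200 ms, once with the mutex held across the sleep (the bug pattern, where the threads queue up one after another) and once with the sleep outside the lock (the fix), and a launcher reports how many threads were asleep at the same time.

```c
#define _DEFAULT_SOURCE          /* exposes usleep() on glibc/musl */
#include <pthread.h>
#include <unistd.h>

#define NTHREADS 4               /* constructed: four plugin threads */
#define SLEEP_US 200000          /* constructed: 200 ms per plugin action */
static pthread_mutex_t plugin_lock = PTHREAD_MUTEX_INITIALIZER; /* the suspect mutex */
static pthread_mutex_t stats_lock  = PTHREAD_MUTEX_INITIALIZER; /* instrumentation only */
static int in_sleep, max_in_sleep;

/* Instrumentation: how many threads are inside usleep() at the same time. */
static void sleeping(int delta) {
    pthread_mutex_lock(&stats_lock);
    in_sleep += delta;
    if (in_sleep > max_in_sleep) max_in_sleep = in_sleep;
    pthread_mutex_unlock(&stats_lock);
}

/* Bug pattern: the mutex stays held across usleep(), so every other plugin
 * thread blocks on it until this one wakes; N threads cost N * SLEEP_US. */
static void *worker_mutex_around_sleep(void *arg) {
    (void)arg;
    pthread_mutex_lock(&plugin_lock);
    sleeping(+1); usleep(SLEEP_US); sleeping(-1);
    pthread_mutex_unlock(&plugin_lock);
    return NULL;
}

/* Fixed pattern: hold the lock only for the shared-state update and sleep
 * outside it, so all plugin threads wait concurrently. */
static void *worker_sleep_unlocked(void *arg) {
    (void)arg;
    pthread_mutex_lock(&plugin_lock);   /* ...update shared state here... */
    pthread_mutex_unlock(&plugin_lock);
    sleeping(+1); usleep(SLEEP_US); sleeping(-1);
    return NULL;
}

/* Runs NTHREADS workers and returns the peak number asleep at once:
 * exactly 1 for the bug pattern, up to NTHREADS for the fixed one. */
int peak_concurrent_sleepers(void *(*worker)(void *)) {
    pthread_t t[NTHREADS];
    in_sleep = max_in_sleep = 0;
    for (int i = 0; i < NTHREADS; i++)
        pthread_create(&t[i], NULL, worker, NULL);
    for (int i = 0; i < NTHREADS; i++)
        pthread_join(t[i], NULL);
    return max_in_sleep;
}
```

With the mutex around the sleep the peak is always 1, which is the "plugin threads lag behind" symptom from the earlier messages: a reload that should take one sleep interval takes one interval per queued plugin.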