From: Joey M. <ix...@cf...> - 2004-12-23 13:52:56
Sorted! Running snort_inline as root (eliminating the '-u snort_inline -g snort_inline' from the cmd line in /etc/conf.d/snort_inline) seems to be working so far! I think you are right in the GRSecurity thing because I do utilize the randomize PIDs feature.

Are there any downfalls to running snort_inline as root?

Cheers!

> I've seen the mismatched snort_inline pid and /proc/net/ip_queue Peer pid
> on kernels with grsecurity enabled, and it seems to still work fine for
> some reason. I think it has something to do with pid randomization, but I
> really haven't had time to look into it. Are you getting kern messages in
> syslog about ipq peer termination or anything? If you are running grsec, I
> would look elsewhere.
>
> Regards,
>
> Will
>
> "Joey McCoy" <ix...@cf...>
> Sent by: snort-inline-users-...@li...urceforge.net
> 12/22/2004 11:37 AM
> To: sno...@li...urceforge.net
> cc:
> Subject: [Snort-inline-users] Snort_inline, /proc/net/ip_queue problem
>
> I've been using Gentoo and snort_inline-2.1.1 for quite a while now, but
> all of a sudden snort_inline wasn't handling queued packets. I
> investigated further to find out that snort_inline's PID does not match
> the Peer PID in /proc/net/ip_queue. I've tried manually compiling
> snort-2.1.1, no go. I've even uninstalled Gentoo's snort_inline and libnet,
> installed libnet-1.0.2a from source as well as snort_inline-2.2.0a, but
> still same problem.
>
> I did have this problem before, but discovered that manually starting
> snort_inline had fixed it. Why it's cropped up again, I do not know.
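The PID comparison discussed in this thread, as an added example that is not part of the original messages: it reads the "Peer PID" field from an ip_queue status file and compares it with an expected PID. The function names and the sample status text are constructed for illustration; the status file path is a parameter so the check also runs against a saved copy.

```shell
#!/bin/sh
# Added example (not from the thread): compare a daemon's PID with the
# "Peer PID" reported in an ip_queue status file such as /proc/net/ip_queue.
# Function names are hypothetical.

# Print the Peer PID field from the status file given as $1.
ipq_peer_pid() {
    awk -F: '/^Peer PID/ { gsub(/[ \t]/, "", $2); print $2; exit }' "$1"
}

# ipq_check STATUS_FILE EXPECTED_PID
# Returns 0 on match, 1 on mismatch, 2 when no peer is registered
# or the file cannot be read.
ipq_check() {
    peer=$(ipq_peer_pid "$1" 2>/dev/null)
    if [ -z "$peer" ] || [ "$peer" = "0" ]; then
        echo "no ip_queue peer registered: nothing is reading the queue"
        return 2
    fi
    if [ "$peer" = "$2" ]; then
        echo "ok: ip_queue peer pid $peer matches"
        return 0
    fi
    echo "mismatch: ip_queue peer pid is $peer, expected $2"
    return 1
}

# Offline run against a constructed sample of the status file.
sample=$(mktemp)
printf 'Peer PID          : 4242\nCopy mode         : 2\nQueue length      : 0\n' > "$sample"
ipq_check "$sample" 4242
ipq_check "$sample" 31337 || true   # mismatch case, as reported in the thread
rm -f "$sample"
```

On a live system the call would be `ipq_check /proc/net/ip_queue "$(pidof snort_inline)"`. As the quoted reply notes, a mismatch has been seen on grsecurity kernels while queuing still worked, so syslog should be checked as well before treating a mismatch as the cause.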