Not using PCAP_FRAMES explained (in Snort)

Seeing the message "Not Using PCAP_FRAMES" when starting Snort does not affect Snort's normal operation. It appears because Snort was not linked against Phil Woods's libpcap at compile time; PCAP_FRAMES is an environment variable that sets the size of libpcap's ring buffer. The message can be suppressed by setting the environment variable PCAP_FRAMES=max. For most users this message has no practical significance unless they are using that particular libpcap implementation.


When starting Snort, it prints: Not using PCAP_FRAMES

I looked up some material online; the most classic is the post below, from

http://leonward.wordpress.com/2008/07/18/not-using-pcap_frames-aka-when-good-verbosity-goes-bad/

There is also a Chinese translation of it, so I will not explain it myself and just copy it over directly:


The Chinese version:

*********************************************************************************************

Snort error: Not Using PCAP_FRAMES
1. Recently I have been doing test installations of Snort and BASE. After installing BASE, running
./snort -c /etc/snort/snort.conf
always produces: Not Using PCAP_FRAMES. It seems to have no effect on Snort running normally, but why does this happen?
http://leonward.wordpress.com/2008/07/18/not-using-pcap_frames-aka-when-good-verbosity-goes-bad/ explains it in some detail.
Simply put, the above error appears because the location of libpcap's lib library was not added when compiling Snort, and PCAP_FRAMES is an environment variable for setting libpcap's lib library. From the code's point of view, not setting PCAP_FRAMES does not affect Snort's operation, because when PCAP_FRAMES is not loaded it only emits the default LogMessage.
This is where the code shows it:
    /* Snort's LogMessage() is an informational logger; neither branch is an error path. */
    if (getenv("PCAP_FRAMES"))
    {
        LogMessage("Using PCAP_FRAMES = %s\n", getenv("PCAP_FRAMES"));
    }
    else
    {
        LogMessage("Not Using PCAP_FRAMES\n");
    }
So, all in all, the appearance of Not Using PCAP_FRAMES has no effect on Snort, but we can change it by setting a variable:
The command is export PCAP_FRAMES=max, and then the message above no longer appears.
Build 1>
           Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 12>
           Preprocessor Object: SF_SSLPP  Version 1.1  <Build 3>
           Preprocessor Object: SF_DCERPC  Version 1.1  <Build 5>
           Preprocessor Object: SF_SMTP  Version 1.1  <Build 8>
           Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 2>
           Preprocessor Object: SF_DNS  Version 1.1  <Build 3>
           Preprocessor Object: SF_SSH  Version 1.1  <Build 2>
Using PCAP_FRAMES = max
*** Caught Usr-Signal: 'Rotate Stats' 
Actually, whether you set it or not makes little difference. It does not affect Snort's normal operation.

 

***********************************************************************************

The English version:

***********************************************************************************

 

 


The same questions get posted again and again to the Snort forums, at the moment this is the most frequently misunderstood, and asked question that catches my eye.

Help !!!!!!!!
Snort doesn’t work !
It dies with a “Not Using PCAP_FRAMES” error message.
Quick, quick help me now!

I’m ranting about this here so hopefully when people google the “Not using PCAP_FRAMES” message before blindly posting to the forums or mail lists for help (I know, I can dream), maybe this post will appear in their search results solving their non-issue.

What is an error message?

Let’s look at real error messages first, unlike the above.

--== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /this/rules/file/does/not/exist
ERROR: Unable to open rules file: /this/rules/file/does/not/exist or /this/rules/file/does/not//this/rules/file/does/not/exist
Fatal Error, Quitting..

The error condition above is clearly identified, other messages not prefixed with “ERROR” are supporting messages to help a user understand what the system is doing. This rule holds true with most software and not Snort alone.

What is a PCAP_FRAME?

PCAP_FRAMES is an environment variable that is used to pass a configuration setting to a custom pcap library, specifically the code by Phil Woods (Nice job by the way Phil). If you have not built snort against Phil’s libpcap that supports pcap ring buffers in shared memory, PCAP_FRAMES means absolutely NOTHING to you, zip, nout, fsck all, nada.

If you are unsure if you have built Snort against Phil’s libpcap or a stock distribution, then trust me you’re using a stock libpcap.

For those who are interested, PCAP_FRAMES defines a size (in frames) of a pcap ring-buffer in shared memory.

Are you sure? It looks like Snort stops with this as an error.

Yes I’m sure, and I find your lack of faith disturbing. Let’s look at the code in snort.c to check.

    /* Snort's LogMessage() is an informational logger; neither branch is an error path. */
    if (getenv("PCAP_FRAMES"))
    {
        LogMessage("Using PCAP_FRAMES = %s\n", getenv("PCAP_FRAMES"));
    }
    else
    {
        LogMessage("Not Using PCAP_FRAMES\n");
    }

If the environment variable PCAP_FRAMES is set, it shows the value to the user during Snort initialization. If the environment variable is not set, it tells the user that PCAP_FRAMES is not being used.

For example, I’ll start up snort as a sniffer on my Mac with a stock libpcap.

[09:12:32]lward@drax~$ sudo snort -vdei en0 > /dev/null
Password:
Running in packet dump mode
-snip verbose startup output-
,,_     -*> Snort! <*-
o"  )~   Version 2.8.0.2 (Build 75)
''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2007 Sourcefire Inc., et al.
Using PCRE version: 7.6 2008-01-28
Not Using PCAP_FRAMES
^C*** Caught Int-Signal
==============================================================
Packet Wire Totals:

-SNIP-

Here Snort has started up and was sniffing without error (until I hit CTRL+C). Now let’s set PCAP_FRAMES to some garbage, because it will have no effect on Snort’s behavior or my stock libpcap.

bash-3.2# export PCAP_FRAMES="Foo Bar This setting has no impact on my libpcap instance"
bash-3.2# snort -dvei en0 > /dev/null
Running in packet dump mode
--== Initializing Snort ==--
Initializing Output Plugins!
Verifying Preprocessor Configurations!
Initializing Network Interface en0
OpenPcap() device en0 network lookup:
en0: no IPv4 address assigned
Decoding Ethernet on interface en0
--== Initialization Complete ==--
 ,,_     -*> Snort! <*-
o"  )~   Version 2.8.0.2 (Build 75)
 ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2007 Sourcefire Inc., et al.
Using PCRE version: 7.6 2008-01-28
Using PCAP_FRAMES = Foo Bar This setting has no impact on my libpcap instance
 ^C*** Caught Int-Signal
 ===================================

So in summary, this verbose message has no meaning to most users of Snort. If you are running Snort as an IDS but not in daemon mode, don’t expect to see anything on STDOUT until you stop the process (hit CTRL+C to send a SIGINT).

As always, happy Snortin’
-Leon

Written by leonward, July 18, 2008 at 6:13 pm. Posted in Security, tagged with snort.

**********************************************************************************
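The post above makes two points worth automating: Snort signals real failures with lines prefixed "ERROR" or "Fatal Error", and the PCAP_FRAMES lines are informational no matter what the variable holds. The following Python script is an added example written for this page, not code from the post or from the Snort project; it applies that prefix convention to startup output so a wrapper or monitoring job can decide whether Snort actually failed to initialise instead of alarming on the "Not Using PCAP_FRAMES" line. The two transcripts are constructed from the messages quoted above, and the function names are my own.

```python
import re

# Constructed sample transcripts modelled on the messages quoted in the post
# (not captures from a real sensor).
HEALTHY_STARTUP = """\
Running in packet dump mode
--== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
--== Initialization Complete ==--
Using PCRE version: 7.6 2008-01-28
Not Using PCAP_FRAMES
"""

FAILED_STARTUP = """\
--== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /this/rules/file/does/not/exist
ERROR: Unable to open rules file: /this/rules/file/does/not/exist
Fatal Error, Quitting..
"""

# Snort 2.x marks genuine failures with one of these prefixes at line start.
ERROR_PREFIX = re.compile(r"^\s*(ERROR|Fatal Error)\b")
# Both PCAP_FRAMES messages are emitted by LogMessage() and are informational.
PCAP_FRAMES_MSG = re.compile(r"^\s*(Not Using PCAP_FRAMES|Using PCAP_FRAMES = .*)\s*$")


def classify_line(line: str) -> str:
    """Return 'error', 'pcap_frames' or 'info' for one line of startup output."""
    if ERROR_PREFIX.match(line):
        return "error"
    if PCAP_FRAMES_MSG.match(line):
        return "pcap_frames"
    return "info"


def triage_startup(output: str) -> dict:
    """Summarise a startup transcript: whether it failed and which lines say why.

    The PCAP_FRAMES lines are reported separately so they can be shown to an
    operator without ever counting towards the failure decision.
    """
    errors = []
    pcap_frames_lines = []
    for line in output.splitlines():
        kind = classify_line(line)
        if kind == "error":
            errors.append(line.strip())
        elif kind == "pcap_frames":
            pcap_frames_lines.append(line.strip())
    return {
        "failed": bool(errors),
        "errors": errors,
        "pcap_frames": pcap_frames_lines,
    }


if __name__ == "__main__":
    for name, transcript in (("healthy", HEALTHY_STARTUP), ("failed", FAILED_STARTUP)):
        result = triage_startup(transcript)
        print(f"{name}: failed={result['failed']}")
        for msg in result["errors"]:
            print(f"  error line: {msg}")
        for msg in result["pcap_frames"]:
            print(f"  informational: {msg}")
```

In a real wrapper the exit status of the Snort process is the primary signal; this classifier is for the case where only the captured output is available, and it reproduces the post's rule that a "Using PCAP_FRAMES = ..." line, garbage value or not, is never a failure.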

 

Experiment result:


   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.5.2 (Build 121)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2009 Sourcefire, Inc., et al.
           Using PCRE version: 8.02 2010-03-19

Using PCAP_FRAMES = max

04/18-18:26:52.583012 172.26.75.115:34474 -> 211.100.26.77:80
TCP TTL:64 TOS:0x0 ID:2852 IpLen:20 DgmLen:60 DF
******S* Seq: 0x296C94FF  Ack: 0x0  Win: 0x16D0  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 8429531 0 NOP WS: 6

 

 

 

 
