Snort mailing list archives
Compiling with gcc.
From: "Fallon, Benjamin" <bfallon () Businessedge com>
Date: Sun, 3 Feb 2002 20:56:53 -0500
Hello all. I'm a new subscriber but just wanted to submit a quick tip that I used when I compiled with gcc. At first it kept having problems with gcc but after executing the following, everything seemed to work fine. I've installed snort on many platforms so far that use gcc as the compiler. first: CC = gcc second: export CC Hope this helps someone else that might run into the same problems with gcc. Works with all versions (even the broken ones). -----Original Message----- From: snort-users-request () lists sourceforge net [mailto:snort-users-request () lists sourceforge net] Sent: Saturday, February 02, 2002 10:34 PM To: snort-users () lists sourceforge net Subject: Snort-users digest, Vol 1 #1544 - 10 msgs Send Snort-users mailing list submissions to snort-users () lists sourceforge net To subscribe or unsubscribe via the World Wide Web, visit https://lists.sourceforge.net/lists/listinfo/snort-users or, via email, send a message with subject or body 'help' to snort-users-request () lists sourceforge net You can reach the person managing the list at snort-users-admin () lists sourceforge net When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..." Today's Topics: 1. Re: snort-1.8.3 compile with GCC.....!!!! (Ralf Hildebrandt) 2. Re: snort-1.8.3 compile with GCC.....!!!! (Fyodor) 3. RE: Customization of rules (Russell Fulton) 4. Re: 1.8.4-beta1 feedback? (Phil Wood) 5. snort 1.8.4b1 dumping core (Kris Kennaway) 6. Newbie: Snort Configuration (Jeff Elkins) 7. Re: Newbie: Snort Configuration (Jeff Elkins) 8. Re: snort 1.8.4b1 dumping core (Martin Roesch) 9. Re: snort 1.8.4b1 dumping core (Kris Kennaway) 10. Snort on W2K Server (Jeff Jennings) --__--__-- Message: 1 Date: Sat, 2 Feb 2002 11:39:22 +0100 From: Ralf Hildebrandt <Ralf.Hildebrandt () charite de> To: snort-users () lists sourceforge net Subject: Re: [Snort-users] snort-1.8.3 compile with GCC.....!!!! On Fri, Feb 01, 2002 at 05:37:19PM -0500, PAD HOSMANE wrote:
Sorry guys i am asking too much, excuse me please i am not an
programmer. Never mind.
Finally i was able to run configure successfully with gcc. Now i am
getting
error while linking. Error is given below. I tried with Libnet 1.0.2a and libnet 1.0.1, both of them gave the same error. SHLIB_PATH, LD_LIBRARY_PATH, PATH are set. Any inputs will be
greatly
appreciated. Thanks. gcc -g -O2 -Wall -DENABLE_RESPONSE -DLIBNET_BIG_ENDIAN -L/opt/libpcap/lib
-
L/opt/mysql/lib/mysql -L/usr/local/ssl/lib -o snort snort.o log.o
decode.o
mstring.o rules.o plugbase.o sp_pattern_match.o sp_tcp_flag_check.o sp_icmp_type_check.o sp_icmp_code_check.o sp_ttl_check.o sp_ip_id_check.o sp_tcp_ack_check.o sp_tcp_seq_check.o sp_dsize_check.o spp_http_decode.o spp_portscan.o sp_ipoption_check.o sp_rpc_check.o sp_icmp_id_check.o sp_icmp_seq_check.o sp_respond.o spo_alert_syslog.o spo_log_tcpdump.o spo_database.o sp_session.o spp_defrag.o parser.o spo_alert_fast.o spo_alert_full.o spo_alert_smb.o spo_alert_unixsock.o sp_react.o
spo_xml.o
sp_ip_tos_check.o snprintf.o checksum.o spp_tcp_stream2.o sp_reference.o sp_ip_fragbits.o spp_anomsensor.o tag.o spp_unidecode.o codes.o
strlcpyu.o
strlcatu.o debug.o sp_tcp_win_check.o spp_rpc_decode.o spp_bo.o spp_telnet_negotiation.o spo_csv.o sp_ip_same_check.o sp_priority.o sp_ip_proto.o ubi_BinTree.o ubi_SplayTree.o spo_unified.o spp_stream4.o spp_frag2.o spp_arpspoof.o spo_idmef.o spo_SnmpTrap.o po_log_null.o -lpcap -lm -lnsl -lmysqlclient -lssl -lcrypto -lnet /usr/ccs/bin/ld: (Warning) At least one PA 2.0 object file (/usr/local/ssl/lib/libssl.a(t1_clnt.o)) was detected. The linked output
may
not run on a PA 1.x system. /usr/ccs/bin/ld: Unsatisfied symbols: libnet_error (first referenced in sp_respond.o) (code) libnet_build_icmp_unreach (first referenced in sp_respond.o) (code) libnet_write_ip (first referenced in sp_respond.o) (code) libnet_build_ip (first referenced in sp_respond.o) (code) libnet_build_tcp (first referenced in sp_respond.o) (code) libnet_open_raw_sock (first referenced in sp_respond.o) (code) libnet_init_packet (first referenced in sp_respond.o) (code) libnet_do_checksum (first referenced in sp_respond.o) (code) libnet_destroy_packet (first referenced in sp_react.o) (code) libnet_get_prand (first referenced in sp_respond.o) (code)
Run "nm" on the libnet.* libraries. Does that list the symbols unsatisfied above? -- Ralf Hildebrandt (Im Auftrag des Referat V A) Ralf.Hildebrandt () charite de Charite Campus Virchow-Klinikum Tel. +49 (0)30-450 570-155 Referat V A - Kommunikationsnetze - Fax. +49 (0)30-450 570-916 During the million-dollar BIND 9 rewrite, Paul Vixie characterized the original BIND code as 'sleazeware produced in a drunken fury by a bunch of U C Berkeley grad students.' -- D.J. Bernstein --__--__-- Message: 2 Date: Sun, 3 Feb 2002 00:02:11 +0700 From: Fyodor <fygrave () tigerteam net> To: PAD HOSMANE <phosmane () apollo fedworld gov> Cc: snort-users () lists sourceforge net Subject: Re: [Snort-users] snort-1.8.3 compile with GCC.....!!!!
sh-2.05# gcc /tmp/foo.c -o /tmp/foo /tmp/foo.c: In function `main': /tmp/foo.c:3: warning: return type of `main' is not `int' as: warning 2: Unknown option "--traditional-format" ignored. as: "/var/tmp/cc1qhEkd.s", line 22: error 1052: Directive name not recognized - NSUBSPA I even re-installed gcc 3.0.1 (on HP-UX 11.00) and tried to compile your program and i get the same message given above.
Well, this is more gcc/port issue rather than snort issue, but try to install different gcc package, or install binutils all together (including as). I saw it once on one of the systems, but I forgot how we fixed it, I think we just downloaded different gcc package (which wasn't broken). --__--__-- Message: 3 From: Russell Fulton <R.FULTON () auckland ac nz> To: snort-users () lists sourceforge net Date: 03 Feb 2002 12:19:37 +1300 Subject: [Snort-users] RE: Customization of rules
Message: 14
From: Chip Kelly <Chip.Kelly () sas com>
To: "'snort-users () lists sourceforge net'"
<snort-users () lists sourceforge net>
Date: Fri, 1 Feb 2002 09:36:20 -0500
Subject: [Snort-users] Customization of rules
I'm just getting comfortable with the changes that I've made to the rules
that
are supplied with 1.8.3. Most of the changes are localized in
local.rules, but
I have also made changes to the way some of the other rules work in order
to
reduce false positives in my environment. My question - how do I preserve
the
customized rules in files other than local.rules when I update my rule
sets
either from an update to snort or simply an update to my rules files? I'm not looking forward to handling each customization individually. -chip
I have the same problem. What I have done so far is to write a perl script
which takes a list of SIDs comments the rules out. I want to extend this to
cover simple modifications, eg added options, changed targets etc but have
not
had time to do so.
--
Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
--__--__--
Message: 4
From: Phil Wood <cpw () lanl gov>
Date: Sat, 2 Feb 2002 16:34:23 -0700
To: Michael Anderson <mca () arlut utexas edu>
Cc: Martin Roesch <roesch () sourcefire com>,
snort-users <snort-users () lists sourceforge net>,
snort-dev <snort-devel () lists sourceforge net>
Subject: Re: [Snort-users] 1.8.4-beta1 feedback?
--ew6BAiZeqk4r7MaW
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
This is my cut on a patch to fix the DropStats. To incorporate the patch:
% tar -zxf snort-1.8.4-beta1.tar.gz
% cd snort-1.8.4-beta1
% patch -p1 < patch-snort
Voila.
Attached is patch-snort.
On Fri, Feb 01, 2002 at 08:50:18AM -0600, Michael Anderson wrote:
Are you going to update DropStats to correctly print out drop and receive
stats based on Phil Wood's comment in:
http://marc.theaimsgroup.com/?l=snort-users&m=101233898729378&w=2 I have updated my own version with what I think is the correct behavior,
at least for linux. Otherwise everything looks good to me.
-Mike Anderson Martin Roesch wrote:Good morning, I can see from the weblogs that 730 of you have downloaded 1.8.4-beta1, does anyone have any feedback or is it perfect in all ways and ready for release? :) -Marty -- Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)552-6999 Sourcefire: Professional Snort Sensor and Management Console appliances roesch () sourcefire com - http://www.sourcefire.com Snort: Open Source Network IDS - http://www.snort.org _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Phil Wood, cpw () lanl gov
--ew6BAiZeqk4r7MaW
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename=patch-snort
--- beta/snort-1.8.4-beta1/snort.c Wed Jan 30 03:06:31 2002
+++ snort-1.8.4-beta1/snort.c Sat Feb 2 00:48:33 2002
@@ -3074,6 +3101,7 @@
if(pv.quiet_flag)
return;
+ recv = (float) (pc.tcp + pc.udp + pc.icmp + pc.arp + pc.ipx + pc.ipv6
+ pc.other + pc.frags + pc.discards - pc.rebuilt_frags);
/*
* you will hardly run snort in daemon mode and read from file i that
is
* why no `LogMessage()' here
@@ -3082,36 +3110,34 @@
{
puts("\n\n==================================================================
=============\n");
- recv = (float) (pc.tcp + pc.udp + pc.icmp + pc.arp + pc.ipx +
pc.ipv6 + pc.other + pc.frags);
- drop = 0;
printf("Snort processed %d packets.\n", (int) recv);
puts("Breakdown by protocol: Action Stats:\n");
printf(" TCP: %-10ld (%.3f%%)%-*sALERTS: %-10ld\n",
- pc.tcp, CalcPct((float) pc.tcp, recv + drop),
- CalcPct((float)pc.tcp,recv + drop)<10?10:9 , " ",
pc.alert_pkts);
+ pc.tcp, CalcPct((float) pc.tcp, recv),
+ CalcPct((float)pc.tcp,recv)<10?10:9 , " ", pc.alert_pkts);
printf(" UDP: %-10ld (%.3f%%)%-*sLOGGED: %-10ld\n",
- pc.udp, CalcPct((float) pc.udp, recv + drop),
- CalcPct((float)pc.udp,recv + drop)<10?10:9, " ",
pc.log_pkts);
+ pc.udp, CalcPct((float) pc.udp, recv),
+ CalcPct((float)pc.udp,recv)<10?10:9, " ", pc.log_pkts);
printf(" ICMP: %-10ld (%.3f%%)%-*sPASSED: %-10ld\n",
- pc.icmp, CalcPct((float) pc.icmp, recv + drop),
- CalcPct((float)pc.icmp,recv + drop)<10?10:9, " ",
pc.pass_pkts);
- printf(" ARP: %-10ld (%.3f%%)\n", pc.arp, CalcPct((float)
pc.arp, recv + drop));
- printf(" IPv6: %-10ld (%.3f%%)\n", pc.ipv6, CalcPct((float)
pc.ipv6, recv + drop));
- printf(" IPX: %-10ld (%.3f%%)\n", pc.ipx, CalcPct((float)
pc.ipx, recv + drop));
- printf(" OTHER: %-10ld (%.3f%%)\n", pc.other, CalcPct((float)
pc.other, recv + drop));
+ pc.icmp, CalcPct((float) pc.icmp, recv),
+ CalcPct((float)pc.icmp,recv)<10?10:9, " ", pc.pass_pkts);
+ printf(" ARP: %-10ld (%.3f%%)\n", pc.arp, CalcPct((float)
pc.arp, recv));
+ printf(" IPv6: %-10ld (%.3f%%)\n", pc.ipv6, CalcPct((float)
pc.ipv6, recv));
+ printf(" IPX: %-10ld (%.3f%%)\n", pc.ipx, CalcPct((float)
pc.ipx, recv));
+ printf(" OTHER: %-10ld (%.3f%%)\n", pc.other, CalcPct((float)
pc.other, recv));
printf("====================================================================
===========\n");
printf("Fragmentation Stats:\n");
- printf("Fragmented IP Packets: %-10ld (%-3.3f%%)\n", pc.frags,
CalcPct((float) pc.frags, recv + drop));
+ printf("Fragmented IP Packets: %-10ld (%-3.3f%%)\n", pc.frags,
CalcPct((float) pc.frags, recv));
printf(" Rebuilt IP Packets: %-10ld\n", pc.rebuilt_frags);
printf(" Frag elements used: %-10ld\n", pc.rebuild_element);
printf("Discarded(incomplete): %-10ld\n", pc.frag_incomp);
printf(" Discarded(timeout): %-10ld\n", pc.frag_timeout);
puts("======================================================================
=========\n");
printf("TCP Stream Reassembly Stats:\n");
- printf(" TCP Packets Used: %-10ld (%-3.3f%%)\n",
pc.tcp_stream_pkts, CalcPct((float) pc.tcp_stream_pkts, recv + drop));
- printf(" Reconstructed Packets: %-10ld (%-3.3f%%)\n",
pc.rebuilt_tcp,CalcPct((float) pc.rebuilt_tcp, recv + drop));
+ printf(" TCP Packets Used: %-10ld (%-3.3f%%)\n",
pc.tcp_stream_pkts, CalcPct((float) pc.tcp_stream_pkts, recv));
+ printf(" Reconstructed Packets: %-10ld (%-3.3f%%)\n",
pc.rebuilt_tcp,CalcPct((float) pc.rebuilt_tcp, recv));
printf(" Streams Reconstructed: %-10ld\n", pc.tcp_streams);
puts("======================================================================
=========\n");
@@ -3125,50 +3151,44 @@
}
else
{
- recv = (float) ps.ps_recv;
drop = (float) ps.ps_drop;
LogMessage("\n\n===================================="
"===========================================\n");
- LogMessage("Snort analyzed %d out of %d packets, ",
- ps.ps_recv, ps.ps_recv+ps.ps_drop);
+ LogMessage("Snort analyzed %d out of %d packets.",
+ (unsigned long) recv, ps.ps_recv);
- if(ps.ps_recv)
- {
- LogMessage("dropping %d(%.3f%%) packets\n\n",
+ LogMessage(" The kernel dropped %d(%.3f%%).\n\n",
ps.ps_drop,
- CalcPct( (float) ps.ps_drop, (float)
(ps.ps_recv+ps.ps_drop) ));
- }
- else
- {
- LogMessage(".\n");
- }
+ CalcPct( (float) ps.ps_drop, (float) (ps.ps_recv)
));
+
+ recv = (float) ps.ps_recv;
LogMessage("Breakdown by protocol: Action
Stats:\n");
LogMessage(" TCP: %-10ld (%.3f%%)%-*sALERTS: %-10ld\n",
- pc.tcp, CalcPct((float) pc.tcp, recv + drop),
- CalcPct((float)pc.tcp,recv + drop)<10?10:9 , " ",
pc.alert_pkts);
+ pc.tcp, CalcPct((float) pc.tcp, recv),
+ CalcPct((float)pc.tcp,recv)<10?10:9 , " ",
pc.alert_pkts);
LogMessage(" UDP: %-10ld (%.3f%%)%-*sLOGGED: %-10ld\n",
- pc.udp, CalcPct((float) pc.udp, recv + drop),
- CalcPct((float)pc.udp,recv + drop)<10?10:9, " ",
pc.log_pkts);
+ pc.udp, CalcPct((float) pc.udp, recv),
+ CalcPct((float)pc.udp, recv)<10?10:9, " ",
pc.log_pkts);
LogMessage(" ICMP: %-10ld (%.3f%%)%-*sPASSED: %-10ld\n",
- pc.icmp, CalcPct((float) pc.icmp, recv + drop),
- CalcPct((float)pc.icmp,recv + drop)<10?10:9, " ",
pc.pass_pkts);
+ pc.icmp, CalcPct((float) pc.icmp, recv),
+ CalcPct((float)pc.icmp,recv)<10?10:9, " ",
pc.pass_pkts);
LogMessage(" ARP: %-10ld (%.3f%%)\n",
- pc.arp, CalcPct((float) pc.arp, recv + drop));
+ pc.arp, CalcPct((float) pc.arp, recv));
LogMessage(" IPv6: %-10ld (%.3f%%)\n",
- pc.ipv6, CalcPct((float) pc.ipv6, recv + drop));
+ pc.ipv6, CalcPct((float) pc.ipv6, recv));
LogMessage(" IPX: %-10ld (%.3f%%)\n",
- pc.ipx, CalcPct((float) pc.ipx, recv + drop));
+ pc.ipx, CalcPct((float) pc.ipx, recv));
LogMessage(" OTHER: %-10ld (%.3f%%)\n",
- pc.other, CalcPct((float) pc.other, recv + drop));
+ pc.other, CalcPct((float) pc.other, recv));
LogMessage("DISCARD: %-10ld (%.3f%%)\n",
- pc.discards, CalcPct((float) pc.discards, recv +
drop));
+ pc.discards, CalcPct((float) pc.discards, recv));
LogMessage("================================================"
"===============================\n");
LogMessage("Fragmentation Stats:\n");
LogMessage("Fragmented IP Packets: %-10ld (%.3f%%)\n",
- pc.frags, CalcPct((float) pc.frags, recv + drop));
+ pc.frags, CalcPct((float) pc.frags, recv));
LogMessage(" Fragment Trackers: %-10ld\n",
pc.frag_trackers);
LogMessage(" Rebuilt IP Packets: %-10ld\n",
@@ -3187,7 +3207,7 @@
LogMessage("TCP Stream Reassembly Stats:\n");
LogMessage(" TCP Packets Used: %-10ld (%-3.3f%%)\n",
pc.tcp_stream_pkts,
- CalcPct((float) pc.tcp_stream_pkts, recv + drop));
+ CalcPct((float) pc.tcp_stream_pkts, recv));
LogMessage(" Stream Trackers: %-10ld\n",
pc.tcp_streams);
LogMessage(" Stream flushes: %-10ld\n",
pc.rebuilt_tcp);
LogMessage(" Segments used: %-10ld\n",
pc.rebuilt_segs);
@@ -3199,7 +3219,6 @@
return;
}
-
void ReadConfFile()
{
--ew6BAiZeqk4r7MaW--
--__--__--
Message: 5
Date: Sat, 2 Feb 2002 15:39:28 -0800
From: Kris Kennaway <kris () obsecurity org>
To: snort-users () sourceforge net
Subject: [Snort-users] snort 1.8.4b1 dumping core
--oyUTqETQ0mS9luUI
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
I've just seen snort 1.8.4b1 dump core twice in close succession on my
FreeBSD 4.5 box. I'm running with the default config file from the
latest CVS snort ruleset, modulo HOME_NET and EXTERNAL_NET. Both
crashed in the same place:
Program terminated with signal 11, Segmentation fault.
#0 0x280bab5f in ?? ()
(gdb) bt
#0 0x280bab5f in ?? ()
#1 0x280ba7bb in ?? ()
#2 0x804c121 in InterfaceThread (arg=0x80bb000) at snort.c:1675
#3 0x804a841 in main (argc=50652, argv=0xfe8f7d04) at snort.c:478
Kris
--oyUTqETQ0mS9luUI
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org
iD8DBQE8XHivWry0BWjoQKURAmeKAKCtZPcaUhk9oIv6HSJxNd93CnR8zwCg5x9a
epVGT+baZourALII39q4V8w=
=biF0
-----END PGP SIGNATURE-----
--oyUTqETQ0mS9luUI--
--__--__--
Message: 6
From: Jeff Elkins <jeff () elkins org>
Reply-To: snort-users () lists sourceforge net
To: snort-users () lists sourceforge net
Date: Sat, 2 Feb 2002 19:25:42 -0500
Subject: [Snort-users] Newbie: Snort Configuration
Hello list,
I searched the FAQ as well as the web discussion boards and didn't see an
obvious answer to my question.
I'm attempting to configure Snort 1.8.4-beta1 build 91 for use on a small
seven node LAN. All boxen are running RH7.2. I built Snort from the tarball
and configure/make/make install seemed to work perfectly.
The Snort box has two ethernet interfaces: eth0 is connected to a Netgear
FS108 8 port switch (as is the rest of the LAN) and eth1 is connected to an
Alcatel DSL modem. The resulting pppoe->ppp0 connection is shared among all
boxes and a basic ipchains firewall is in place.
eth0=192.168.0.1
eth1=10.0.0.10
Alcatel switch=10.0.0.138 (factory preset)
ppp0=variable IP
Snort will only initialize itself for eth0 and while portscans within the
LAN
trigger an alert, external ones do not. I've tried setting HOME_NET to
10.0.010/24 and 10.0.0.138/24 - plus the $ppp0_ADDRESS and $eth1_ADDRESS
variables fail with: bad value in variable definition. Make sure you don't
have a "$" in the var name. Using HOME_NET any also fails to pick up
external
portscans.
Thanks for any assistance.
Jeff Elkins
--__--__--
Message: 7
From: Jeff Elkins <jeff () elkins org>
Reply-To: snort-users () lists sourceforge net
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Newbie: Snort Configuration
Date: Sat, 2 Feb 2002 21:27:37 -0500
eth0=192.168.0.1 eth1=10.0.0.10 Alcatel switch=10.0.0.138 (factory preset) ppp0=variable IP
Mistyped...Just to clarify, Alcatel switch above is the DSL modem, not a
switch. Additionally, I tried all the previous steps with no firewall in
place with the same negative results.
Jeff
--__--__--
Message: 8
Date: Sat, 02 Feb 2002 21:34:50 -0500
From: Martin Roesch <roesch () sourcefire com>
To: Kris Kennaway <kris () obsecurity org>
CC: snort-users () sourceforge net
Subject: Re: [Snort-users] snort 1.8.4b1 dumping core
What output modes are you using?
-Marty
Kris Kennaway wrote:
I've just seen snort 1.8.4b1 dump core twice in close succession on my FreeBSD 4.5 box. I'm running with the default config file from the latest CVS snort ruleset, modulo HOME_NET and EXTERNAL_NET. Both crashed in the same place: Program terminated with signal 11, Segmentation fault. #0 0x280bab5f in ?? () (gdb) bt #0 0x280bab5f in ?? () #1 0x280ba7bb in ?? () #2 0x804c121 in InterfaceThread (arg=0x80bb000) at snort.c:1675 #3 0x804a841 in main (argc=50652, argv=0xfe8f7d04) at snort.c:478 Kris ------------------------------------------------------------------------ Part 1.2Type: application/pgp-signature
-- Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)552-6999 Sourcefire: Professional-grade Snort Sensor and Management Console appliances roesch () sourcefire com - http://www.sourcefire.com Snort: Open Source Network IDS - http://www.snort.org --__--__-- Message: 9 Date: Sat, 2 Feb 2002 19:24:11 -0800 From: Kris Kennaway <kris () obsecurity org> To: Martin Roesch <roesch () sourcefire com> Cc: Kris Kennaway <kris () obsecurity org>, snort-users () sourceforge net Subject: Re: [Snort-users] snort 1.8.4b1 dumping core --J2SCkAp4GZ/dPZZf Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Sat, Feb 02, 2002 at 09:34:50PM -0500, Martin Roesch wrote:
What output modes are you using?
Entirely the defaults.
I've just seen snort 1.8.4b1 dump core twice in close succession on my FreeBSD 4.5 box. I'm running with the default config file from the latest CVS snort ruleset, modulo HOME_NET and EXTERNAL_NET. Both crashed in the same place:
Kris --J2SCkAp4GZ/dPZZf Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE8XK1aWry0BWjoQKURAp/GAJkBjHN5YSEV5LQhkZI/L1ynwWkxrgCgo2aD YCt8eNsnog07UCogJdx9NWk= =UGEC -----END PGP SIGNATURE----- --J2SCkAp4GZ/dPZZf-- --__--__-- Message: 10 Reply-To: <jjennings () zoominternet net> From: "Jeff Jennings" <jjennings () zoominternet net> To: <snort-users () lists sourceforge net> Date: Sat, 2 Feb 2002 22:31:04 -0500 Subject: [Snort-users] Snort on W2K Server This is a multi-part message in MIME format. ------=_NextPart_000_0003_01C1AC39.4D353310 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Followed the directions verbatim on silicondefence.com to installation of Snort & MySql Snort is working fine, MySql appears to be working fine, but I cannot get Snort to save data in MySQL tables.. Any ideas? Went thru everything about 4 times today to make sure I had not missed a step, but no luck. Thanks in advance. ------=_NextPart_000_0003_01C1AC39.4D353310 Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable <html xmlns:o=3D"urn:schemas-microsoft-com:office:office" = xmlns:w=3D"urn:schemas-microsoft-com:office:word" = xmlns=3D"http://www.w3.org/TR/REC-html40";> <head> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Dus-ascii"> <meta name=3DProgId content=3DWord.Document> <meta name=3DGenerator content=3D"Microsoft Word 10"> <meta name=3DOriginator content=3D"Microsoft Word 10"> <link rel=3DFile-List href=3D"cid:filelist.xml@01C1AC39.4CCA3C40"> <!--[if gte mso 9]><xml> <o:OfficeDocumentSettings> <o:DoNotRelyOnCSS/> </o:OfficeDocumentSettings> </xml><![endif]--><!--[if gte mso 9]><xml> <w:WordDocument> <w:SpellingState>Clean</w:SpellingState> <w:GrammarState>Clean</w:GrammarState> <w:DocumentKind>DocumentEmail</w:DocumentKind> <w:EnvelopeVis/> <w:Compatibility> <w:BreakWrappedTables/> <w:SnapToGridInCell/> <w:WrapTextWithPunct/> <w:UseAsianBreakRules/> </w:Compatibility> <w:BrowserLevel>MicrosoftInternetExplorer4</w:BrowserLevel> </w:WordDocument> </xml><![endif]--> <style> <!-- /* Style Definitions */ p.MsoNormal, li.MsoNormal, div.MsoNormal {mso-style-parent:""; margin:0in; margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:12.0pt; font-family:"Times New Roman"; mso-fareast-font-family:"Times New Roman";} a:link, span.MsoHyperlink {color:blue; text-decoration:underline; text-underline:single;} a:visited, span.MsoHyperlinkFollowed {color:purple; text-decoration:underline; text-underline:single;} span.EmailStyle17 {mso-style-type:personal-compose; mso-style-noshow:yes; mso-ansi-font-size:10.0pt; mso-bidi-font-size:10.0pt; font-family:Arial; mso-ascii-font-family:Arial; mso-hansi-font-family:Arial; mso-bidi-font-family:Arial; color:windowtext;} span.SpellE {mso-style-name:""; mso-spl-e:yes;} span.GramE {mso-style-name:""; mso-gram-e:yes;} @page Section1 {size:8.5in 11.0in; margin:1.0in 1.25in 1.0in 1.25in; mso-header-margin:.5in; mso-footer-margin:.5in; mso-paper-source:0;} div.Section1 {page:Section1;} --> </style> <!--[if gte mso 10]> <style> /* Style Definitions */=20 table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin:0in; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:10.0pt; font-family:"Times New Roman";} </style> <![endif]--> </head> <body lang=3DEN-US link=3Dblue vlink=3Dpurple = style=3D'tab-interval:.5in'> <div class=3DSection1> <p class=3DMsoNormal><font size=3D2 face=3DArial><span = style=3D'font-size:10.0pt; font-family:Arial'>Followed the directions verbatim on = silicondefence.com to installation of Snort & <span = class=3DSpellE>MySql</span><o:p></o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 face=3DArial><span = style=3D'font-size:10.0pt; font-family:Arial'>Snort is working fine, <span = class=3DSpellE>MySql</span> appears to be working fine, but I cannot get Snort to save data in <span class=3DSpellE>MySQL</span> tables….<o:p></o:p></span></font></p> <p class=3DMsoNormal><span class=3DGramE><font size=3D2 = face=3DArial><span style=3D'font-size:10.0pt;font-family:Arial'>Any = ideas?</span></font></span><font size=3D2 face=3DArial><span = style=3D'font-size:10.0pt;font-family:Arial'><o:p></o:p></span></font></p=
<p class=3DMsoNormal><font size=3D2 face=3DArial><span = style=3D'font-size:10.0pt; font-family:Arial'><o:p> </o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 face=3DArial><span = style=3D'font-size:10.0pt; font-family:Arial'>Went thru everything about 4 times today to make sure = I had not missed a step, but no luck.<o:p></o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 face=3DArial><span = style=3D'font-size:10.0pt; font-family:Arial'><o:p> </o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 face=3DArial><span = style=3D'font-size:10.0pt; font-family:Arial'>Thanks in advance.<o:p></o:p></span></font></p> </div> </body> </html> ------=_NextPart_000_0003_01C1AC39.4D353310-- --__--__-- _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-users End of Snort-users Digest _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Compiling with gcc. Fallon, Benjamin (Feb 03)