Snort mailing list archives
Re: libpcap question?
From: "J. Craig Woods" <drjung () trismegistus net>
Date: Sun, 15 Sep 2002 15:16:14 -0500
Jason Costomiris wrote:
> On Sun, Sep 15, 2002 at 12:51:47PM -0500, J. Craig Woods wrote:
> : > That RPM was built against RedHat. Get the SRPM and rpm --rebuild to suit
> : > your system's lib versions..
> :
> : Yea, I could see that it was built for RedHat but when trying to rebuild
> : the src rpm, I was getting mysql-devel dependency problems, even though
> : I have all the mysql components installed, including mysql-devel.
>
> You're on Mandrake, right? You don't have a mysql-devel package. You have
> a libmysql10-devel package, or so it seems.
>
> Besides, you seem to be using the Mandrake cooker, which already has snort
> rpms in it, why not use them?

Yes and no. First, I am running my gateway/router machine with older mandrake version, LMDK7.2 (No thanks, I do not want to upgrade. Too much work has gone into this baby, i.e. some very extensive, manually created, ipchains rules, hand-crafted tripwire configuration with every file loaded, and many other cooker and "homemade" customizations). As I indicated, it is fully loaded with mysql components:

"rpm -qa | grep MySQL"
MySQL-client-3.23.31-1.1mdk
MySQL-devel-3.23.31-1.1mdk
MySQL-shared-3.23.31-1.1mdk
MySQL-3.23.31-1.1mdk
MySQL-bench-3.23.31-1.1mdk

Still snort src (snort.org version) would not compile for me. As I indicated, it gave me some gibberish about not finding mysql-devel. Maybe a "case" problem, you think?

Mandrake cooker version of snort-1.8.7 requires GLIBC 2.2, which 7.2 does not have, and I am not willing to break most everything in the OS to upgrade GLIBC. So the new mandrake snort version is a *no* go for me. I wanted the latest rpm version of snort, and Snort-1.8.7-1snort, from snort.org, works nicely for my box, once I hacked on the lib thing, i.e. set up some symlinks.

Here is a question for you, Jason: What is going on with your MTA? Every time my mail server receives mail from you, I get alerts:

[**] [1:654:5] SMTP RCPT TO overflow [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
09/15-13:37:37.425611 146.145.196.12:39458 -> 4.64.80.236:25
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:1765
***AP*** Seq: 0x2BC79AD  Ack: 0x745A5EE  Win: 0x7D78  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0260]
[Xref => http://www.securityfocus.com/bid/2283]

(When posting to snort list, I have never understood the need to obfuscate IP addresses: they are all in the mail headers, right?)

Any thoughts on this alert?

drjung

--
J. Craig Woods
UNIX Network/System Administration
http://www.trismegistus.net/resume.html

Character is built upon the debris of despair --Emerson
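
An added example, not part of the original post and not Snort's own code: a small Python parser for the full-alert text format quoted in the message above. It extracts the rule ID, endpoints and header lengths, derives the TCP payload size, and counts alerts per sender, which is the first pass when triaging an overflow alert that recurs from one mail server. The function names are hypothetical; the sample input is the alert as posted.

```python
import re
from collections import Counter

# The alert as posted in the message above (Snort "full" alert format).
ALERT_TEXT = """\
[**] [1:654:5] SMTP RCPT TO overflow [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
09/15-13:37:37.425611 146.145.196.12:39458 -> 4.64.80.236:25
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:1765
***AP*** Seq: 0x2BC79AD  Ack: 0x745A5EE  Win: 0x7D78  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0260]
[Xref => http://www.securityfocus.com/bid/2283]
"""

HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
CLASS = re.compile(r"^\[Classification: (.+?)\] \[Priority: (\d+)\]$")
FLOW = re.compile(r"^(\S+) ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")
LENGTH = re.compile(r"\b(IpLen|DgmLen|TcpLen):\s*(\d+)")
XREF = re.compile(r"\[Xref => (\S+?)\]")

def parse_alerts(text):
    """Return one dict per alert; a new alert starts at each [**] header line."""
    alerts = []
    for line in map(str.strip, text.splitlines()):
        if m := HEADER.match(line):
            alerts.append({"gid": int(m[1]), "sid": int(m[2]), "rev": int(m[3]),
                           "msg": m[4], "xrefs": []})
        elif alerts:  # lines before the first header are ignored
            cur = alerts[-1]
            if m := CLASS.match(line):
                cur["classification"], cur["priority"] = m[1], int(m[2])
            elif m := FLOW.match(line):
                cur.update(time=m[1], src=m[2], sport=int(m[3]), dst=m[4], dport=int(m[5]))
            cur.update((k, int(v)) for k, v in LENGTH.findall(line))
            cur["xrefs"] += XREF.findall(line)
    return alerts

def tcp_payload_len(alert):
    """TCP payload bytes (DgmLen - IpLen - TcpLen); None if a length is missing."""
    have = alert.keys() >= {"DgmLen", "IpLen", "TcpLen"}
    return alert["DgmLen"] - alert["IpLen"] - alert["TcpLen"] if have else None

def recurring_sources(alerts):
    """Count alerts per (sid, source IP, destination port) to spot repeat senders."""
    return Counter((a["sid"], a.get("src"), a.get("dport")) for a in alerts)

if __name__ == "__main__":
    for a in parse_alerts(ALERT_TEXT):
        print(a["sid"], a["msg"], a["src"], "->", a["dport"], tcp_payload_len(a))
```
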
Current thread:
- libpcap question? J. Craig Woods (Sep 15)
- Re: libpcap question? Jason Costomiris (Sep 15)
- Re: libpcap question? J. Craig Woods (Sep 15)
- Re: libpcap question? Jason Costomiris (Sep 15)
- Re: libpcap question? J. Craig Woods (Sep 15)
- Re: libpcap question? Jason Costomiris (Sep 15)
- Re: libpcap question? J. Craig Woods (Sep 15)
- Re: libpcap question? Jason Costomiris (Sep 15)