Snort mailing list archives
Re: Snort on Leopard 10.5.4...getting there
From: James Lay <jlay () slave-tothe-box net>
Date: Sat, 13 Sep 2008 12:26:07 -0600
On 9/13/08 10:59 AM, "Martin Roesch" <mroesch () sourcefire com> wrote:
> What's the command line and snort.conf file you're using with Snort when it errors out? If you look in the BUGS file that comes with the source distro you'll see all the info we need and where to send it to diagnose your problem.
>
> Marty
>
> On Sat, Sep 13, 2008 at 9:56 AM, James Lay <jlay () slave-tothe-box net> wrote:
>> So I've got snort 2.8.3 running right now on Leo 10.5.4 (YaY). Dynamic preprocessors tank with a Bus Error however. Who do I send the crash log to?
>>
>> Also, does anyone have a good plist startup file for snort on OS X? Everything works but the filter option (example: "ip and not host bleh") doesn't seem to get passed correctly to snort:
>>
>>     Sep 9 19:51:30 slave-tothe-box snort[346]: FATAL ERROR: OpenPcap() FSM compilation failed: \n illegal token: "\nPCAP command: "ip and not port 21746"
>>
>> Of course, running command line it works just fine (have I mentioned how much I loathe launchd?).
>>
>> Danke folks
>>
>> James
The command line is:

    /usr/snort/bin/snort -i ppp0 -D -u nobody -g nobody -o -c /usr/snort/etc/snort/snort.conf -l /usr/snort/var/log "ip and not port 21746"

I used Lingon to create a .plist file and after removing the ""'s from the filter it works now. This changed from:

    <string>/usr/snort/var/log</string>
    <string>"ip</string>
    <string>and</string>
    <string>not</string>
    <string>port</string>
    <string>21746"</string>
    </array>

To

    <string>ip and not port 21746</string>
    </array>

This works fine now. As for the snort.conf, I had to comment out all the dynamic preprocessor jazz to get it to run without a Bus Error:

    #dynamicpreprocessor directory /usr/snort/lib/snort_dynamicpreprocessor/
    #dynamicengine /usr/snort/lib/snort_dynamicengine/libsf_engine.dylib
    #dynamicdetection directory /usr/snort/lib/snort_dynamicrule/

and the dns, smtp, dce, and telnet/ftp dynamic preprocessors. Once that was done it came up with no error. I'll look through the BUGS and send along, but here's some of the info from the crash file:

    Process:         snort [72780]
    Path:            /usr/snort/bin/snort
    Identifier:      snort
    Version:         ??? (???)
    Code Type:       PPC (Native)
    Parent Process:  bash [71934]

    Exception Type:  EXC_BAD_ACCESS (SIGBUS)
    Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000000
    Crashed Thread:  0

    Thread 0 Crashed:
    0   ???                            0000000000 0 + 0
    1   libsf_ssl_preproc.0.0.0.dylib  0x022c27d0 InitializePreprocessor + 432
    2   snort                          0x0004d194 InitDynamicPreprocessorPlugins + 84
    3   snort                          0x0004d50c InitDynamicPreprocessors + 588
    4   snort                          0x0001da84 SnortMain + 2276
    5   snort                          0x000024b4 start + 68
    6   ???                            0000000000 0 + 0

Thanks Marty,

James
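The quoting problem described in the message above, shown as an added example that is not part of the original post or of Snort: launchd hands each ProgramArguments string to the program unchanged, so quote characters that a shell would strip arrive as literal characters in the filter. The two job definitions are constructed from the fragments in the message; the Label and the function names are hypothetical.

```python
import plistlib
import shlex

# Constructed from the command line quoted in the post, as typed into a shell.
SHELL_CMD = ('/usr/snort/bin/snort -i ppp0 -D -u nobody -g nobody -o '
             '-c /usr/snort/etc/snort/snort.conf -l /usr/snort/var/log '
             '"ip and not port 21746"')
N_OPTION_ARGS = len(shlex.split(SHELL_CMD)) - 1  # everything before the filter

def make_plist(filter_args):
    """Build a launchd job plist (constructed; the Label is hypothetical)."""
    argv = shlex.split(SHELL_CMD)[:N_OPTION_ARGS] + filter_args
    return plistlib.dumps({"Label": "example.snort", "ProgramArguments": argv})

def lint_program_arguments(plist_bytes, shell_cmd=SHELL_CMD):
    """Return (filter_text, findings) for a job's ProgramArguments."""
    argv = plistlib.loads(plist_bytes)["ProgramArguments"]
    findings = []
    for i, arg in enumerate(argv):
        # No shell runs between launchd and the program, so a quote inside
        # a <string> arrives as a literal character in argv.
        if arg.startswith(('"', "'")) or arg.endswith(('"', "'")):
            findings.append(f"argv[{i}] = {arg!r}: literal quote character")
    if argv != shlex.split(shell_cmd):
        findings.append("argv differs from what a shell would pass")
    # Assumption: the trailing arguments are joined with spaces to form the
    # filter, which matches the "PCAP command" shown in the error above.
    return " ".join(argv[N_OPTION_ARGS:]), findings

# The two ProgramArguments variants from the message (constructed plists).
BEFORE = make_plist(['"ip', 'and', 'not', 'port', '21746"'])
AFTER = make_plist(['ip and not port 21746'])

if __name__ == "__main__":
    for name, job in (("before", BEFORE), ("after", AFTER)):
        text, findings = lint_program_arguments(job)
        print(name, repr(text), findings or "ok")
```
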