Snort mailing list archives

Re: [Snort-sigs] RulePack update and End of Life of 2.8.6.0


From: "Castle, Shane" <scastle () bouldercounty org>
Date: Thu, 6 Jan 2011 13:45:59 -0700

I have made changes so that snortsam can install on Fedora 14 and
snort-2.9.something (it was a month or so ago, and I've since removed the VM I
used), but it's doable. Some slight mods to the patches are needed.

-- 
Shane Castle
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH


-----Original Message-----
From: Jeff Kell [mailto:jeff-kell () utc edu] 
Sent: Thursday, January 06, 2011 13:29
To: Joel Esler
Cc: Castle, Shane; Snort Users
Subject: Re: [Snort-sigs] RulePack update and End of Life of 2.8.6.0

On 1/6/2011 3:17 PM, Joel Esler wrote: 

        What features of SnortSam do you guys use now?
        
        (I don't know SnortSam, at all, so walk me through it)
        


The executable (which itself is independent) here is 2.50, and it is
rather old.  But that part just plain works.



        SnortSam, v 2.50.
        Copyright (c) 2001-2006 Frank Knobbe <frank () knobbe us>. All rights reserved.
        
        Plugin 'fwsam': v 2.4, by Frank Knobbe
        Plugin 'fwexec': v 2.4, by Frank Knobbe
        Plugin 'pix': v 2.8, by Frank Knobbe
        Plugin 'ciscoacl': v 2.10, by Ali Basel <alib () sabanciuniv edu>
            (etc)
        


There is a "patch" which is applied to the snort /src directory that
does the magic of installing the "fwsam:" rule hook and sid-block.map
file linkages for the "output alert_fwsam:" functionality.

It is this patch installation (and the subsequent build) that is rather
fragile.  The patch files are available from the snortsam repository.
The last I have is for 2.8.6...



        patch -p1 < ../snortsam-2.8.6.diff


And my last binary was:



        $ snort -V
        
           ,,_     -*> Snort! <*-
          o"  )~   Version 2.8.6 (Build 38)
           ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
                   Copyright (C) 1998-2010 Sourcefire, Inc., et al.
                   Using PCRE version: 6.6 06-Feb-2006


That was my last round on CentOS 5 with overriding libpcap-1.1.1 /
tcpdump-4.1.1 modules/libraries.  I haven't made the leap to the 2.9
additional requirements.

Jeff
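As an added illustration (not from either message, and not SnortSam's own shipped configuration), this is the shape of the wiring Jeff describes: the `output alert_fwsam:` line in snort.conf, a rule carrying the `fwsam:` option that the source patch teaches Snort's rule parser, and a sid-block.map entry that attaches the same block to a SID without editing the rule. The agent host, port, password, SID and networks are placeholders chosen here; the sid-block.map line format is given as I recall it from the SnortSam README, so check it against the copy that ships with your patch.

```conf
# snort.conf: hand blocking requests to a SnortSam agent on the local host.
# host:port/password are placeholders; the password must match the agent's snortsam.conf.
output alert_fwsam: 127.0.0.1:898/mysecret

# local.rules: "fwsam:" is the rule option the snortsam-2.8.6.diff patch adds.
# Syntax: fwsam: <who>[how], <duration>.  Here: block the packet's source for one hour,
# but only once the detection_filter has seen 20 SYNs from that source inside a minute.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL SSH connection flood"; \
    flow:to_server; flags:S; \
    detection_filter:track by_src, count 20, seconds 60; \
    fwsam: src, 1 hour; classtype:attempted-recon; sid:1000001; rev:1;)

# sid-block.map: same block keyed by SID, for rules you would rather not edit.
# Format assumed to be <sid>: <who>[how], <duration>.
1000001: src, 1 hour
```

Every alert from a rule that carries `fwsam:` (or whose SID is listed in sid-block.map) becomes a block request at the firewall, so attach it only to rules whose source address cannot be trivially spoofed and whose false-positive rate you can live with: blocking the `src` of a forged packet blocks whoever the attacker chose to name, which is why the example above keys on a completed TCP handshake direction and rate-limits before blocking.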



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users