Snort mailing list archives
Several problems with snort 2.9.1.2 under OpenBSD 5.0
From: carlopmart <carlopmart () gmail com>
Date: Sat, 05 Nov 2011 21:35:35 +0100
Hi all,

I am trying to install snort 2.9.1.2 under an OpenBSD 5.0 server, but there are several problems. First, during compilation, the console displays a lot of errors, but the most common is:

*** Warning: This system can not link to static lib archive /opt/soft/daq/lib/libdaq_static.la.
*** I have the capability to make that library automatically link in when
*** you link to this library. But I can only do this if you have a
*** shared version of the library, which you do not appear to have.
*** But as you try to build a module library, libtool will still create
*** a static module, that should work as long as the dlopening application
*** is linked with the -dlopen flag to resolve symbols at runtime.

.. and others like this on every preprocessor:

In file included from ../include/sf_ip.h:36,
                 from ../include/sfPolicy.h:24,
                 from ../include/sfPolicyUserData.c:27:
/usr/include/arpa/inet.h:74: warning: 'struct in_addr' declared inside parameter list
/usr/include/arpa/inet.h:74: warning: its scope is only this definition or declaration, which is probably not what you want
/usr/include/arpa/inet.h:75: warning: 'struct in_addr' declared inside parameter list

After that, and trying a minimal configuration, some preprocessors are disabled due to problems with the compilation process:

snort[15646]: FATAL ERROR: /opt/config/etc/snort-common/snort.conf(64) Unknown preprocessor: "ftp_telnet".
snort[8522]: FATAL ERROR: /opt/config/etc/snort-common/snort.conf(140) Unknown preprocessor: "smtp".
snort[23671]: FATAL ERROR: /opt/config/etc/snort-common/snort.conf(148) Unknown preprocessor: "ssh".
snort[29740]: FATAL ERROR: /opt/config/etc/snort-prod/prod_ids.conf(93) Unknown preprocessor: "ssl".
snort[29740]: FATAL ERROR: /opt/config/etc/snort-prod/prod_ids.conf(93) Unknown preprocessor: "dcerpc2"

... and others like dns preprocessor, too ...

After disabling all these preprocessors, and all rules associated, it seems that all works (only with 10 rules):

Nov 5 20:32:40 eorlingas snort[31702]: Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log
Nov 5 20:32:40 eorlingas snort[31702]: Verifying Preprocessor Configurations!
Nov 5 20:32:40 eorlingas snort[31702]: ICMP tracking disabled, no ICMP sessions allocated
Nov 5 20:32:40 eorlingas snort[31702]:
Nov 5 20:32:40 eorlingas snort[31702]: [ Port Based Pattern Matching Memory ]
Nov 5 20:32:40 eorlingas snort[31702]: +- [ Aho-Corasick Summary ] -------------------------------------
Nov 5 20:32:40 eorlingas snort[31702]: | Storage Format : Full-Q
Nov 5 20:32:40 eorlingas snort[31702]: | Finite Automaton : DFA
Nov 5 20:32:40 eorlingas snort[31702]: | Alphabet Size : 256 Chars
Nov 5 20:32:40 eorlingas snort[31702]: | Sizeof State : Variable (1,2,4 bytes)
Nov 5 20:32:40 eorlingas snort[31702]: | Instances : 6
Nov 5 20:32:40 eorlingas snort[31702]: | 1 byte states : 6
Nov 5 20:32:40 eorlingas snort[31702]: | 2 byte states : 0
Nov 5 20:32:40 eorlingas snort[31702]: | 4 byte states : 0
Nov 5 20:32:40 eorlingas snort[31702]: | Characters : 239
Nov 5 20:32:40 eorlingas snort[31702]: | States : 223
Nov 5 20:32:40 eorlingas snort[31702]: | Transitions : 1022
Nov 5 20:32:40 eorlingas snort[31702]: | State Density : 1.8%
Nov 5 20:32:40 eorlingas snort[31702]: | Patterns : 15
Nov 5 20:32:40 eorlingas snort[31702]: | Match States : 14
Nov 5 20:32:40 eorlingas snort[31702]: | Memory (KB) : 71.27
Nov 5 20:32:40 eorlingas snort[31702]: | Pattern : 1.17
Nov 5 20:32:40 eorlingas snort[31702]: | Match Lists : 1.66
Nov 5 20:32:40 eorlingas snort[31702]: | DFA
Nov 5 20:32:40 eorlingas snort[31702]: | 1 byte states : 57.06
Nov 5 20:32:40 eorlingas snort[31702]: | 2 byte states : 0.00
Nov 5 20:32:40 eorlingas snort[31702]: | 4 byte states : 0.00
Nov 5 20:32:40 eorlingas snort[31702]: +----------------------------------------------------------------
Nov 5 20:32:40 eorlingas snort[31702]: [ Number of patterns truncated to 20 bytes: 3 ]
Nov 5 20:32:40 eorlingas snort[31702]:
Nov 5 20:32:40 eorlingas snort[31702]: Packet Performance Monitor Config:
Nov 5 20:32:40 eorlingas snort[31702]: ticks per usec : 2217 ticks
Nov 5 20:32:40 eorlingas snort[31702]: max packet time : 10000 usecs
Nov 5 20:32:40 eorlingas snort[31702]: packet action :
Nov 5 20:32:40 eorlingas snort[31702]: fastpath-expensive-packets
Nov 5 20:32:40 eorlingas snort[31702]: packet logging : log
Nov 5 20:32:40 eorlingas snort[31702]: debug-pkts : disabled
Nov 5 20:32:40 eorlingas snort[31702]: pcap DAQ configured to passive.
Nov 5 20:32:40 eorlingas snort[31702]: Acquiring network traffic from "em9".
Nov 5 20:32:40 eorlingas snort[31702]: Initializing daemon mode
Nov 5 20:32:40 eorlingas snort[29023]: Daemon initialized, signaled parent pid: 31702
Nov 5 20:32:40 eorlingas snort[29023]: Reload thread starting...
Nov 5 20:32:40 eorlingas snort[29023]: Reload thread started, thread 0x87cd8800 (29023)
Nov 5 20:32:40 eorlingas snort[29023]: Attribute Table Reload Thread Starting...
Nov 5 20:32:40 eorlingas snort[29023]: Attribute Table Reload Thread Started, thread 0x8929cc00 (29023)
Nov 5 20:32:40 eorlingas snort[29023]: Decoding Ethernet
Nov 5 20:32:40 eorlingas snort[29023]: Checking PID path...
Nov 5 20:32:40 eorlingas snort[29023]: PID path stat checked out ok, PID path set to /var/run/
Nov 5 20:32:40 eorlingas snort[29023]: Writing PID "29023" to file "/var/run//snort_em9.pid"
Nov 5 20:32:48 eorlingas snort[29023]:
Nov 5 20:32:48 eorlingas snort[29023]: --== Initialization Complete ==--
Nov 5 20:32:48 eorlingas snort[29023]: Commencing packet processing (pid=29023)

.. But it is really hard to work with these few preprocessors ...

What snort version works well with OpenBSD??

Thanks.

--
CL Martinez
carlopmart {at} gmail {d0t} com
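
A small triage helper for the startup failures quoted in the message above, as an added example that is not part of the original post: it collects every "Unknown preprocessor" fatal error from Snort's syslog output and groups the hits by configuration file and line. The function names are hypothetical, and the sample input consists of the error lines quoted in the post.

```python
import re
from collections import defaultdict

# Error lines as quoted in the post; a syslog timestamp/host prefix
# in front of "snort[pid]:" is tolerated but not required.
SAMPLE = '''\
snort[15646]: FATAL ERROR: /opt/config/etc/snort-common/snort.conf(64) Unknown preprocessor: "ftp_telnet".
snort[8522]: FATAL ERROR: /opt/config/etc/snort-common/snort.conf(140) Unknown preprocessor: "smtp".
snort[23671]: FATAL ERROR: /opt/config/etc/snort-common/snort.conf(148) Unknown preprocessor: "ssh".
snort[29740]: FATAL ERROR: /opt/config/etc/snort-prod/prod_ids.conf(93) Unknown preprocessor: "ssl".
snort[29740]: FATAL ERROR: /opt/config/etc/snort-prod/prod_ids.conf(93) Unknown preprocessor: "dcerpc2"
'''

# snort[pid]: FATAL ERROR: <conf path>(<line>) Unknown preprocessor: "<name>"
FATAL_RE = re.compile(
    r'snort\[(?P<pid>\d+)\]:\s+FATAL ERROR:\s+'
    r'(?P<conf>\S+)\((?P<line>\d+)\)\s+'
    r'Unknown preprocessor:\s+"(?P<name>[^"]+)"'
)


def unknown_preprocessors(log_text):
    """Return {conf_path: sorted [(line_no, preprocessor), ...]}.

    Snort stops at the first fatal error, so each failed start reports
    one preprocessor; repeated attempts are deduplicated here.
    """
    found = defaultdict(set)
    for m in FATAL_RE.finditer(log_text):
        found[m["conf"]].add((int(m["line"]), m["name"]))
    return {conf: sorted(hits) for conf, hits in found.items()}


def report(log_text):
    """Render the grouped result as plain text, one config file per block."""
    out = []
    for conf, hits in sorted(unknown_preprocessors(log_text).items()):
        out.append(conf)
        for line_no, name in hits:
            out.append(f"  line {line_no}: preprocessor {name}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE))
```
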
Current thread:
- Several problems with snort 2.9.1.2 under OpenBSD 5.0 carlopmart (Nov 05)
- Re: [Snort-Users] Several problems with snort 2.9.1.2 under OpenBSD 5.0 Joel Esler (Nov 05)
- Re: [Snort-Users] Several problems with snort 2.9.1.2 under OpenBSD 5.0 Joel Esler (Nov 05)
- Re: Several problems with snort 2.9.1.2 under OpenBSD 5.0 Randal T. Rioux (Nov 05)