Snort mailing list archives

Several problems with snort 2.9.1.2 under OpenBSD 5.0

From: carlopmart <carlopmart () gmail com>
Date: Sat, 05 Nov 2011 21:35:35 +0100
Hi all,

  I am trying to install snort 2.9.1.2 under an OpenBSD 5.0 server, but 
exists several problems. First, during compilation, console display a 
lot of errors, but the most common is:

*** Warning: This system can not link to static lib archive 
/opt/soft/daq/lib/libdaq_static.la.
*** I have the capability to make that library automatically link in when
*** you link to this library.  But I can only do this if you have a
*** shared version of the library, which you do not appear to have.
*** But as you try to build a module library, libtool will still create
*** a static module, that should work as long as the dlopening application
*** is linked with the -dlopen flag to resolve symbols at runtime.

  .. adn others like this on every preprocessor:

In file included from ../include/sf_ip.h:36,
                  from ../include/sfPolicy.h:24,
                  from ../include/sfPolicyUserData.c:27:
/usr/include/arpa/inet.h:74: warning: 'struct in_addr' declared inside 
parameter list
/usr/include/arpa/inet.h:74: warning: its scope is only this definition 
or declaration, which is probably not what you want
/usr/include/arpa/inet.h:75: warning: 'struct in_addr' declared inside 
parameter list

After that, and trying a minimal configuration, some preprocessors are 
disabled due to problems with the compilation process:


snort[15646]: FATAL ERROR: /opt/config/etc/snort-common/snort.conf(64) 
Unknown preprocessor: "ftp_telnet".

snort[8522]: FATAL ERROR: /opt/config/etc/snort-common/snort.conf(140) 
Unknown preprocessor: "smtp".

snort[23671]: FATAL ERROR: /opt/config/etc/snort-common/snort.conf(148) 
Unknown preprocessor: "ssh".

snort[29740]: FATAL ERROR: /opt/config/etc/snort-prod/prod_ids.conf(93) 
Unknown preprocessor: "ssl".

snort[29740]: FATAL ERROR: /opt/config/etc/snort-prod/prod_ids.conf(93) 
Unknown preprocessor: "dcerpc2"

  ... and others like dns preprocessor, too ...

  After disabling all these preprocessors, and all rules associated, it 
seems that all works (only with 10 rules):

Nov  5 20:32:40 eorlingas snort[31702]: Rule application order: 
activation->dynamic->pass->drop->sdrop->reject->alert->log
Nov  5 20:32:40 eorlingas snort[31702]: Verifying Preprocessor 
Configurations!
Nov  5 20:32:40 eorlingas snort[31702]: ICMP tracking disabled, no ICMP 
sessions allocated
Nov  5 20:32:40 eorlingas snort[31702]:
Nov  5 20:32:40 eorlingas snort[31702]: [ Port Based Pattern Matching 
Memory ]
Nov  5 20:32:40 eorlingas snort[31702]: +- [ Aho-Corasick Summary ] 
-------------------------------------
Nov  5 20:32:40 eorlingas snort[31702]: | Storage Format    : Full-Q
Nov  5 20:32:40 eorlingas snort[31702]: | Finite Automaton  : DFA
Nov  5 20:32:40 eorlingas snort[31702]: | Alphabet Size     : 256 Chars
Nov  5 20:32:40 eorlingas snort[31702]: | Sizeof State      : Variable 
(1,2,4 bytes)
Nov  5 20:32:40 eorlingas snort[31702]: | Instances         : 6
Nov  5 20:32:40 eorlingas snort[31702]: |     1 byte states : 6
Nov  5 20:32:40 eorlingas snort[31702]: |     2 byte states : 0
Nov  5 20:32:40 eorlingas snort[31702]: |     4 byte states : 0
Nov  5 20:32:40 eorlingas snort[31702]: | Characters        : 239
Nov  5 20:32:40 eorlingas snort[31702]: | States            : 223
Nov  5 20:32:40 eorlingas snort[31702]: | Transitions       : 1022
Nov  5 20:32:40 eorlingas snort[31702]: | State Density     : 1.8%
Nov  5 20:32:40 eorlingas snort[31702]: | Patterns          : 15
Nov  5 20:32:40 eorlingas snort[31702]: | Match States      : 14
Nov  5 20:32:40 eorlingas snort[31702]: | Memory (KB)       : 71.27
Nov  5 20:32:40 eorlingas snort[31702]: |   Pattern         : 1.17
Nov  5 20:32:40 eorlingas snort[31702]: |   Match Lists     : 1.66
Nov  5 20:32:40 eorlingas snort[31702]: |   DFA
Nov  5 20:32:40 eorlingas snort[31702]: |     1 byte states : 57.06
Nov  5 20:32:40 eorlingas snort[31702]: |     2 byte states : 0.00
Nov  5 20:32:40 eorlingas snort[31702]: |     4 byte states : 0.00
Nov  5 20:32:40 eorlingas snort[31702]: 
+----------------------------------------------------------------
Nov  5 20:32:40 eorlingas snort[31702]: [ Number of patterns truncated 
to 20 bytes: 3 ]
Nov  5 20:32:40 eorlingas snort[31702]:
Nov  5 20:32:40 eorlingas snort[31702]: Packet Performance Monitor Config:
Nov  5 20:32:40 eorlingas snort[31702]:   ticks per usec  : 2217 ticks
Nov  5 20:32:40 eorlingas snort[31702]:   max packet time : 10000 usecs
Nov  5 20:32:40 eorlingas snort[31702]:   packet action   :
Nov  5 20:32:40 eorlingas snort[31702]: fastpath-expensive-packets
Nov  5 20:32:40 eorlingas snort[31702]:   packet logging  : log
Nov  5 20:32:40 eorlingas snort[31702]:   debug-pkts      : disabled
Nov  5 20:32:40 eorlingas snort[31702]: pcap DAQ configured to passive.
Nov  5 20:32:40 eorlingas snort[31702]: Acquiring network traffic from 
"em9".
Nov  5 20:32:40 eorlingas snort[31702]: Initializing daemon mode
Nov  5 20:32:40 eorlingas snort[29023]: Daemon initialized, signaled 
parent pid: 31702
Nov  5 20:32:40 eorlingas snort[29023]: Reload thread starting...
Nov  5 20:32:40 eorlingas snort[29023]: Reload thread started, thread 
0x87cd8800 (29023)
Nov  5 20:32:40 eorlingas snort[29023]: Attribute Table Reload Thread 
Starting...
Nov  5 20:32:40 eorlingas snort[29023]: Attribute Table Reload Thread 
Started, thread 0x8929cc00 (29023)
Nov  5 20:32:40 eorlingas snort[29023]: Decoding Ethernet
Nov  5 20:32:40 eorlingas snort[29023]: Checking PID path...
Nov  5 20:32:40 eorlingas snort[29023]: PID path stat checked out ok, 
PID path set to /var/run/
Nov  5 20:32:40 eorlingas snort[29023]: Writing PID "29023" to file 
"/var/run//snort_em9.pid"



Nov  5 20:32:48 eorlingas snort[29023]:
Nov  5 20:32:48 eorlingas snort[29023]:         --== Initialization 
Complete ==--
Nov  5 20:32:48 eorlingas snort[29023]: Commencing packet processing 
(pid=29023)

  .. But it is really hard to work with these few preprocessors ... What 
snort version works well with OpenBSD??

Thanks.


-- 
CL Martinez
carlopmart {at} gmail {d0t} com

------------------------------------------------------------------------------
RSA(R) Conference 2012
Save $700 by Nov 18
Register now
http://p.sf.net/sfu/rsa-sfdev2dev1
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:

Several problems with snort 2.9.1.2 under OpenBSD 5.0 carlopmart (Nov 05)
- Re: [Snort-Users] Several problems with snort 2.9.1.2 under OpenBSD 5.0 Joel Esler (Nov 05)
- Re: [Snort-Users] Several problems with snort 2.9.1.2 under OpenBSD 5.0 Joel Esler (Nov 05)
  - Re: Several problems with snort 2.9.1.2 under OpenBSD 5.0 Randal T. Rioux (Nov 05)