Snort mailing list archives
Re: MySQL support for Snort 2.9.4
From: Kaya Saman <kayasaman () gmail com>
Date: Tue, 11 Dec 2012 02:28:12 +0000
On 12/11/2012 02:22 AM, Jeremy Hoel wrote:
yes.. you can use ipvar for just ipv4 only. Now that I'm in front of a computer.. I see I may have over simplified something.. You have preprocessor stanzas in your config (frag, stream, ftp, smtp, etc).. so you need to have those preprocessors loaded. When you mentioned the folder they had been looking for was empty, did you by chance look for them in another folder?
I finally found the information and it's all where it's supposed to be.
You are using OpenBSD 5.2 SPARC64 and I haven't used that, so it could be they got installed somewhere else. Did you install from source or from the package manager?
Installed from source as OpenBSD doesn't yet "officially" support version 2.9.x. I am using Daq version 2.0.0 from my first test with Snort 2.9.4 - could this be the issue? Should I downgrade to 1.1.1? However, the install went ok with no errors at all from Snort's point of view!
On Mon, Dec 10, 2012 at 7:14 PM, Kaya Saman <kayasaman () gmail com> wrote:
On 12/11/2012 02:07 AM, Jeremy Hoel wrote:
yes.. it could be. If you have no files there then you can comment those out. And you can use ipvar for ipv4 only.. that's not a problem, I just didn't know if you had var or ipvar before and if you planned on using ipv6 (that preprocessor was v6)
Ok first quick question, can ipvar be used for both ipv4 and ipv6?
Also after commenting the two preprocessor lines out:
    # path to dynamic preprocessor libraries
    #dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
    # path to base preprocessor engine
    dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
    # path to dynamic rules libraries
    #dynamicdetection directory /usr/local/lib/snort_dynamicrules
I get this:
    ERROR: /etc/snort/snort.conf(337) Unknown preprocessor: "ftp_telnet".
Something still isn't right??
On Mon, Dec 10, 2012 at 6:52 PM, Kaya Saman <kayasaman () gmail com> wrote:
On 12/11/2012 01:41 AM, Jeremy Hoel wrote:
Without looking at the Google's, normally preprocessor errors are missing files. Look in your snort conf and make sure the paths to the preprocessors are correct. And if you are using ipv6 addresses make sure you use ipvar vs var in snort conf.
Hmm.... this is interesting. I reverted my config back from ipvar to var since I'm using IPv4.
The libraries are set up as such:
    # path to dynamic preprocessor libraries
    dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
    # path to base preprocessor engine
    dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
    # path to dynamic rules libraries
    dynamicdetection directory /usr/local/lib/snort_dynamicrules
of which they are all there:
    # ls /usr/local/lib | grep snort
    snort_dynamicengine
    snort_dynamicpreprocessor
    snort_dynamicrules
The rules have been set up as such:
    var RULE_PATH ./rules
    var SO_RULE_PATH ./so_rules
    var PREPROC_RULE_PATH ./preproc_rules
All the *rules files and directories reside within /etc/snort/ - I have also attempted to put the full dir path too; /etc/snort/rules etc... - which didn't yield any difference.
I'm not sure what's going on, I don't have anything in the dynamicrules or dynamicpreprocessor folders though! Could this be the issue?
Regards, Kaya
On Dec 10, 2012 6:16 PM, "Kaya Saman" <kayasaman () gmail com> wrote:
On 12/11/2012 01:13 AM, beenph wrote:
On Mon, Dec 10, 2012 at 8:04 PM, Kaya Saman <kayasaman () gmail com> wrote:
I've just compiled and installed Barnyard2 now and currently working on the integration with snort 2.9.3.1. I just wonder if I will need to do anything different for my BASE setup??
No, it uses the same schema and should continue to work as expected, the main difference being that it's barnyard2 that feeds the database.
-elz
Thanks for the response!
I know I should ask this in a new Subject Heading however I'm getting this error while trying to start Snort:
    ERROR: Failed to initialize dynamic preprocessor: SF_SSLPP (IPV6) version 1.1.4 (-1)
    # snort -V
       ,,_     -*> Snort! <*-
      o"  )~   Version 2.9.3.1 IPv6 GRE (Build 40)
       ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
               Copyright (C) 1998-2012 Sourcefire, Inc., et al.
               Using libpcap version 1.3.0
               Using PCRE version: 8.30 2012-02-04
               Using ZLIB version: 1.2.3
OS is OpenBSD 5.2 SPARC64
Am running:
    snort -T -i trunk0 -c /etc/snort/snort.conf
to start snort
Am currently Google'ing it but not getting very far.......
Regards, Kaya
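A check for the situation discussed in this thread, as an added example that is not part of any poster's message or of Snort itself: it reads a snort.conf, reports whether each dynamicpreprocessor, dynamicengine and dynamicdetection path is commented out, missing or empty of shared libraries, and warns when preprocessor stanzas remain without a usable preprocessor library path. The function names, status words and the sample tree are assumptions constructed for illustration.

```shell
# Added example: audit the dynamic* directives of a Snort 2.x snort.conf.
# Prints one status line per directive and returns 1 if any problem is found.
check_snort_dynlibs() {
    conf=$1; rc=0; usable_pp=0
    [ -r "$conf" ] || { echo "ERROR cannot read $conf"; return 2; }
    # Emit "<flag> <keyword> <path>"; the flag is "#-" when commented out.
    found=$(sed -n -E 's/^[[:space:]]*(#?)[[:space:]]*(dynamicpreprocessor|dynamicengine|dynamicdetection)[[:space:]]+((directory|file)[[:space:]]+)?([^[:space:]]+).*/\1- \2 \5/p' "$conf")
    while read -r flag kind path; do
        [ -n "$kind" ] || continue
        if [ "$flag" = "#-" ]; then
            echo "DISABLED $kind $path"; continue
        fi
        if [ -f "$path" ]; then st=OK
        elif [ ! -d "$path" ]; then st=MISSING
        elif ls "$path"/*.so* >/dev/null 2>&1; then st=OK
        else st=EMPTY; fi
        [ "$st" = OK ] || rc=1
        [ "$st" = OK ] && [ "$kind" = dynamicpreprocessor ] && usable_pp=1
        echo "$st $kind $path"
    done <<EOF
$found
EOF
    # Stanzas that need a library, e.g. the thread's ftp_telnet, fail as
    # "Unknown preprocessor" when no directory with libraries is active.
    n=$(grep -c -E '^[[:space:]]*preprocessor[[:space:]]' "$conf" || true)
    if [ "$n" -gt 0 ] && [ "$usable_pp" -eq 0 ]; then
        echo "WARN $n preprocessor stanzas, no usable dynamicpreprocessor path"
        rc=1
    fi
    return $rc
}

# Constructed sample combining the two states described in the thread:
# preprocessor directory commented out, rules directory present but empty.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/snort_dynamicengine" "$d/snort_dynamicrules"
    : > "$d/snort_dynamicengine/libsf_engine.so"
    cat > "$d/snort.conf" <<EOF
#dynamicpreprocessor directory $d/snort_dynamicpreprocessor/
dynamicengine $d/snort_dynamicengine/libsf_engine.so
dynamicdetection directory $d/snort_dynamicrules
preprocessor ftp_telnet: global inspection_type stateful
EOF
    echo "$d/snort.conf"
}
sample=$(make_sample)
check_snort_dynlibs "$sample" || echo "problems found (status $?)"
```

Running it against the real /etc/snort/snort.conf before `snort -T` separates a path problem from a library that is present but fails to initialize.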