Snort mailing list archives

Re: AW: Snort Inline - ip_queue dies


From: webcatalog () mac com
Date: Wed, 12 Mar 2003 11:24:36 -0600

I got snort-inline 1.9.1 to compile. I did hit 3 snags; here is how I finally got it to compile.

 ERROR!  Libipq library/headers not found, go get it from
    www.netfilter.org
    or use the --with-libipq-* options, if you have it installed
    in unusual place

I forgot to run "make install-devel" on the iptables-1.2.7a install.

The second complained about libnet.h,

/usr/include/libnet.h:87:8: warning: multi-line string literals are deprecated
make[3]: *** [inline.o] Error 1
make[3]: Leaving directory `/root/snort_inline-1.9.1/src'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/root/snort_inline-1.9.1/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/root/snort_inline-1.9.1'
make: *** [all] Error 2

Once I restarted with iptables1.2.7a, that disappeared.

The next snag was with libpcap; I had to create a pcap directory.

inline.c:2:23: pcap/pcap.h: No such file or directory
make[3]: *** [inline.o] Error 1
make[3]: Leaving directory `/root/snort-inline/src'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/root/snort-inline/src'

mkdir /usr/include/pcap
cd /usr/include/pcap
ln -s ../pcap.h pcap.h
ln -s ../pcap-namedb.h pcap-namedb.h

This will create sym links in the pcap directory.

Once I did this everything worked great. Now I just need to patch the kernel, so I can get ip_queue to work. Where did you get the patch-o-matic?

Sincerely,


On Wednesday, March 12, 2003, at 02:25 AM, Jochen Vogel wrote:

hi,

i did the following

-installed RedHat8.0 minimal
-updated all packages over RHN
-get kernel-2.4.18-26.8.0 from RHN
-installed patch-o-matic-20030107
-installed iptables-1.2.7a
-compiled 2 kernels (1 with ip_queue as module and 1 with ip_queue in the kernel)
-compiled snort-inline1.9.0 with --enable-inline

------------------------------------------------------------

snort-inline1.9.0 would compile and work well for a few minutes till i get a segmentation fault

snort-inline1.9.1 wouldn't compile because of a problem with libnet

------------------------------------------------------------

i saw that the ./configure from 1.9.1 checks for libnet 1.0.x. 1.9.0 didn't check the libnet version. i use libnet.h in version 1.1.1.1.

thx for help
jo





-----Original Message-----
From: Slighter, Tim [mailto:tslighter () itc nrcs usda gov]
Sent: Tuesday, March 11, 2003 15:38linux-2.4.18-26.8.0
To: 'Jochen Vogel'
Cc: 'snort-users () sourceforge net'
Subject: RE: [Snort-users] Snort Inline - ip_queue dies


Hate to drag you over the coals, but need a few more answers. You have the normal build of snort-1.9.0 on your system right? And then you compiled snort-inline.tgz on top of that right? You also successfully built the iptables-1.2.7a from netfilter? Providing all of that has been done. Wherever you "--prefix" snort-inline to...there will be a binary for snort-inline. Traditionally this binary will be in /usr/local/snort/bin...this is the binary that you must use when running snort-inline...otherwise you are using the normal snort binary and that will not work. In your command line, try and run the snort-inline binary in daemon mode as well:

/usr/local/bin/snort -D -d -v -c /etc/snort/snort.conf -Q -i ppp0 -l /var/log/snort/Mar_10/

-----Original Message-----
From: Jochen Vogel [mailto:jvogel () it-sec de]
Sent: Tuesday, March 11, 2003 1:44 AM
To: 'Slighter, Tim'; snort-users () sourceforge net
Subject: AW: [Snort-users] Snort Inline - ip_queue dies


hi,

i use:
-minimal RedHat8.0 with all updates
-iptables1.2.7a
-snort_inline1.9.0 (1.9.1 wouldn't compile)

-i used a kernel with ip_queue as module and did a modprobe ip_queue
-at the moment i use a kernel with the ip_queue in it

both kernel same failure
snort_inline works till the moment of the segmentation fault

thx for help
jo

-----Original Message-----
From: Slighter, Tim [mailto:tslighter () itc nrcs usda gov]
Sent: Monday, March 10, 2003 19:27
To: 'Jochen Vogel'; snort-users () sourceforge net
Subject: RE: [Snort-users] Snort Inline - ip_queue dies


did you verify that the mod exists for ip_queue? "lsmod | grep ip_queue" or just "lsmod" ?? if not, what I did to work around that is add that part into the inline script or the snortd script near the top...../sbin/modprobe ip_queue




-----Original Message-----
From: Jochen Vogel [mailto:jvogel () it-sec de]
Sent: Monday, March 10, 2003 9:40 AM
To: snort-users () sourceforge net
Subject: AW: [Snort-users] Snort Inline - ip_queue dies


if i start snort not as daemon

/usr/local/bin/snort -d -v -c /etc/snort/snort.conf -Q -i ppp0 -l /var/log/snort/Mar_10/

i get a "segmentation fault" at the same moment i get the ip_queue failure


-----Original Message-----
From: Jochen Vogel [mailto:jvogel () it-sec de]
Sent: Monday, March 10, 2003 12:09
To: snort-users () sourceforge net
Subject: [Snort-users] Snort Inline - ip_queue dies


hi,

i installed snort inline 1.9.0beta2
1.9.1 wouldn't compile at the moment.
ip_queue is a module started with the iptables script

snort inline is working well, but sometimes i get the syslog
"snolin kernel: ip_queue: peer 6329 died, resetting state and flushing queue"
after this message the snort daemon doesn't exist anymore.

thx for help
jo



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users







-------------------------------------------------------
This SF.net email is sponsored by:Crypto Challenge is now open!
Get cracking and register here for some mind boggling fun and
the chance of winning an Apple iPod:
http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0031en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Robert Minor
____________________________________
http://www.cybermill.com
Development, Hosting, Colocation on a multihomed DS3.

It takes a big man to allow himself to cry. . .
it takes a bigger man to laugh at that guy.
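
An added example, not part of the original thread: a pre-flight check that collects the snags reported above (libipq headers, libnet version, `pcap/pcap.h`, `ip_queue` availability) into one script. The header search paths, the `LIBNET_VERSION` macro name and the `/proc/net/ip_queue` entry are assumptions about a typical install, and the function name `preflight` is hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check for the build/runtime snags in this thread.
# Assumed (not stated in the thread): header locations under /usr/include and
# /usr/local/include, the LIBNET_VERSION macro, and /proc/net/ip_queue.
# Usage: preflight [ROOT]  (ROOT is an optional path prefix, e.g. a chroot)
# Prints one line per problem and returns the number of problems found.
preflight() {
    root=${1:-}
    inc="$root/usr/include"
    problems=0

    # Snag 1: libipq headers are only installed by "make install-devel".
    if [ ! -f "$inc/libipq.h" ] && [ ! -f "$root/usr/local/include/libipq.h" ]; then
        echo "libipq.h missing: run 'make install-devel' in the iptables tree"
        problems=$((problems + 1))
    fi

    # Snag 2: the 1.9.1 configure script checks for libnet 1.0.x.
    ver=$(sed -n 's/^#define[[:space:]]*LIBNET_VERSION[[:space:]]*"\([^"]*\)".*/\1/p' \
        "$inc/libnet.h" 2>/dev/null || true)
    case "$ver" in
        1.0.*) ;;
        "") echo "libnet.h missing or without LIBNET_VERSION"
            problems=$((problems + 1)) ;;
        *)  echo "libnet $ver found, configure checks for 1.0.x"
            problems=$((problems + 1)) ;;
    esac

    # Snag 3: inline.c includes pcap/pcap.h; -e also rejects dangling symlinks.
    for h in pcap.h pcap-namedb.h; do
        if [ ! -e "$inc/pcap/$h" ]; then
            echo "pcap/$h missing or a dangling symlink"
            problems=$((problems + 1))
        fi
    done

    # Runtime: ip_queue must be loaded as a module or built into the kernel.
    if [ ! -e "$root/proc/net/ip_queue" ]; then
        echo "ip_queue not available: try /sbin/modprobe ip_queue"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Check the live system only when asked: sh preflight.sh --run [ROOT]
if [ "${1:-}" = "--run" ]; then
    preflight "${2:-}"
fi
```
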




