Snort mailing list archives
Want to run Snort on x86_64 (CentOS 4.2/RHEL4)? Think again :)
From: Vanja Hrustic <vanja () pobox com>
Date: Sun, 20 Nov 2005 17:44:23 +0600
Or at least tell me I am wrong :)

Basically, after 2 days of struggling with Snort on CentOS 4.2 (x86_64), running on a DL360 G4 server (Xeon 3.0GHz, HT enabled, etc), I realized Snort won't work properly on this system, in 64-bit mode.

Ok, it compiles nicely, no errors or warnings. Everything seems to be ok. However, when it needs to alert - this is where things go ballistic. Simply, it does not alert on events. Even if you make a very simple rule, to match only 1 simple string ("AUTH123" in my case), you have a 12% chance that it will get caught. At least this was my experience.

I can see the traffic with "snort -dv port 25", for example, but when I type the string AUTH123 - it mostly doesn't raise any alarms. Then, sometimes, Snort will show an alert (coming from 1 direction only, although I've enabled the rule to catch all directions). You do the same thing 10 seconds later, and nothing happens. No alerts.

After much struggle (adding additional cards to the box, installing different network drivers, reconfiguring switches and ports, and a zillion other configuration changes), I've decided to compile Snort in 32-bit mode. Compiled (all with -m32) libpcap-0.9.4, pcre 6.3, and then Snort. It started, and suddenly alerts started showing up as expected.

I saw x86_64 RPMs of Snort at various places, so I assumed (heh, rule No.1 - "Never assume" :) it will work ok in 64-bit mode. However, it did not for me.

I am not sure if this problem is specific to CentOS 4.2 (RHEL4), or to all x86_64 distros, but I'd like to hear if anyone is using it in 64-bit mode, on an Intel Xeon machine, without problems.

Thanks.

Vanja