Snort mailing list archives

Want to run Snort on x86_64 (CentOS 4.2/RHEL4)? Think again :)


From: Vanja Hrustic <vanja () pobox com>
Date: Sun, 20 Nov 2005 17:44:23 +0600

Or at least tell me I am wrong :)

Basically, after 2 days of struggling with Snort on CentOS 4.2
(x86_64), running on a DL360 G4 server (Xeon 3.0GHz, HT enabled, etc), I
realized Snort won't work properly on this system, in 64-bit mode.

Ok, it compiles nice, no errors or warnings. Everything seems to be ok.

However, when it needs to alert - this is where things go ballistic.

Simply, it does not alert on events. Even if you make a very simple
rule, to match only 1 simple string ("AUTH123" in my case), you have
a 12% chance that it will get caught. At least this was my experience.

I can see the traffic with "snort -dv port 25", for example, but when I
type the string AUTH123 - it mostly doesn't raise any alarms. Then,
sometimes, Snort will show an alert (coming from 1 direction only,
although I've enabled the rule to catch all directions). You do the same
thing 10 seconds later, and nothing happens. No alerts.

After much struggle (adding additional cards to the box, installing
different network drivers, reconfiguring switches and ports, and
a zillion other configuration changes), I've decided to compile Snort
in 32-bit mode.

Compiled (all with -m32) libpcap-0.9.4, pcre 6.3, and then Snort.

It started, and suddenly alerts started showing up as expected.

I saw x86_64 RPMs of Snort at various places, so I assumed (heh, rule
No.1 - "Never assume" :) it will work ok in 64-bit mode. However, it
did not for me.

I am not sure if this problem is specific to CentOS 4.2 (RHEL4), or to
all x86_64 distros, but I'd like to hear if anyone is using it in
64-bit mode, on an Intel Xeon machine, without problems.

Thanks.

Vanja

