Snort mailing list archives
Building snort
From: Jon Urionaguena <juriona () nesys-st com>
Date: Wed, 14 May 2008 13:51:15 +0200
Hi all,

I am building a high speed IDS system trying to use pfring extensions, with libpcap modified. I'm trying to work with unified output format.

Kernel is built ok. New libpcap seems ok too. When I build snort (downloaded 2.7 and 2.8.1), I try to make it static, building against the libpcap.a just generated. All I can see is that the resulting binary does not give any dependence (ldd) against any libpcap. So I launch it...

But the unified file format it generates is wrong because it's full of messages of this kind:

"[**] [116:6:1] (snort_decoder) WARNING: IP dgm len > IP Hdr len! [**]"

Even if we have the option to avoid these messages in snort.conf. I guess I get a message for each packet we receive... The logs get enormous (50 Mbps link) and without any value.

Any hint?? Any other data I should supply?

On the other side, I have an old snort binary linked to the modified libpcap (that's what ldd says...) that seems to work ok (loads pfring on startup and gives normal alerts), but I compiled it before we had the pfring change (kernel and new libpcaps)??? It shouldn't work this way.

Building snort is being a strange experience for me, because I get too many issues I cannot fully understand... The flags I try to pass to configure script never seem to do anything... I'm turning crazy.

Thanks in advance,

--
Jon