Re: Building snort

[Jon Urionaguena <juriona () nesys-st com>]

Thanx Todd,

That was all!! I skipped a "config enable" sentence in the config file. 
This happens because of using a sample file and commenting lines...

Anyway, same config file for another snort binnary didn't show up so 
many warnings!! Why could that happen?

The system is a Debian Etch amd64 running on a Dual Core Xeon 1.6 GHz 
(Dell PE2950), 4 GB RAM and an Intel Pro/1000 PT card sniffing all the 
traffic (4 links of 1Gbps spanned (Cisco) to one).

Regards,

Jon

Todd Wease escribió:
> Do you have the following option in your snort.conf:
>
> config enable_decode_oversized_alerts
>
> This should be the option that enables that alert.
>
> Still I'm guessing that something else is wrong.  What kind of OS are
> you running on?
>
> Jon Urionaguena wrote:
>   
> > Thanx Todd,
> >
> > The output I´m using is:
> >
> > output log_unified: filename snort, limit 9000
> >
> > Which, in my system, logs text to an alert file, and binary format to
> > snort.log. Both files are growing too fast. The alert one is the one I
> > can "normally" read (text), that's why I suppose that the origin of this
> > warning is the one that makes snort log every packet in the unified
> > format. I can be in a big mistake... I will change the output and have a
> > look at the logs in a tcpdump format reader (aka wireshark) and give
> > more feedback.
> >
> >     
> > > It should read that the IP datagram length is greater than the pcap
> > >       
> > captured length from the IP header on.
> > We have the option "config disable_decode_alerts" set...
> > Could it be an error with the pf_ring and modified libpcap
> > implementation we are using?
> >
> >     
> > > Are you specifying a snaplen to snort?
> > >       
> > No, I'm not. The thing is that a 2.7 binnary works ok (seems to...) with
> > the same config file and same startup options. That's why I'm supposing
> > that the error is not in the config, but in the binnaries... Maybe a
> > compilation option. Don't know any.
> >
> > Regards,
> >
> > Jon
> >
> > Todd Wease escribió:
> >     
> > > Hello Jon,
> > >
> > > This message is actually wrong:
> > >
> > > "[**] [116:6:1] (snort_decoder) WARNING: IP dgm len > IP Hdr len! [**]"
> > >
> > > It should read that the IP datagram length is greater than the pcap
> > > captured length from the IP header on.
> > >
> > > Also, you shouldn't see messages like that in a unified file and I'm not
> > > sure any postprocessor would show the data that way.  Sounds like you're
> > > just looking at a text alert file.
> > >
> > > Are you specifying a snaplen to snort?  If so, remove it.  If not, try
> > > logging in tcpdump mode and look at the resulting snort.log.<timestamp>
> > > in Wireshark and see what those packets look like.
> > >
> > > Todd
> > >
> > > Jon Urionaguena wrote:
> > >  
> > >       
> > > > Hi all,
> > > >
> > > > I am building a high speed IDS system trying to use pfring
> > > > extensions, with libpcap modified. I'm trying to work with unified
> > > > output format.
> > > >
> > > > Kernel is built ok. New libpcap seems ok too.
> > > >
> > > > When I build snort (downloaded 2.7 and 2.8.1),  I try to make it
> > > > static building against the libpcap.a just generated. All I can see
> > > > is that the resulting binnary does not give any dependence (ldd)
> > > > against any libpcap.
> > > >
> > > > So I launch it... But the unified file format it generates is wrong
> > > > because it´s full of messages of this kind:
> > > >
> > > > "[**] [116:6:1] (snort_decoder) WARNING: IP dgm len > IP Hdr len! [**]"
> > > >
> > > > Even if we have the option to avoid these messages in snort.conf. I
> > > > guess I get a message for each packet we receive... The logs get
> > > > enormous (50 Mbps link) and without any value.
> > > >
> > > > Any hint?? Any other data I should supply?
> > > >
> > > > On the other side, I have an old snort binnary linked to the modified
> > > > libpcap (that's what ldd says...) that seems to work ok (loads pfring
> > > > on startup and gives normal alerts), but I compiled it before we had
> > > > the pfring change (kernel and new libpcaps)??? It shouldn't work this
> > > > way.
> > > >
> > > > Building snort is being a strange experience for me, because I get to
> > > > many issues I can not fully understand... The flags I try to pass to
> > > > configure script never seem to do anything... I'm turning crazy.
> > > >
> > > > Thanx in advance,
> > > >
> > > >     
> > > >         
> > >   
> > >       
>
>
>   

-- 

Jon 


-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft 
Defy all challenges. Microsoft(R) Visual Studio 2008. 
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users