Snort mailing list archives

Re: Snort on Leopard 10.5.4...getting there


From: James Lay <jlay () slave-tothe-box net>
Date: Sat, 13 Sep 2008 12:26:07 -0600




On 9/13/08 10:59 AM, "Martin Roesch" <mroesch () sourcefire com> wrote:

What's the command line and snort.conf file you're using with Snort
when it errors out?  If you look in the BUGS file that comes with the
source distro you'll see all the info we need and where to send it to
diagnose your problem.

Marty

On Sat, Sep 13, 2008 at 9:56 AM, James Lay <jlay () slave-tothe-box net> wrote:
So I've got snort 2.8.3 running right now on Leo 10.5.4 (YaY).  Dynamic
preprocessors tank with a Bus Error however.  Who do I send the crash log
to?  Also, does anyone have a good plist startup file for snort on OS X?
 Everything works but the filter option (example:  "ip and not host bleh")
doesn't seem to get passed correctly to snort:

Sep  9 19:51:30 slave-tothe-box snort[346]: FATAL ERROR: OpenPcap() FSM compilation failed: \n        illegal token: "\nPCAP command: "ip and not port 21746"

Of course, running command line it works just fine (have I mentioned how
much I loathe launchd?).

Danke folks

James

The command line is:

/usr/snort/bin/snort -i ppp0 -D -u nobody -g nobody -o -c /usr/snort/etc/snort/snort.conf -l /usr/snort/var/log "ip and not port 21746"

I used Lingon to create a .plist file and after removing the ""'s from the
filter it works now.  This changed from:

        <string>/usr/snort/var/log</string>
        <string>"ip</string>
        <string>and</string>
        <string>not</string>
        <string>port</string>
        <string>21746"</string>
    </array>

To

        <string>ip and not port 21746</string>
    </array>

This works fine now.

As for the snort.conf, I had to comment out all the dynamic preprocessor
jazz to get it to run without a Bus Error:

#dynamicpreprocessor directory /usr/snort/lib/snort_dynamicpreprocessor/
#dynamicengine /usr/snort/lib/snort_dynamicengine/libsf_engine.dylib
#dynamicdetection directory /usr/snort/lib/snort_dynamicrule/

and the dns, smtp, dce, and telnet/ftp dynamic preprocessors.  Once that was
done it came up with no error.  I'll look through the BUGS and send along,
but here's some of the info from the crash file:

Process:         snort [72780]
Path:            /usr/snort/bin/snort
Identifier:      snort
Version:         ??? (???)
Code Type:       PPC (Native)
Parent Process:  bash [71934]

Exception Type:  EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000000
Crashed Thread:  0

Thread 0 Crashed:
0   ???                               0000000000 0 + 0
1   libsf_ssl_preproc.0.0.0.dylib     0x022c27d0 InitializePreprocessor + 432
2   snort                             0x0004d194 InitDynamicPreprocessorPlugins + 84
3   snort                             0x0004d50c InitDynamicPreprocessors + 588
4   snort                             0x0001da84 SnortMain + 2276
5   snort                             0x000024b4 start + 68
6   ???                               0000000000 0 + 0

Thanks Marty,

James
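A complete launchd job definition assembled from the command line and the fixed filter element above, as an added example that is not James's Lingon-generated file or anything shipped with Snort. The point it shows is why the quotes had to go: launchd hands ProgramArguments straight to execve with no shell in between, so each array element is exactly one argv entry and any literal `"` is delivered to Snort's BPF compiler unchanged. Paths, interface, user and filter are taken from the thread; the job label `org.snort.snort`, the stderr log path and the RunAtLoad/KeepAlive choices are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>org.snort.snort</string>   <!-- assumed job name; file is /Library/LaunchDaemons/org.snort.snort.plist -->

    <key>ProgramArguments</key>
    <array>
        <!-- one <string> per argv entry: no shell runs, so nothing strips quotes or splits words -->
        <string>/usr/snort/bin/snort</string>
        <string>-i</string>
        <string>ppp0</string>
        <string>-u</string>
        <string>nobody</string>
        <string>-g</string>
        <string>nobody</string>
        <string>-o</string>
        <string>-c</string>
        <string>/usr/snort/etc/snort/snort.conf</string>
        <string>-l</string>
        <string>/usr/snort/var/log</string>
        <!-- the whole BPF filter is a single argument; a literal quote here would reach pcap_compile
             as an "illegal token", which is the FATAL ERROR seen in the thread -->
        <string>ip and not port 21746</string>
    </array>

    <!-- -D is deliberately omitted: launchd supervises the process itself, and a job that forks
         into the background looks to launchd like a job that exited -->
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <true/>

    <key>StandardErrorPath</key>
    <string>/usr/snort/var/log/snort.launchd.err</string>   <!-- assumed path for startup errors -->
</dict>
</plist>
```

Check the file with `plutil -lint /Library/LaunchDaemons/org.snort.snort.plist` before loading it, load it with `sudo launchctl load -w` on that path, and confirm with `launchctl list | grep org.snort` that the job stays resident instead of being relaunched in a loop; the BPF error, if the filter element is still wrong, lands in the StandardErrorPath file rather than only in syslog.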


