Snort mailing list archives

2.8.4 to 2.8.5 wild ride


From: "John York" <YorkJ () brcc edu>
Date: Fri, 25 Sep 2009 16:06:07 -0400

Hi

I'm running on Ubuntu 8.04LTS, Snort compiled from source, with
pulledpork fixing up the SO rules for me.  Snort 2.8.4 with CURRENT
rules was working fine.  I know you're only supposed to run CURRENT if you
use the CVS current version of Snort, but what the hey?  It was working.

After the upgrade to 2.8.5, PulledPork ran Snort to set up the so rules
and got this error:
ERROR: /usr/local/etc/snort/snort.conf(190) Config option "detection"
can only be configured once.
Fatal Error, Quitting..

@$%#@!!!  Busted.  Guess I'll have to go to the 2.8 rules.

(It turned out the error was caused by these lines from my old 2.8.4
snort.conf.  Went back to 2.8 rules anyway.)
config detection: search-method ac-bnfa
config detection: max_queue_events 5

So, changed PulledPork to point to 2.8 rules, took the 2.8.5 snort.conf
and moved all my stuff into it.  I was amazed at how much difference
there was between the current and 2.8.5 snort.conf files--lots more
stuff in the current version.

The next time Snort ran, it had segmentation faults.  That turned out to
happen any time any one of these lines appeared in snort.conf (moved
over from the CURRENT config, thinking they were necessary for the SO
rules):

dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so

OK, "Do not meddle in the affairs of wizards, for they are subtle and
quick to anger."  Comment all those out, hope the so rules still run.

Woohoo!  Snort runs!

After 3 hours, Ruh Roh.  Snort's been pretty busy:
Rule            Hits
3:13287:3       2,861,181
3:8092:3        1,191,487
3:13307:1       993,864
3:8351:4        521,964
3:15450:2       226,397
3:13825:2       1,626
3:13827:2       1,626

SO rules are running all right--never saw anything near this number of
hits, though.  Ouch.  At the moment I'm trying to decide whether to
comment out those rules, give CURRENT another try with the 2.8.5 CURRENT
config file, or punt.


John York
Network Engineer
Blue Ridge Community College
1 College Lane, Weyers Cave, VA
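Added example, not part of the post above and not Snort's own code: a small Python checker that reads a snort.conf and reports any "config <option>:" directive that appears more than once, which is the condition behind the "can only be configured once" error the post hit after moving to 2.8.5. The sample configuration embedded below is constructed to mirror the two "config detection:" lines the poster found; the merged line it proposes assumes, as the Snort manual shows for this directive, that the options of one "config detection:" line are separated by spaces.

```python
import re
import sys
from collections import defaultdict

# Constructed snort.conf fragment modelled on the post (not the poster's file):
# "detection" is set on two separate lines, which Snort 2.8.5 refuses.
SAMPLE_CONF = """\
# constructed snort.conf fragment, modelled on the post (not the poster's file)
config logdir: /var/log/snort
config detection: search-method ac-bnfa
config checksum_mode: all
config detection: max_queue_events 5
config disable_decode_alerts
"""

# Matches "config <option>" with an optional ": <value>" part; trailing
# whitespace is excluded from the captured value by the lazy group + \s*$.
CONFIG_RE = re.compile(r"^\s*config\s+([A-Za-z0-9_\-]+)\s*(?::\s*(.*?))?\s*$")


def parse_config_directives(text):
    """Return {option: [(line_no, value), ...]} for every 'config' line.

    value is None for flag-style directives that take no ':' part.
    Comments (everything after '#') are ignored.
    """
    found = defaultdict(list)
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]
        match = CONFIG_RE.match(line)
        if match:
            found[match.group(1)].append((line_no, match.group(2)))
    return dict(found)


def find_duplicates(text):
    """Options configured on more than one line (what 2.8.5 rejects)."""
    return {opt: hits for opt, hits in parse_config_directives(text).items()
            if len(hits) > 1}


def merged_directive(option, entries):
    """Propose a single line carrying all values of a duplicated option.

    Assumption: the option's settings are space-separated on one line, as the
    Snort manual shows for 'config detection:'.
    """
    values = [value for _, value in entries if value]
    return f"config {option}: " + " ".join(values)


def report(text):
    """Human-readable lines describing each duplicated directive and a fix."""
    lines = []
    for option, entries in sorted(find_duplicates(text).items()):
        where = ", ".join(f"line {n}" for n, _ in entries)
        lines.append(f'"{option}" is configured more than once ({where})')
        lines.append("  suggested single line: " + merged_directive(option, entries))
    return lines


if __name__ == "__main__":
    # Usage: python check_snort_conf.py /usr/local/etc/snort/snort.conf
    # With no argument the constructed sample is checked instead.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    problems = report(text)
    print("\n".join(problems) if problems else "no duplicated config directives")
    sys.exit(1 if problems else 0)
```

Run against the sample it flags "detection" on lines 3 and 5 and suggests one "config detection: search-method ac-bnfa max_queue_events 5" line; running it over a real snort.conf before starting the daemon turns the fatal startup error into a pre-check.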


