Snort mailing list archives
2.8.4 to 2.8.5 wild ride
From: "John York" <YorkJ () brcc edu>
Date: Fri, 25 Sep 2009 16:06:07 -0400
Hi,

I'm running on Ubuntu 8.04 LTS, Snort compiled from source, with PulledPork fixing up the SO rules for me. Snort 2.8.4 with CURRENT rules was working fine. I know you're only supposed to run CURRENT if you use the CVS current version of Snort, but what the hey? It was working.

After the upgrade to 2.8.5, PulledPork ran Snort to set up the SO rules and got this error:

    ERROR: /usr/local/etc/snort/snort.conf(190) Config option "detection" can only be configured once.
    Fatal Error, Quitting..

@$%#@!!! Busted. Guess I'll have to go to the 2.8 rules. (It turned out the error was caused by these lines from my old 2.8.4 snort.conf. Went back to 2.8 rules anyway.)

    config detection: search-method ac-bnfa
    config detection: max_queue_events 5

So, I changed PulledPork to point to the 2.8 rules, took the 2.8.5 snort.conf and moved all my stuff into it. I was amazed at how much difference there was between the CURRENT and 2.8.5 snort.conf files--lots more stuff in the CURRENT version.

The next time Snort ran, it had segmentation faults. That turned out to happen any time any one of these lines appeared in snort.conf (moved over from the CURRENT config, thinking they were necessary for the SO rules):

    dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so
    dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so
    dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so
    dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so
    dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so
    dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so

OK, "Do not meddle in the affairs of wizards, for they are subtle and quick to anger." Comment all those out, hope the SO rules still run. Woohoo! Snort runs!

After 3 hours, Ruh Roh. Snort's been pretty busy:

    Rule        Hits
    3:13287:3   2,861,181
    3:8092:3    1,191,487
    3:13307:1     993,864
    3:8351:4      521,964
    3:15450:2     226,397
    3:13825:2       1,626
    3:13827:2       1,626

SO rules are running all right--never saw anything near this number of hits, though. Ouch. At the moment I'm trying to decide whether to comment out those rules, give CURRENT another try with the 2.8.5 CURRENT config file, or punt.

John York
Network Engineer
Blue Ridge Community College
1 College Lane, Weyers Cave, VA
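As an added example (not part of the post, and not Snort's or PulledPork's own code), a small Python pre-flight check for the two snort.conf problems described above: it folds multiple `config detection:` lines into one directive, on the assumption that 2.8.5 accepts the options combined on a single line, and lists `dynamicpreprocessor file` paths that do not exist on the host, so a missing or stale preprocessor library is caught before Snort is started. The sample config fragment is constructed from the lines in the post.

```python
import os
import re
from typing import Callable, List, Optional, Tuple

# Constructed sample mirroring the 2.8.4-era lines quoted in the post.
SAMPLE_CONF = """\
config detection: search-method ac-bnfa
config detection: max_queue_events 5
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so
dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so
"""

DETECTION_RE = re.compile(r"^\s*config\s+detection\s*:\s*(.*?)\s*$")
PREPROC_RE = re.compile(r"^\s*dynamicpreprocessor\s+file\s+(\S+)")


def merge_detection_lines(conf_text: str) -> Tuple[str, int]:
    """Collapse every 'config detection:' line into a single directive
    placed where the first one was. Returns (rewritten_conf, lines_merged)."""
    opts: List[str] = []
    kept: List[str] = []
    first_idx: Optional[int] = None
    for line in conf_text.splitlines():
        m = DETECTION_RE.match(line)
        if m:
            if first_idx is None:
                first_idx = len(kept)
                kept.append("")  # placeholder, replaced by the merged line
            opts.append(m.group(1))
        else:
            kept.append(line)
    if first_idx is not None:
        kept[first_idx] = "config detection: " + " ".join(opts)
    return "\n".join(kept) + "\n", len(opts)


def missing_preprocessors(conf_text: str,
                          exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return every dynamicpreprocessor path in the config that is absent on disk.
    'exists' is injectable so the check can be exercised without the real files."""
    missing: List[str] = []
    for line in conf_text.splitlines():
        m = PREPROC_RE.match(line)
        if m and not exists(m.group(1)):
            missing.append(m.group(1))
    return missing


if __name__ == "__main__":
    merged, n = merge_detection_lines(SAMPLE_CONF)
    print(f"merged {n} 'config detection' lines:\n{merged}")
    print("missing preprocessors:", missing_preprocessors(SAMPLE_CONF))
```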