Re: 2.8.4 to 2.8.5 wild ride

[Ryan Jordan <ryan.jordan () sourcefire com>]

Allow me to explain a couple things... comments inline.

On Fri, Sep 25, 2009 at 4:06 PM, John York <YorkJ () brcc edu> wrote:

> Hi
>
> I'm running on Ubuntu 8.04LTS, Snort compiled from source, with
> pulledpork fixing up the SO rules for me.  Snort 2.8.4 with CURRENT
> rules was working fine.  I know you're only supposed run CURRENT if you
> use the CVS current version of Snort, but what the hey?  It was working.
>
> After the upgrade to 2.8.5, PulledPork ran Snort to set up the so rules
> and got this error:
> ERROR: /usr/local/etc/snort/snort.conf(190) Config option "detection"
> can only be configured once.
> Fatal Error, Quitting..


> @$%#@!!!  Busted.  Guess I'll have to go to the 2.8 rules.
>
> (It turned out the error was caused by these lines from my old 2.8.4
> snort.conf.  Went back to 2.8 rules anyway) config detection:
> search-method ac-bnfa config detection: max_queue_events 5

It would have sufficed to just combine those two into one "detection" line.
"config detection: search-method ac-bnfa max_queue_events 5".

Like they say, hindsight is 20/20.

> So, changed PulledPork to point to 2.8 rules, took the 2.8.5 snort.conf
> and moved all my stuff into it.  I was amazed at how much difference
> there was between the current and 2.8.5 snort.conf files--lots more
> stuff in the current version.
>
> The next time Snort ran, it had segmentation faults.  That turned out to
> happen any time any one of these lines appeared in snort.conf (moved
> over from the CURRENT config, thinking they were necessary for the SO
> rules):
>
> dynamicpreprocessor file
> /usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so
> dynamicpreprocessor file
> /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so
> dynamicpreprocessor file
> /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so
> dynamicpreprocessor file
> /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so
> dynamicpreprocessor file
> /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so
> dynamicpreprocessor file
> /usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so
>
> OK, "Do not meddle in the affairs of wizards, for they are subtle and
> quick to anger."  Comment all those out, hope the so rules still run.

Snort ships with .so files that contain the dynamic preprocessors. When you
install a new version of Snort, you need to make sure you install the new
versions of these files! Running a new Snort with old .so files will cause
segmentation faults.

Typically, this is handled by "make install", but if you used a new
directory for 2.8.5 then you need to make sure your snort.conf contains the
correct path.

I'm surprised that Snort ran after you commented out those lines. I guess
you didn't try to configure any of the dynamic preprocessors, or else you
would have been met with another error message.

> Woohoo!  Snort runs!
>
> After 3 hours, Ruh Roh.  Snort's been pretty busy:
> Rule            Hits
> 3:13287:3       2,861,181
> 3:8092:3        1,191,487
> 3:13307:1       993,864
> 3:8351:4        521,964
> 3:15450:2       226,397
> 3:13825:2       1,626
> 3:13827:2       1,626
> SO rules are running all right--never saw anything near this number of
> hits, though.  Ouch.  At the moment I'm trying to decide whether to
> comment out those rules, give CURRENT another try with the 2.8.5 CURRENT
> config file, or punt.

> John York
> Network Engineer
> Blue Ridge Community College
> 1 College Lane, Weyers Cave, VA
>
>
>
>
> ------------------------------------------------------------------------------
> Come build with us! The BlackBerry&reg; Developer Conference in SF, CA
> is the only developer event you need to attend this year. Jumpstart your
> developing skills, take BlackBerry mobile applications to market and stay
> ahead of the curve. Join us from November 9&#45;12, 2009. Register now&#33;
> http://p.sf.net/sfu/devconf
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users<https://lists.sourceforge.net/lists/listinfo/snort-users%0ASnort-users>list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------------
Come build with us! The BlackBerry&reg; Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay 
ahead of the curve. Join us from November 9&#45;12, 2009. Register now&#33;
http://p.sf.net/sfu/devconf

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users