Snort mailing list archives
Re: 2.8.4 to 2.8.5 wild ride
From: "John York" <YorkJ () brcc edu>
Date: Mon, 28 Sep 2009 13:20:11 -0400
Found it!!

The PulledPork subroutine copysorules is coded to use this path:

    $temp_path/tha_rules/so_rules/precompiled/$Distro/i386/$Snort/

For Ubuntu 8.04, there is only an x86-64 version and i386 doesn't exist. It looks like RHEL-5.0 is the same way. CentOS-5.0 and FC-9 have both. I've just changed the i386 to x86-64 in mine. The next version of PulledPork is going to need a processor variable that gets set in the .conf file.

Thanks
John

-----Original Message-----
From: John York
Sent: Monday, September 28, 2009 11:52 AM
To: Ryan Jordan
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] 2.8.4 to 2.8.5 wild ride

Thanks Ryan. Changing the detection line to this worked:

    config detection: search-method ac-bnfa max_queue_events 5

The seg fault problem appears to be related to my use of pulledpork. The .so rules were never making it to /usr/local/lib/snortdynamicrules. What I had in there dated back to 6/16/09. I manually copied the new precompiled rules, and everything ran. I'm looking for my problem with pulledpork at the moment, and will send an update when I find it.

Thanks
John

-----Original Message-----
From: Ryan Jordan [mailto:ryan.jordan () sourcefire com]
Sent: Monday, September 28, 2009 10:09 AM
To: John York
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] 2.8.4 to 2.8.5 wild ride

Allow me to explain a couple things... comments inline.

On Fri, Sep 25, 2009 at 4:06 PM, John York <YorkJ () brcc edu> wrote:

> Hi
>
> I'm running on Ubuntu 8.04LTS, Snort compiled from source, with pulledpork fixing up the SO rules for me. Snort 2.8.4 with CURRENT rules was working fine. I know you're only supposed to run CURRENT if you use the CVS current version of Snort, but what the hey? It was working.
>
> After the upgrade to 2.8.5, PulledPork ran Snort to set up the so rules and got this error:
>
>     ERROR: /usr/local/etc/snort/snort.conf(190) Config option "detection" can only be configured once.
>     Fatal Error, Quitting..
>
> @$%#@!!! Busted. Guess I'll have to go to the 2.8 rules. (It turned out the error was caused by these lines from my old 2.8.4 snort.conf. Went back to 2.8 rules anyway.)
>
>     config detection: search-method ac-bnfa
>     config detection: max_queue_events 5

It would have sufficed to just combine those two into one "detection" line:

    config detection: search-method ac-bnfa max_queue_events 5

Like they say, hindsight is 20/20.

> So, changed PulledPork to point to 2.8 rules, took the 2.8.5 snort.conf and moved all my stuff into it. I was amazed at how much difference there was between the current and 2.8.5 snort.conf files--lots more stuff in the current version.
>
> The next time Snort ran, it had segmentation faults. That turned out to happen any time any one of these lines appeared in snort.conf (moved over from the CURRENT config, thinking they were necessary for the SO rules):
>
>     dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so
>     dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so
>     dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so
>     dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so
>     dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so
>     dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so
>
> OK, "Do not meddle in the affairs of wizards, for they are subtle and quick to anger." Comment all those out, hope the so rules still run.

Snort ships with .so files that contain the dynamic preprocessors. When you install a new version of Snort, you need to make sure you install the new versions of these files! Running a new Snort with old .so files will cause segmentation faults. Typically, this is handled by "make install", but if you used a new directory for 2.8.5 then you need to make sure your snort.conf contains the correct path.

I'm surprised that Snort ran after you commented out those lines. I guess you didn't try to configure any of the dynamic preprocessors, or else you would have been met with another error message.

> Woohoo! Snort runs! After 3 hours, Ruh Roh. Snort's been pretty busy:
>
>     Rule        Hits
>     3:13287:3   2,861,181
>     3:8092:3    1,191,487
>     3:13307:1     993,864
>     3:8351:4      521,964
>     3:15450:2     226,397
>     3:13825:2       1,626
>     3:13827:2       1,626
>
> SO rules are running all right--never saw anything near this number of hits, though. Ouch. At the moment I'm trying to decide whether to comment out those rules, give CURRENT another try with the 2.8.5 CURRENT config file, or punt.
>
> John York
> Network Engineer
> Blue Ridge Community College
> 1 College Lane, Weyers Cave, VA

------------------------------------------------------------------------------
Come build with us! The BlackBerry® Developer Conference in SF, CA is the only developer event you need to attend this year. Jumpstart your developing skills, take BlackBerry mobile applications to market and stay ahead of the curve. Join us from November 9-12, 2009. Register now!
http://p.sf.net/sfu/devconf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
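The two failures in the thread above (a second "config detection:" line that Snort 2.8.5 refuses, and PulledPork's hard-coded i386 directory under tha_rules/so_rules/precompiled) can both be caught before Snort is started. The following is an added example, not code from Snort, PulledPork or any of the posters: it folds duplicate detection lines into one and resolves the precompiled SO-rules directory for the running machine's architecture without silently substituting another one. The distro directory names, the snort.conf excerpt and the tarball layout it builds are constructed for the demonstration.

```python
"""Preflight checks for a Snort 2.8.x upgrade (added example, not Snort or PulledPork code)."""
import os
import platform
import re
import tempfile
from typing import List, Optional, Tuple

# Matches an active (uncommented) "config detection:" line and captures its options.
DETECTION_RE = re.compile(r"^\s*config\s+detection\s*:\s*(.*?)\s*$")

# Constructed excerpt of a 2.8.4-era snort.conf with the two-line form that 2.8.5 rejects.
SAMPLE_CONF = """\
# constructed excerpt of a 2.8.4-era snort.conf
config detection: search-method ac-bnfa
config detection: max_queue_events 5
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
"""


def merge_detection_lines(conf_text: str) -> Tuple[str, int]:
    """Fold every active 'config detection:' line into a single line placed where the
    first one was.  Returns (rewritten text, number of extra lines folded)."""
    out: List[str] = []
    options: List[str] = []
    first_idx: Optional[int] = None
    count = 0
    for line in conf_text.splitlines():
        m = DETECTION_RE.match(line)
        if not m:
            out.append(line)
            continue
        count += 1
        if m.group(1):
            options.append(m.group(1))
        if first_idx is None:
            first_idx = len(out)
            out.append("")  # placeholder, replaced by the merged line below
    if first_idx is not None:
        out[first_idx] = "config detection: " + " ".join(options)
    text = "\n".join(out) + ("\n" if conf_text.endswith("\n") else "")
    return text, max(count - 1, 0)


def snort_arch() -> str:
    """Map platform.machine() to the arch directory names used in the thread (i386 / x86-64)."""
    m = platform.machine().lower()
    if m in ("x86_64", "amd64"):
        return "x86-64"
    if re.fullmatch(r"i[3-6]86", m):
        return "i386"
    return m  # unknown machine type: leave as-is so the caller sees a missing directory


def available_arches(temp_path: str, distro: str) -> List[str]:
    """List the arch directories the rules tarball ships for one distro."""
    base = os.path.join(temp_path, "tha_rules", "so_rules", "precompiled", distro)
    if not os.path.isdir(base):
        return []
    return sorted(d for d in os.listdir(base) if os.path.isdir(os.path.join(base, d)))


def precompiled_dir(temp_path: str, distro: str, snort_version: str, arch: str) -> Optional[str]:
    """Return the precompiled SO-rules directory for distro/arch/version, or None if the
    tarball has none.  Deliberately no fallback to another arch: a 64-bit .so will not
    load into a 32-bit Snort, and vice versa."""
    path = os.path.join(temp_path, "tha_rules", "so_rules", "precompiled",
                        distro, arch, snort_version)
    return path if os.path.isdir(path) else None


def run_demo() -> dict:
    """Run both checks against constructed input and return the results."""
    merged, folded = merge_detection_lines(SAMPLE_CONF)
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed tarball layout mirroring the thread: one distro ships only
        # x86-64, another ships both.  Distro directory names are assumed.
        for distro, arch in (("Ubuntu-8.04", "x86-64"),
                             ("CentOS-5.0", "i386"), ("CentOS-5.0", "x86-64")):
            os.makedirs(os.path.join(tmp, "tha_rules", "so_rules", "precompiled",
                                     distro, arch, "2.8.5"))
        return {
            "merged_conf": merged,
            "folded": folded,
            "ubuntu_arches": available_arches(tmp, "Ubuntu-8.04"),
            "ubuntu_i386": precompiled_dir(tmp, "Ubuntu-8.04", "2.8.5", "i386"),
            "ubuntu_x86_64_found": precompiled_dir(tmp, "Ubuntu-8.04", "2.8.5", "x86-64") is not None,
            "centos_arches": available_arches(tmp, "CentOS-5.0"),
        }


if __name__ == "__main__":
    r = run_demo()
    print(r["merged_conf"])
    print("folded", r["folded"], "detection line(s)")
    print("this host looks like", snort_arch())
    print("Ubuntu-8.04 i386 dir:", r["ubuntu_i386"], "| available:", r["ubuntu_arches"])
```

Run with no arguments to see the merged excerpt and which arch directories the constructed tarball offers; for a real upgrade, point precompiled_dir at the PulledPork temp path with snort_arch() as the arch, and treat None as "no SO rules for this build", not as a cue to copy the other architecture's files.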
Current thread:
- 2.8.4 to 2.8.5 wild ride John York (Sep 25)
- Re: 2.8.4 to 2.8.5 wild ride Ryan Jordan (Sep 28)
- Re: 2.8.4 to 2.8.5 wild ride John York (Sep 28)
- Re: 2.8.4 to 2.8.5 wild ride John York (Sep 28)
- Re: 2.8.4 to 2.8.5 wild ride John York (Sep 28)
- Re: 2.8.4 to 2.8.5 wild ride Joel Esler (Sep 28)
- Re: 2.8.4 to 2.8.5 wild ride John York (Sep 28)
- Re: 2.8.4 to 2.8.5 wild ride Ryan Jordan (Sep 28)