Snort mailing list archives

Re: 2.8.4 to 2.8.5 wild ride


From: "John York" <YorkJ () brcc edu>
Date: Mon, 28 Sep 2009 13:20:11 -0400

Found it!!  The PulledPork subroutine copysorules is coded to use this
path:

$temp_path/tha_rules/so_rules/precompiled/$Distro/i386/$Snort/

For Ubuntu 8.04, there is only an x86-64 version and i386 doesn't exist.
It looks like RHEL-5.0 is the same way.  CentOS-5.0 and FC-9 have both.

I've just changed the i386 to x86-64 in mine.  The next version of
PulledPork is going to need a processor variable that gets set in the
.conf file.

Thanks
John
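An added example, not PulledPork's own code, of the fallback a processor-aware copysorules needs: try the configured architecture first, then whichever of i386 or x86-64 the tarball actually shipped for that distro. The directory layout is the one quoted above; the distro directory names in the fixture are assumed, not copied from a real rules tarball.

```shell
#!/bin/sh
# Added example, not PulledPork's own code: resolve the precompiled SO rules
# directory with an architecture fallback, the way a processor-aware
# copysorules would have to.  Layout assumed from the thread:
#   $temp_path/tha_rules/so_rules/precompiled/$Distro/<arch>/$Snort/

# resolve_so_dir TEMP_PATH DISTRO SNORT_VERSION [PREFERRED_ARCH]
# Prints the first directory that exists and returns 0; prints nothing and
# returns 1 when the tarball has neither i386 nor x86-64 for that distro.
resolve_so_dir() {
    temp_path=$1; distro=$2; snort_ver=$3; pref=${4:-i386}
    base="$temp_path/tha_rules/so_rules/precompiled/$distro"
    # Preferred arch first, then both names seen in the thread.
    for arch in "$pref" i386 x86-64; do
        dir="$base/$arch/$snort_ver"
        if [ -d "$dir" ]; then
            printf '%s\n' "$dir"
            return 0
        fi
    done
    return 1
}

# make_fixture: constructed tree mirroring what the thread reports
# (Ubuntu 8.04 ships only x86-64, CentOS-5.0 ships both).  Distro
# directory names are assumed, not copied from a real tarball.
make_fixture() {
    root=$(mktemp -d)
    pre="$root/tha_rules/so_rules/precompiled"
    mkdir -p "$pre/Ubuntu-8.04/x86-64/2.8.5" \
             "$pre/CentOS-5.0/i386/2.8.5" \
             "$pre/CentOS-5.0/x86-64/2.8.5"
    printf '%s\n' "$root"
}

# Stand-alone run ("sh resolve_so.sh demo"): show what a 2.8.5 box on
# each distro would get, including the one with no precompiled rules.
if [ "${1:-}" = "demo" ]; then
    root=$(make_fixture)
    for d in Ubuntu-8.04 CentOS-5.0 FC-9; do
        resolve_so_dir "$root" "$d" 2.8.5 || echo "no precompiled SO rules for $d"
    done
    rm -rf "$root"
fi
```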

-----Original Message-----
From: John York 
Sent: Monday, September 28, 2009 11:52 AM
To: Ryan Jordan
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] 2.8.4 to 2.8.5 wild ride

Thanks Ryan.

Changing the detection line to this worked:
"config detection: search-method ac-bnfa max_queue_events 5"

The seg fault problem appears to be related to my use of pulledpork. The
.so rules were never making it to /usr/local/lib/snortdynamicrules.
What I had in there dated back to 6/16/09.  I manually copied the new
precompiled rules, and everything ran.  I'm looking for my problem with
pulledpork at the moment, and will send an update when I find it.

Thanks
John
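An added example, not Snort's or the poster's own code, that catches the duplicate "config detection" problem before Snort refuses to start: it counts the active "config detection:" lines in a snort.conf and prints the single merged line that 2.8.5 accepts. The sample conf is constructed from the two lines quoted in this thread.

```shell
#!/bin/sh
# Added example, not Snort's or PulledPork's code: pre-flight a snort.conf for
# the 'Config option "detection" can only be configured once' error that
# 2.8.5 raises, and print the single merged line that replaces the duplicates.

# count_detection_lines CONF: number of active "config detection:" lines;
# anything above 1 is exactly the condition that stopped 2.8.5 from starting.
count_detection_lines() {
    grep -c '^[[:space:]]*config[[:space:]][[:space:]]*detection:' "$1" || true
}

# merge_detection_lines CONF: combine every active "config detection:" line
# into one, keeping option order, so "search-method ac-bnfa" and
# "max_queue_events 5" become one line.  Prints nothing if none are found.
merge_detection_lines() {
    awk '
        /^[ \t]*config[ \t]+detection:/ {
            sub(/^[ \t]*config[ \t]+detection:[ \t]*/, "")
            sub(/[ \t]+$/, "")
            if (length($0) > 0) opts = (opts == "" ? $0 : opts " " $0)
            n++
        }
        END { if (n > 0) print "config detection: " opts }
    ' "$1"
}

# make_sample_conf: constructed fragment of a 2.8.4-era snort.conf with the
# two lines from the thread plus a commented-out one that must be ignored.
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed snort.conf fragment
config detection: search-method ac-bnfa
#config detection: search-method lowmem
config detection: max_queue_events 5
preprocessor frag3_global
EOF
    printf '%s\n' "$f"
}

# Stand-alone use: sh check_detection.sh /usr/local/etc/snort/snort.conf
if [ -f "${1:-}" ]; then
    echo "config detection lines: $(count_detection_lines "$1")"
    merge_detection_lines "$1"
fi
```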


-----Original Message-----
From: Ryan Jordan [mailto:ryan.jordan () sourcefire com]
Sent: Monday, September 28, 2009 10:09 AM
To: John York
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] 2.8.4 to 2.8.5 wild ride

Allow me to explain a couple things... comments inline.


On Fri, Sep 25, 2009 at 4:06 PM, John York <YorkJ () brcc edu> wrote:

        Hi

        I'm running on Ubuntu 8.04LTS, Snort compiled from source, with
        pulledpork fixing up the SO rules for me.  Snort 2.8.4 with CURRENT
        rules was working fine.  I know you're only supposed to run CURRENT
        if you use the CVS current version of Snort, but what the hey?  It
        was working.

        After the upgrade to 2.8.5, PulledPork ran Snort to set up the so
        rules and got this error:
        ERROR: /usr/local/etc/snort/snort.conf(190) Config option "detection"
        can only be configured once.
        Fatal Error, Quitting..

        @$%#@!!!  Busted.  Guess I'll have to go to the 2.8 rules.

        (It turned out the error was caused by these lines from my old 2.8.4
        snort.conf.  Went back to 2.8 rules anyway)
        config detection: search-method ac-bnfa
        config detection: max_queue_events 5



It would have sufficed to just combine those two into one "detection"
line.
"config detection: search-method ac-bnfa max_queue_events 5".

Like they say, hindsight is 20/20.



        So, changed PulledPork to point to 2.8 rules, took the 2.8.5
        snort.conf and moved all my stuff into it.  I was amazed at how much
        difference there was between the current and 2.8.5 snort.conf
        files--lots more stuff in the current version.

        The next time Snort ran, it had segmentation faults.  That turned out
        to happen any time any one of these lines appeared in snort.conf
        (moved over from the CURRENT config, thinking they were necessary for
        the SO rules):

        dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so
        dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so
        dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so
        dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so
        dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so
        dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so

        OK, "Do not meddle in the affairs of wizards, for they are subtle
        and quick to anger."  Comment all those out, hope the so rules still
        run.



Snort ships with .so files that contain the dynamic preprocessors. When
you install a new version of Snort, you need to make sure you install
the new versions of these files! Running a new Snort with old .so files
will cause segmentation faults.

Typically, this is handled by "make install", but if you used a new
directory for 2.8.5 then you need to make sure your snort.conf contains
the correct path.

I'm surprised that Snort ran after you commented out those lines. I
guess you didn't try to configure any of the dynamic preprocessors, or
else you would have been met with another error message. 



        Woohoo!  Snort runs!

        After 3 hours, Ruh Roh.  Snort's been pretty busy:
        Rule            Hits
        3:13287:3       2,861,181
        3:8092:3        1,191,487
        3:13307:1       993,864
        3:8351:4        521,964
        3:15450:2       226,397
        3:13825:2       1,626
        3:13827:2       1,626
        SO rules are running all right--never saw anything near this number
        of hits, though.  Ouch.  At the moment I'm trying to decide whether
        to comment out those rules, give CURRENT another try with the 2.8.5
        CURRENT config file, or punt.




        John York
        Network Engineer
        Blue Ridge Community College
        1 College Lane, Weyers Cave, VA





_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users