Snort mailing list archives

Re: daq/snort 2.9.0 on Solaris sparc ?


From: Russ Combs <rcombs () sourcefire com>
Date: Wed, 6 Oct 2010 15:03:06 -0400

On Wed, Oct 6, 2010 at 1:24 PM, Luis <luis.mlists () gmail com> wrote:


howdy,

two questions about snort 2.9.0 on sparc.


one on daq and another on an odd behavior of http_inspect and ftp_telnet
configuration..

the first, about daq 0.2 compilation, was about some errors like the
following (see email thread below for complete list).



In file included from sf_gencode.c:87:
sll.h:86: error: syntax error before "u_int16_t"
sll.h:86: warning: no semicolon at end of struct or union
sll.h:87: warning: type defaults to `int' in declaration of `sll_hatype'
sll.h:87: error: ISO C forbids data definition with no type or storage
class


Was finally able to compile by removing the following lines in sfbpf/sll.h

$ diff sll.h sll.h.orig
82,83c82,93
< #define SLL_HDR_LEN 16          /* total header length */
< #define SLL_ADDRLEN 8           /* length of address field */
---
#define SLL_HDR_LEN    16          /* total header length */
#define SLL_ADDRLEN    8           /* length of address field */

struct sll_header
{
    u_int16_t sll_pkttype;      /* packet type */
    u_int16_t sll_hatype;       /* link-layer address type */
    u_int16_t sll_halen;        /* link-layer address length */
    u_int8_t sll_addr[SLL_ADDRLEN]; /* link-layer address */
    u_int16_t sll_protocol;     /* protocol */
};
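Review bot: the errors quoted above ("syntax error before u_int16_t", "type defaults to int") say the compiler does not know the type names u_int16_t and u_int8_t at the point sll.h is included, not that the struct itself is wrong, so deleting struct sll_header treats the symptom and only compiles because nothing in this build references that struct; a safer change is to make the types visible before the struct (for example via a typedef to the C99 uint16_t/uint8_t from <stdint.h>, or by including the header that defines the u_int* names on this platform) and keep the declaration, since SLL_HDR_LEN and SLL_ADDRLEN exist to describe its layout.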


Thanks for reporting this.  We'll look into it.


2nd question. Are the http_inspect and ftp_telnet preprocessors related in
any way? It seems that the configuration parsing may be mixing them up?
(or it may just be my configuration?).


No - at least they shouldn't be. It sounds like maybe you have an old ftp so
registering as http? Definitely weird. Did you uninstall the old dynamic
preprocessors first? Have you tried changing the order of preprocessor
configs in your conf (http, ftp and then ftp, http)?


When I enable ftp_telnet global, with the following on the conf file:

       preprocessor ftp_telnet: global inspection_type stateful check_encrypted encrypted_traffic no


I get the following error:

ERROR: snort.conf(236) => Stateful HttpInspect processing is not yet
available.  Please use stateless processing for now.
Fatal Error, Quitting..


why would the ftp_telnet configuration error with 'HttpInspect'?

if I set the ftp_telnet inspection to stateless, I get the following error:

ERROR: snort.conf(238) => Global configuration must contain an IIS Unicode
Map configuration.  Use token 'iis_unicode_map'.
Fatal Error, Quitting..



Once again this error seems to be from http_inspect (as that directive is
set in that preproc)

If I completely remove (comment out) all ftp_telnet lines (global, server
and protocol), then snort starts up fine..


am I missing something here?


here's my snort version:
$ ../bin/snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.0 IPv6 GRE (Build 68)
   ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
           Using PCRE version: 7.0 18-Dec-2006
           Using ZLIB version: 1.2.3


sections from snort.conf.  (ftp_telnet is commented out, as it is the only
way snort will start)..


...
# HTTP normalization and anomaly detection.  For more information, see
README.http_inspect
preprocessor http_inspect: global \
        iis_unicode_map unicode.map 1252 \
        compress_depth 20480 decompress_depth 20480

preprocessor http_inspect_server: server default \
    chunk_length 500000 \
    server_flow_depth 0 \
    client_flow_depth 0 \
    post_depth 65495 \
        oversize_dir_length 500 \
    max_header_length 750 \
    max_headers 100 \
    ports { 80 311 591 593 901 1220 1414 2301 2381 2809 3128 3702 7777 7779 8000 8008 8028 8080 8118 8123 8180 8243 8280 8888 9443 9999 11371 } \
    non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
    enable_cookie \
    extended_response_inspection \
    inspect_gzip \
    apache_whitespace no \
    ascii no \
    bare_byte no \
        directory no \
        double_decode no \
        iis_backslash no \
        iis_delimiter no \
        iis_unicode no \
        multi_slash no \
        non_strict \
        u_encode yes \
        webroot no



...

#preprocessor ftp_telnet: global inspection_type stateful check_encrypted encrypted_traffic no

#preprocessor ftp_telnet: global inspection_type stateless

#preprocessor ftp_telnet_protocol: telnet \
#    ayt_attack_thresh 20 \
#    normalize ports { 23 } \
#    detect_anomalies
#preprocessor ftp_telnet_protocol: ftp server default \
#    def_max_param_len 100 \
#    ports { 21 2100 3535 } \
#    telnet_cmds yes \
#    ignore_telnet_erase_cmds yes \
#    ftp_cmds { ABOR ACCT ADAT ALLO APPE AUTH CCC CDUP } \
#    ftp_cmds { CEL CLNT CMD CONF CWD DELE ENC EPRT } \
#    ftp_cmds { EPSV ESTA ESTP FEAT HELP LANG LIST LPRT } \
#    ftp_cmds { LPSV MACB MAIL MDTM MIC MKD MLSD MLST } \
#    ftp_cmds { MODE NLST NOOP OPTS PASS PASV PBSZ PORT } \
#    ftp_cmds { PROT PWD QUIT REIN REST RETR RMD RNFR } \
#    ftp_cmds { RNTO SDUP SITE SIZE SMNT STAT STOR STOU } \
#    ftp_cmds { STRU SYST TEST TYPE USER XCUP XCRC XCWD } \
#    ftp_cmds { XMAS XMD5 XMKD XPWD XRCP XRMD XRSQ XSEM } \
#    ftp_cmds { XSEN XSHA1 XSHA256 } \
#    alt_max_param_len 0 { ABOR CCC CDUP ESTA FEAT LPSV NOOP PASV PWD QUIT REIN STOU SYST XCUP XPWD } \
#    alt_max_param_len 200 { ALLO APPE CMD HELP NLST RETR RNFR STOR STOU XMKD } \
#    alt_max_param_len 256 { CWD RNTO } \
#    alt_max_param_len 400 { PORT } \
#    alt_max_param_len 512 { SIZE } \
#    chk_str_fmt { ACCT ADAT ALLO APPE AUTH CEL CLNT CMD } \
#    chk_str_fmt { CONF CWD DELE ENC EPRT EPSV ESTP HELP } \
#    chk_str_fmt { LANG LIST LPRT MACB MAIL MDTM MIC MKD } \
#    chk_str_fmt { MLSD MLST MODE NLST OPTS PASS PBSZ PORT } \
#    chk_str_fmt { PROT REST RETR RMD RNFR RNTO SDUP SITE } \
#    chk_str_fmt { SIZE SMNT STAT STOR STRU TEST TYPE USER } \
#    chk_str_fmt { XCRC XCWD XMAS XMD5 XMKD XRCP XRMD XRSQ } \
#    chk_str_fmt { XSEM XSEN XSHA1 XSHA256 } \
#    cmd_validity ALLO < int [ char R int ] > \
#    cmd_validity EPSV < { char 12|string } > \
#    cmd_validity MACB < string > \
#    cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
#    cmd_validity MODE < char ASBCZ > \
#    cmd_validity PORT < host_port > \
#    cmd_validity PROT < char CSEP > \
#    cmd_validity STRU < char FRPO [ string ] > \
#    cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } >
#preprocessor ftp_telnet_protocol: ftp client default \
#    max_resp_len 256 \
#    bounce yes \
#    ignore_telnet_erase_cmds yes \
#    telnet_cmds yes




Thanks,


Luis






---------- Forwarded message ----------
From: Luis <luis.mlists () gmail com>
Date: Wed, Oct 6, 2010 at 11:26 AM
Subject: Re: [Snort-users] Fwd: daq/snort 2.9.0 on Solaris sparc ?
To: Joel Esler <jesler () sourcefire com>


Thanks, will try there, sorry for the noise :)




On Wed, Oct 6, 2010 at 11:20 AM, Joel Esler <jesler () sourcefire com> wrote:

The DAQ developers *are* on this list, however, the best bet for these
type of things is snort-devel.

Thanks.

Joel

On Oct 6, 2010, at 11:03 AM, Luis wrote:

sent this yesterday to snort-beta... trying snort-users to see if anyone
has had any luck..
(see below)

Luis

---------- Forwarded message ----------
From: Luis <luis.mlists () gmail com>
Date: Tue, Oct 5, 2010 at 2:05 PM
Subject: daq/snort 2.9.0 on Solaris sparc ?
To: snort-beta () sourcefire com


howdy:

does anyone know if the 2.9.0 snort can be compiled in Solaris (sparc?).

I'm currently stuck trying to compile the daq 0.2.  it errors at the
following:

In file included from sf_gencode.c:87:
sll.h:86: error: syntax error before "u_int16_t"
sll.h:86: warning: no semicolon at end of struct or union
sll.h:87: warning: type defaults to `int' in declaration of `sll_hatype'
sll.h:87: error: ISO C forbids data definition with no type or storage
class
sll.h:88: error: syntax error before "sll_halen"
sll.h:88: warning: type defaults to `int' in declaration of `sll_halen'
sll.h:88: error: ISO C forbids data definition with no type or storage
class
sll.h:89: error: syntax error before "sll_addr"
sll.h:89: warning: type defaults to `int' in declaration of `sll_addr'
sll.h:89: error: ISO C forbids data definition with no type or storage
class
sll.h:90: error: syntax error before "sll_protocol"
sll.h:90: warning: type defaults to `int' in declaration of `sll_protocol'
sll.h:90: error: ISO C forbids data definition with no type or storage
class
sll.h:91: warning: ISO C does not allow extra `;' outside of a function
*** Error code 1


any help would be appreciated.


Thanks


Luis
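The build failure quoted in this post comes from the u_int16_t/u_int8_t type names being undefined when sfbpf/sll.h is compiled. The following is an added example, not code from DAQ or libpcap: it re-declares the same Linux "cooked capture" header with the C99 fixed-width types from <stdint.h>, checks that the declaration still matches SLL_HDR_LEN, and decodes a constructed 16-byte header with a length check before touching any field. The byte sample, the function names sll_parse, sll_header_size and the sll_demo_* helpers are assumptions made for this example.

```c
/* Added example (not DAQ/sfbpf code): portable sll_header declaration
 * using C99 <stdint.h> types instead of the BSD-style u_int16_t/u_int8_t
 * names that the Solaris build in this thread could not resolve. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define SLL_HDR_LEN 16          /* total header length */
#define SLL_ADDRLEN 8           /* length of address field */

struct sll_header {
    uint16_t sll_pkttype;              /* packet type */
    uint16_t sll_hatype;               /* link-layer address type */
    uint16_t sll_halen;                /* link-layer address length */
    uint8_t  sll_addr[SLL_ADDRLEN];    /* link-layer address */
    uint16_t sll_protocol;             /* protocol */
};

/* The declaration must still describe a 16-byte header. */
size_t sll_header_size(void)
{
    return sizeof(struct sll_header);
}

/* Header fields are stored big-endian in the capture. */
static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Decode one cooked-capture header from a buffer.
 * Returns 0 on success, -1 if the buffer is too short or out is NULL;
 * the length check runs before any field is read. */
int sll_parse(const uint8_t *buf, size_t len, struct sll_header *out)
{
    if (buf == NULL || out == NULL || len < SLL_HDR_LEN)
        return -1;
    out->sll_pkttype  = be16(buf);
    out->sll_hatype   = be16(buf + 2);
    out->sll_halen    = be16(buf + 4);
    memcpy(out->sll_addr, buf + 6, SLL_ADDRLEN);
    out->sll_protocol = be16(buf + 14);
    return 0;
}

/* Constructed sample (assumption, not a real capture): packet type 0,
 * hardware type 1 (Ethernet), address length 6, a made-up MAC padded
 * to 8 bytes, protocol 0x0800 (IPv4). */
static const uint8_t sample_sll[SLL_HDR_LEN] = {
    0x00, 0x00,             /* sll_pkttype  */
    0x00, 0x01,             /* sll_hatype   */
    0x00, 0x06,             /* sll_halen    */
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x00, 0x00, /* sll_addr */
    0x08, 0x00              /* sll_protocol */
};

/* Demo helpers returning decoded fields from the sample above. */
int sll_demo_protocol(void)
{
    struct sll_header h;
    if (sll_parse(sample_sll, sizeof sample_sll, &h) != 0)
        return -1;
    return h.sll_protocol;
}

int sll_demo_halen(void)
{
    struct sll_header h;
    if (sll_parse(sample_sll, sizeof sample_sll, &h) != 0)
        return -1;
    return h.sll_halen;
}

/* Feeding one byte less than the header needs must be rejected. */
int sll_demo_short_buffer(void)
{
    struct sll_header h;
    return sll_parse(sample_sll, SLL_HDR_LEN - 1, &h);
}
```

Substituting uint16_t for u_int16_t keeps the header and its length macros intact, which is what the deleted struct in the diff earlier in the thread gave up; the size check is the cheap way to confirm the substitution did not change the layout.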


------------------------------------------------------------------------------
Beautiful is writing same markup. Internet Explorer 9 supports
standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
Spend less time writing and  rewriting code and more time creating great
experiences on the web. Be a part of the beta today.

http://p.sf.net/sfu/beautyoftheweb
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users







_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel