Snort mailing list archives

Re: [Snort-Users] Several problems with snort 2.9.1.2 under OpenBSD 5.0


From: Joel Esler <jesler () sourcefire com>
Date: Sat, 5 Nov 2011 17:30:48 -0400

Did you read doc/INSTALL and the notes related to OpenBSD and loading the correct preprocessor libraries? The .so's 
don't get created the same way they do on Linux and there are notes related to that.

We haven't tested Snort 2.9.x on OpenBSD 5.0, as that was just released earlier this week (Nov 1).  Official testing on 
2.9.1 was on OpenBSD 4.8 and 2.9.2 is on OpenBSD 4.9.

J

On Nov 5, 2011, at 4:35 PM, carlopmart wrote:

Hi all,

I am trying to install snort 2.9.1.2 under an OpenBSD 5.0 server, but there are several problems. First, during 
compilation, the console displays a lot of errors, but the most common is:

*** Warning: This system can not link to static lib archive /opt/soft/daq/lib/libdaq_static.la.
*** I have the capability to make that library automatically link in when
*** you link to this library.  But I can only do this if you have a
*** shared version of the library, which you do not appear to have.
*** But as you try to build a module library, libtool will still create
*** a static module, that should work as long as the dlopening application
*** is linked with the -dlopen flag to resolve symbols at runtime.

.. and others like this on every preprocessor:

In file included from ../include/sf_ip.h:36,
                from ../include/sfPolicy.h:24,
                from ../include/sfPolicyUserData.c:27:
/usr/include/arpa/inet.h:74: warning: 'struct in_addr' declared inside parameter list
/usr/include/arpa/inet.h:74: warning: its scope is only this definition or declaration, which is probably not what 
you want
/usr/include/arpa/inet.h:75: warning: 'struct in_addr' declared inside parameter list

After that, and trying a minimal configuration, some preprocessors are disabled due to problems with the compilation 
process:


snort[15646]: FATAL ERROR: /opt/config/etc/snort-common/snort.conf(64) Unknown preprocessor: "ftp_telnet".

snort[8522]: FATAL ERROR: /opt/config/etc/snort-common/snort.conf(140) Unknown preprocessor: "smtp".

snort[23671]: FATAL ERROR: /opt/config/etc/snort-common/snort.conf(148) Unknown preprocessor: "ssh".

snort[29740]: FATAL ERROR: /opt/config/etc/snort-prod/prod_ids.conf(93) Unknown preprocessor: "ssl".

snort[29740]: FATAL ERROR: /opt/config/etc/snort-prod/prod_ids.conf(93) Unknown preprocessor: "dcerpc2"

... and others like dns preprocessor, too ...

After disabling all these preprocessors, and all associated rules, it seems that everything works (only with 10 rules):

Nov  5 20:32:40 eorlingas snort[31702]: Rule application order: 
activation->dynamic->pass->drop->sdrop->reject->alert->log
Nov  5 20:32:40 eorlingas snort[31702]: Verifying Preprocessor Configurations!
Nov  5 20:32:40 eorlingas snort[31702]: ICMP tracking disabled, no ICMP sessions allocated
Nov  5 20:32:40 eorlingas snort[31702]:
Nov  5 20:32:40 eorlingas snort[31702]: [ Port Based Pattern Matching Memory ]
Nov  5 20:32:40 eorlingas snort[31702]: +- [ Aho-Corasick Summary ] -------------------------------------
Nov  5 20:32:40 eorlingas snort[31702]: | Storage Format    : Full-Q
Nov  5 20:32:40 eorlingas snort[31702]: | Finite Automaton  : DFA
Nov  5 20:32:40 eorlingas snort[31702]: | Alphabet Size     : 256 Chars
Nov  5 20:32:40 eorlingas snort[31702]: | Sizeof State      : Variable (1,2,4 bytes)
Nov  5 20:32:40 eorlingas snort[31702]: | Instances         : 6
Nov  5 20:32:40 eorlingas snort[31702]: |     1 byte states : 6
Nov  5 20:32:40 eorlingas snort[31702]: |     2 byte states : 0
Nov  5 20:32:40 eorlingas snort[31702]: |     4 byte states : 0
Nov  5 20:32:40 eorlingas snort[31702]: | Characters        : 239
Nov  5 20:32:40 eorlingas snort[31702]: | States            : 223
Nov  5 20:32:40 eorlingas snort[31702]: | Transitions       : 1022
Nov  5 20:32:40 eorlingas snort[31702]: | State Density     : 1.8%
Nov  5 20:32:40 eorlingas snort[31702]: | Patterns          : 15
Nov  5 20:32:40 eorlingas snort[31702]: | Match States      : 14
Nov  5 20:32:40 eorlingas snort[31702]: | Memory (KB)       : 71.27
Nov  5 20:32:40 eorlingas snort[31702]: |   Pattern         : 1.17
Nov  5 20:32:40 eorlingas snort[31702]: |   Match Lists     : 1.66
Nov  5 20:32:40 eorlingas snort[31702]: |   DFA
Nov  5 20:32:40 eorlingas snort[31702]: |     1 byte states : 57.06
Nov  5 20:32:40 eorlingas snort[31702]: |     2 byte states : 0.00
Nov  5 20:32:40 eorlingas snort[31702]: |     4 byte states : 0.00
Nov  5 20:32:40 eorlingas snort[31702]: +----------------------------------------------------------------
Nov  5 20:32:40 eorlingas snort[31702]: [ Number of patterns truncated to 20 bytes: 3 ]
Nov  5 20:32:40 eorlingas snort[31702]:
Nov  5 20:32:40 eorlingas snort[31702]: Packet Performance Monitor Config:
Nov  5 20:32:40 eorlingas snort[31702]:   ticks per usec  : 2217 ticks
Nov  5 20:32:40 eorlingas snort[31702]:   max packet time : 10000 usecs
Nov  5 20:32:40 eorlingas snort[31702]:   packet action   :
Nov  5 20:32:40 eorlingas snort[31702]: fastpath-expensive-packets
Nov  5 20:32:40 eorlingas snort[31702]:   packet logging  : log
Nov  5 20:32:40 eorlingas snort[31702]:   debug-pkts      : disabled
Nov  5 20:32:40 eorlingas snort[31702]: pcap DAQ configured to passive.
Nov  5 20:32:40 eorlingas snort[31702]: Acquiring network traffic from "em9".
Nov  5 20:32:40 eorlingas snort[31702]: Initializing daemon mode
Nov  5 20:32:40 eorlingas snort[29023]: Daemon initialized, signaled parent pid: 31702
Nov  5 20:32:40 eorlingas snort[29023]: Reload thread starting...
Nov  5 20:32:40 eorlingas snort[29023]: Reload thread started, thread 0x87cd8800 (29023)
Nov  5 20:32:40 eorlingas snort[29023]: Attribute Table Reload Thread Starting...
Nov  5 20:32:40 eorlingas snort[29023]: Attribute Table Reload Thread Started, thread 0x8929cc00 (29023)
Nov  5 20:32:40 eorlingas snort[29023]: Decoding Ethernet
Nov  5 20:32:40 eorlingas snort[29023]: Checking PID path...
Nov  5 20:32:40 eorlingas snort[29023]: PID path stat checked out ok, PID path set to /var/run/
Nov  5 20:32:40 eorlingas snort[29023]: Writing PID "29023" to file "/var/run//snort_em9.pid"



Nov  5 20:32:48 eorlingas snort[29023]:
Nov  5 20:32:48 eorlingas snort[29023]:         --== Initialization Complete ==--
Nov  5 20:32:48 eorlingas snort[29023]: Commencing packet processing (pid=29023)

.. But it is really hard to work with these few preprocessors ... What snort version works well with OpenBSD??

Thanks.


-- 
CL Martinez
carlopmart {at} gmail {d0t} com
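The "Unknown preprocessor" fatals above are what Snort reports when a preprocessor named in snort.conf has no dynamic library to back it. The script below is an added diagnostic, not from this thread or from the Snort project: it lists every `preprocessor <name>` directive in a config and reports the ones whose shared object is absent from the library directory (the stock snort.conf points that at /usr/local/lib/snort_dynamicpreprocessor, assumed here). The name-to-library mapping is an assumption about the Snort 2.9 dynamic-preprocessors tree; check it against your own build output.

```shell
#!/bin/sh
# Added diagnostic (not Snort's own code). Assumed mapping from the preprocessor
# keyword used in snort.conf to the shared object the build should produce.
# Keywords with no entry are built-in preprocessors or ones not mapped here.

# Map a preprocessor keyword to its expected shared object (assumed names).
lib_for() {
    case "$1" in
        ftp_telnet) echo "libsf_ftptelnet_preproc.so" ;;
        smtp)       echo "libsf_smtp_preproc.so" ;;
        ssh)        echo "libsf_ssh_preproc.so" ;;
        ssl)        echo "libsf_ssl_preproc.so" ;;
        dcerpc2)    echo "libsf_dce2_preproc.so" ;;
        dns)        echo "libsf_dns_preproc.so" ;;
        *)          echo "" ;;   # built in (frag3, stream5, ...) or not mapped
    esac
}

# Print "name (library)" for every dynamic preprocessor referenced in $1
# whose library is not a regular file under the directory $2.
missing_preprocs() {
    conf="$1"; libdir="$2"
    sed -n 's/^[[:space:]]*preprocessor[[:space:]]*\([A-Za-z0-9_]*\).*/\1/p' "$conf" |
    sort -u |
    while read -r name; do
        lib=$(lib_for "$name")
        if [ -n "$lib" ] && [ ! -f "$libdir/$lib" ]; then
            echo "$name ($lib)"
        fi
    done
}

# Constructed fixture for a stand-alone run: a minimal snort.conf and a lib
# directory holding only the smtp library, as if the rest were never built.
make_fixture() {
    d=$(mktemp -d)
    mkdir "$d/lib"
    : > "$d/lib/libsf_smtp_preproc.so"
    cat > "$d/snort.conf" <<'EOF'
preprocessor frag3_global: max_frags 65536
preprocessor ftp_telnet: global inspection_type stateful
preprocessor smtp: ports { 25 }
preprocessor ssh: server_ports { 22 }
preprocessor ssl: ports { 443 }
preprocessor dcerpc2: memcap 102400
EOF
    echo "$d"
}
```

Against a real install, run `missing_preprocs /path/to/snort.conf /usr/local/lib/snort_dynamicpreprocessor` (or whatever directory the `dynamicpreprocessor directory` line in your snort.conf names); every name it prints is one the build left without a library.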
