Snort mailing list archives
Re: [Snort-Users] Several problems with snort 2.9.1.2 under OpenBSD 5.0
From: Joel Esler <jesler () sourcefire com>
Date: Sat, 5 Nov 2011 17:30:48 -0400
Did you read doc/INSTALL and the notes related to OpenBSD and loading the correct preprocessor libraries? The .so's don't get created the same way they do on Linux and there are notes related to that. We haven't tested Snort 2.9.x on OpenBSD 5.0, as that just released earlier this week (Nov 1). Official testing on 2.9.1 was on OpenBSD 4.8 and 2.9.2 is on OpenBSD 4.9.

J

On Nov 5, 2011, at 4:35 PM, carlopmart wrote:
Hi all,

I am trying to install snort 2.9.1.2 under an OpenBSD 5.0 server, but there are several problems. First, during compilation, the console displays a lot of errors, but the most common is:

*** Warning: This system can not link to static lib archive /opt/soft/daq/lib/libdaq_static.la.
*** I have the capability to make that library automatically link in when
*** you link to this library. But I can only do this if you have a
*** shared version of the library, which you do not appear to have.
*** But as you try to build a module library, libtool will still create
*** a static module, that should work as long as the dlopening application
*** is linked with the -dlopen flag to resolve symbols at runtime.

.. and others like this on every preprocessor:

In file included from ../include/sf_ip.h:36,
                 from ../include/sfPolicy.h:24,
                 from ../include/sfPolicyUserData.c:27:
/usr/include/arpa/inet.h:74: warning: 'struct in_addr' declared inside parameter list
/usr/include/arpa/inet.h:74: warning: its scope is only this definition or declaration, which is probably not what you want
/usr/include/arpa/inet.h:75: warning: 'struct in_addr' declared inside parameter list

After that, and trying a minimal configuration, some preprocessors are disabled due to problems with the compilation process:

snort[15646]: FATAL ERROR: /opt/config/etc/snort-common/snort.conf(64) Unknown preprocessor: "ftp_telnet".
snort[8522]: FATAL ERROR: /opt/config/etc/snort-common/snort.conf(140) Unknown preprocessor: "smtp".
snort[23671]: FATAL ERROR: /opt/config/etc/snort-common/snort.conf(148) Unknown preprocessor: "ssh".
snort[29740]: FATAL ERROR: /opt/config/etc/snort-prod/prod_ids.conf(93) Unknown preprocessor: "ssl".
snort[29740]: FATAL ERROR: /opt/config/etc/snort-prod/prod_ids.conf(93) Unknown preprocessor: "dcerpc2"

... and others like dns preprocessor, too ...
After disabling all these preprocessors, and all associated rules, it seems that everything works (only with 10 rules):

Nov 5 20:32:40 eorlingas snort[31702]: Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log
Nov 5 20:32:40 eorlingas snort[31702]: Verifying Preprocessor Configurations!
Nov 5 20:32:40 eorlingas snort[31702]: ICMP tracking disabled, no ICMP sessions allocated
Nov 5 20:32:40 eorlingas snort[31702]:
Nov 5 20:32:40 eorlingas snort[31702]: [ Port Based Pattern Matching Memory ]
Nov 5 20:32:40 eorlingas snort[31702]: +- [ Aho-Corasick Summary ] -------------------------------------
Nov 5 20:32:40 eorlingas snort[31702]: | Storage Format : Full-Q
Nov 5 20:32:40 eorlingas snort[31702]: | Finite Automaton : DFA
Nov 5 20:32:40 eorlingas snort[31702]: | Alphabet Size : 256 Chars
Nov 5 20:32:40 eorlingas snort[31702]: | Sizeof State : Variable (1,2,4 bytes)
Nov 5 20:32:40 eorlingas snort[31702]: | Instances : 6
Nov 5 20:32:40 eorlingas snort[31702]: | 1 byte states : 6
Nov 5 20:32:40 eorlingas snort[31702]: | 2 byte states : 0
Nov 5 20:32:40 eorlingas snort[31702]: | 4 byte states : 0
Nov 5 20:32:40 eorlingas snort[31702]: | Characters : 239
Nov 5 20:32:40 eorlingas snort[31702]: | States : 223
Nov 5 20:32:40 eorlingas snort[31702]: | Transitions : 1022
Nov 5 20:32:40 eorlingas snort[31702]: | State Density : 1.8%
Nov 5 20:32:40 eorlingas snort[31702]: | Patterns : 15
Nov 5 20:32:40 eorlingas snort[31702]: | Match States : 14
Nov 5 20:32:40 eorlingas snort[31702]: | Memory (KB) : 71.27
Nov 5 20:32:40 eorlingas snort[31702]: | Pattern : 1.17
Nov 5 20:32:40 eorlingas snort[31702]: | Match Lists : 1.66
Nov 5 20:32:40 eorlingas snort[31702]: | DFA
Nov 5 20:32:40 eorlingas snort[31702]: | 1 byte states : 57.06
Nov 5 20:32:40 eorlingas snort[31702]: | 2 byte states : 0.00
Nov 5 20:32:40 eorlingas snort[31702]: | 4 byte states : 0.00
Nov 5 20:32:40 eorlingas snort[31702]: +----------------------------------------------------------------
Nov 5 20:32:40 eorlingas snort[31702]: [ Number of patterns truncated to 20 bytes: 3 ]
Nov 5 20:32:40 eorlingas snort[31702]:
Nov 5 20:32:40 eorlingas snort[31702]: Packet Performance Monitor Config:
Nov 5 20:32:40 eorlingas snort[31702]: ticks per usec : 2217 ticks
Nov 5 20:32:40 eorlingas snort[31702]: max packet time : 10000 usecs
Nov 5 20:32:40 eorlingas snort[31702]: packet action :
Nov 5 20:32:40 eorlingas snort[31702]: fastpath-expensive-packets
Nov 5 20:32:40 eorlingas snort[31702]: packet logging : log
Nov 5 20:32:40 eorlingas snort[31702]: debug-pkts : disabled
Nov 5 20:32:40 eorlingas snort[31702]: pcap DAQ configured to passive.
Nov 5 20:32:40 eorlingas snort[31702]: Acquiring network traffic from "em9".
Nov 5 20:32:40 eorlingas snort[31702]: Initializing daemon mode
Nov 5 20:32:40 eorlingas snort[29023]: Daemon initialized, signaled parent pid: 31702
Nov 5 20:32:40 eorlingas snort[29023]: Reload thread starting...
Nov 5 20:32:40 eorlingas snort[29023]: Reload thread started, thread 0x87cd8800 (29023)
Nov 5 20:32:40 eorlingas snort[29023]: Attribute Table Reload Thread Starting...
Nov 5 20:32:40 eorlingas snort[29023]: Attribute Table Reload Thread Started, thread 0x8929cc00 (29023)
Nov 5 20:32:40 eorlingas snort[29023]: Decoding Ethernet
Nov 5 20:32:40 eorlingas snort[29023]: Checking PID path...
Nov 5 20:32:40 eorlingas snort[29023]: PID path stat checked out ok, PID path set to /var/run/
Nov 5 20:32:40 eorlingas snort[29023]: Writing PID "29023" to file "/var/run//snort_em9.pid"
Nov 5 20:32:48 eorlingas snort[29023]:
Nov 5 20:32:48 eorlingas snort[29023]: --== Initialization Complete ==--
Nov 5 20:32:48 eorlingas snort[29023]: Commencing packet processing (pid=29023)

.. But it is really hard to work with these few preprocessors ... What snort version works well with OpenBSD?? Thanks.
--
CL Martinez
carlopmart {at} gmail {d0t} com

--
To post to this group, send email to snortusers () googlegroups com
Please visit http://blog.snort.org for the latest news about Snort!
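An added check for the "Unknown preprocessor" symptom above, not part of this thread and not Snort's own tooling: it lists the preprocessors named in a snort.conf whose dynamic library is missing from the directory snort loads them from, so a build whose .so files did not get produced is caught before startup. The library file names are the ones a Snort 2.9 build installs on Linux and are an assumption here; the sample snort.conf and library directory are constructed.

```shell
# Added example, not from the thread: list the dynamic preprocessors named in a
# snort.conf whose shared library is absent from the directory snort loads them
# from. Library names are the ones a Snort 2.9 build installs on Linux; that
# mapping is an assumption here, adjust it to whatever your build produced.

# Map a preprocessor keyword to the shared object that provides it.
lib_for_preproc() {
    case "$1" in
        ftp_telnet) echo libsf_ftptelnet_preproc.so ;;
        smtp)       echo libsf_smtp_preproc.so ;;
        ssh)        echo libsf_ssh_preproc.so ;;
        ssl)        echo libsf_ssl_preproc.so ;;
        dcerpc2)    echo libsf_dce2_preproc.so ;;
        dns)        echo libsf_dns_preproc.so ;;
        *)          echo "" ;;   # built in (frag3, stream5, ...) or unknown: nothing to check
    esac
}

# Print "name (library)" for every dynamic preprocessor in CONF whose library is
# missing from LIBDIR; prints nothing when all of them can be loaded.
missing_preproc_libs() {
    conf="$1"; libdir="$2"
    # pull the keyword out of "preprocessor <name>[: options]" lines
    sed -n 's/^[[:space:]]*preprocessor[[:space:]]*\([a-z0-9_]*\).*/\1/p' "$conf" |
    sort -u | while read -r name; do
        lib=$(lib_for_preproc "$name")
        if [ -n "$lib" ] && [ ! -f "$libdir/$lib" ]; then
            echo "$name ($lib)"
        fi
    done
}

# Constructed sample: a minimal snort.conf and a library directory holding only
# two of the libraries, reproducing the "Unknown preprocessor" situation.
demo=$(mktemp -d)
mkdir "$demo/lib"
: > "$demo/lib/libsf_smtp_preproc.so"
: > "$demo/lib/libsf_ssh_preproc.so"
cat > "$demo/snort.conf" <<'EOF'
preprocessor frag3_global: max_frags 65536
preprocessor ftp_telnet: global inspection_type stateful
preprocessor smtp: ports { 25 }
preprocessor ssh: server_ports { 22 }
preprocessor ssl: ports { 443 }
preprocessor dcerpc2: memcap 102400
EOF
echo "Preprocessors snort would report as unknown with $demo/lib:"
missing_preproc_libs "$demo/snort.conf" "$demo/lib"
rm -rf "$demo"
```

Point the second argument at the path given on the `dynamicpreprocessor directory` line of the real snort.conf; once nothing is reported, `snort -T -c snort.conf` validates the configuration without sniffing traffic.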