Snort mailing list archives

Re: Minor notes snort-3.0.0-a1


From: "Russ Combs (rucombs)" <rucombs () cisco com>
Date: Mon, 15 Dec 2014 22:06:32 +0000

A fix for the 1st issue was pushed to github.  Did you get the 2nd issue resolved?

Thanks
Russ

________________________________
From: Y M [snort () outlook com]
Sent: Saturday, December 13, 2014 9:02 AM
To: Russ Combs (rucombs)
Cc: snort-devel () lists sourceforge net
Subject: RE: [Snort-devel] Minor notes snort-3.0.0-a1



________________________________
From: rucombs () cisco com
To: snort () outlook com
CC: snort-devel () lists sourceforge net
Subject: RE: [Snort-devel] Minor notes snort-3.0.0-a1
Date: Sat, 13 Dec 2014 12:54:22 +0000


________________________________
From: Y M [snort () outlook com]
Sent: Saturday, December 13, 2014 7:33 AM
To: Russ Combs (rucombs)
Cc: snort-devel () lists sourceforge net
Subject: RE: [Snort-devel] Minor notes snort-3.0.0-a1



________________________________
From: rucombs () cisco com
To: snort () outlook com
CC: snort-devel () lists sourceforge net
Subject: RE: [Snort-devel] Minor notes snort-3.0.0-a1
Date: Sat, 13 Dec 2014 12:27:52 +0000


________________________________
From: Y M [snort () outlook com]
Sent: Saturday, December 13, 2014 7:22 AM
To: Russ Combs (rucombs)
Cc: snort-devel () lists sourceforge net
Subject: RE: [Snort-devel] Minor notes snort-3.0.0-a1


Inline please.
________________________________
From: rucombs () cisco com
To: snort () outlook com; snort-devel () lists sourceforge net
Subject: RE: [Snort-devel] Minor notes snort-3.0.0-a1
Date: Sat, 13 Dec 2014 12:02:08 +0000

Thanks for the report.  Comments below.

________________________________
From: Y M [snort () outlook com]
Sent: Saturday, December 13, 2014 4:28 AM
To: snort-devel () lists sourceforge net
Subject: [Snort-devel] Minor notes snort-3.0.0-a1

1. Difference in performance profiling configuration option when building snort with cmake vs. autotools:
    cmake accepts enable-perfprofiling but not enable-perf-profiling
    autotools accepts enable-perf-profiling but not enable-perfprofiling

* We will get cmake updated to match autotools here.

-- Awesome, thanks.

2. When running snort, a fatal error may be generated:
     FATAL: can't init /usr/local/snort/etc/snort.lua: /usr/local/snort/etc/snort.lua:22: module 'snort_config' not found:
no field package.preload['snort_config']
no file './snort_config.lua'
no file '/usr/local/share/luajit-2.0.3/snort_config.lua'
no file '/usr/local/share/lua/5.1/snort_config.lua'
no file '/usr/local/share/lua/5.1/snort_config/init.lua'
no file './snort_config.so'
no file '/usr/local/lib/lua/5.1/snort_config.so'
no file '/usr/local/lib/lua/5.1/loadall.so'
      Fatal Error, Quitting..

    snort_config.lua is not copied to /etc when installing snort. Manually copying snort_config.lua to /etc fixes the issue.

* Did you export LUA_PATH to point to the directory where snort_config.lua is installed?  LUA_PATH is for required 
files, i.e. files loaded by LuaJIT automatically, whereas SNORT_LUA_PATH is for Snort configuration include paths.  The 
two are distinct and must be set correctly.

-- Yes:

dev@snortalpha:~$ echo $LUA_PATH
/usr/local/snort/include/snort/lua/?.lua;;
dev@snortalpha:~$ echo $SNORT_LUA_PATH
/usr/local/snort/etc

* So does this exist?

/usr/local/snort/include/snort/lua/snort_config.lua

-- Yes:

dev@snortalpha:~$ ls -l /usr/local/snort/include/snort/lua/
total 8
-rw-r--r-- 1 root root 3041 Dec 12 12:21 snort_config.lua
-rw-r--r-- 1 root root 1531 Dec 12 12:21 snort_plugin.lua

* There is something wrong with setting LUA_PATH in your environment.  If I unset LUA_PATH, I get a FATAL error with a 
similar list of search paths:

FATAL: can't init /Users/rucombs/install/auto/etc/snort/snort.lua: /Users/rucombs/install/auto/etc/snort/snort.lua:22: module 'snort_config' not found:
no field package.preload['snort_config']
no file './snort_config.lua'
        ...

If I set LUA_PATH and delete snort_config.lua from that path, then I get a FATAL that includes the LUA_PATH at the top 
of the search list (the first no file):

FATAL: can't init /Users/rucombs/install/auto/etc/snort/snort.lua: /Users/rucombs/install/auto/etc/snort/snort.lua:22: module 'snort_config' not found:
no field package.preload['snort_config']
no file '/Users/rucombs/install/auto/include/snort/lua/snort_config.lua'
no file './snort_config.lua'
        ...

Since your output above doesn't show an attempt at your LUA_PATH, it seems as if it is just not set in your execution 
environment.

-- Makes sense. I did unset/set LUA_PATH and SNORT_LUA_PATH and added to PATH as well and still no luck. I will have to re-look at this.

dev@snortalpha:~$ printenv | grep LUA
SNORT_LUA_PATH=/usr/local/snort/etc
LUA_PATH=/usr/local/snort/include/lua/?.lua;;
dev@snortalpha:~$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/snort/include/lua/?.lua;;:/usr/local/snort/etc
dev@snortalpha:~$ echo $LUA_PATH
/usr/local/snort/include/lua/?.lua;;
dev@snortalpha:~$ echo $SNORT_LUA_PATH
/usr/local/snort/etc


3. Difference in dump_stats() when running with --shell and dump_stats() after running quit():

* This is a known issue already on the todo list.  Glad to see someone actually tried it.  :)

-- Glad to know it's a known issue. Thanks.

    o")~
dump_stats()
--------------------------------------------------
Packet Statistics
--------------------------------------------------
daq
                    pcaps: 1
--------------------------------------------------
Module Statistics
--------------------------------------------------
Summary Statistics
--------------------------------------------------
process
           local commands: 12
o")~

o")~
quit()
== stopping
o")~
-- [0] eth0
--------------------------------------------------
Packet Statistics
--------------------------------------------------
daq
                    pcaps: 1
                 received: 118
                 analyzed: 118
                    allow: 118
                     idle: 2
--------------------------------------------------
codec
                    total: 122         (100.000%)
                 discards: 18           ( 14.754%)
                      arp: 2           (  1.639%)
                      eth: 122         (100.000%)
                    icmp4: 78           ( 63.934%)
                     ipv4: 120         ( 98.361%)
                      tcp: 36           ( 29.508%)
                      udp: 6           (  4.918%)
--------------------------------------------------
Module Statistics
--------------------------------------------------
back_orifice
                  packets: 3
--------------------------------------------------
binder
                  packets: 8
                 inspects: 8
--------------------------------------------------
perf_monitor
                  packets: 100
--------------------------------------------------
port_scan_global
                  packets: 98
--------------------------------------------------
stream
                tcp flows: 4
                udp flows: 3
               icmp flows: 1
--------------------------------------------------
stream_icmp
                  created: 1
                 released: 1
--------------------------------------------------
stream_tcp
                 sessions: 4
                 timeouts: 2
            data trackers: 4
         trackers created: 4
        trackers released: 4
              segs queued: 5
            segs released: 5
          client cleanups: 4
--------------------------------------------------
stream_udp
                 sessions: 3
                  created: 3
                 released: 3
--------------------------------------------------
tcp
       bad checksum (ip4): 15
--------------------------------------------------
udp
       bad checksum (ip4): 3
--------------------------------------------------
Summary Statistics
--------------------------------------------------
detection
                 analyzed: 118
--------------------------------------------------
process
           local commands: 15
--------------------------------------------------
timing
                  runtime: 00:02:49
                  seconds: 169.467279
                  packets: 118
                 pkts/sec: 0
o")~   Snort exiting

Thanks.
Yaser
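The thread turns on how LuaJIT walks LUA_PATH to find `snort_config`, and it shows two different LUA_PATH values (one under `include/snort/lua`, one under `include/lua`) next to an `ls` of where the file actually lives. The script below is an added example, not code from the Snort project or from either participant: it emulates Lua's `package.path` search (split on `;`, substitute the module name for `?`, expand a trailing `;;` to the interpreter's default list) so you can check which template resolves the module before launching snort. It assumes standard Lua/LuaJIT `package.path` semantics, takes the default template list from the "no file" lines in the thread's error message, and builds a throwaway install tree under `mktemp -d` as a constructed stand-in for the real one. It only models `package.path` (the `.lua` templates), not LUA_CPATH/`.so` lookups.

```shell
#!/bin/sh
# Added example: emulate LuaJIT's LUA_PATH module search so a LUA_PATH value can be
# checked before running snort. Not part of Snort or the thread.
# Assumption: the default template list below is reconstructed from the "no file"
# lines in the thread's FATAL message; a real interpreter's default may differ.
DEFAULT_LUA_PATH='./?.lua;/usr/local/share/luajit-2.0.3/?.lua;/usr/local/share/lua/5.1/?.lua;/usr/local/share/lua/5.1/?/init.lua'

# expand_lua_path PATHSPEC
# Prints the effective search templates, one per line. Like Lua, a ';;' in the
# spec is replaced by ';<default path>;' and empty templates are dropped.
expand_lua_path() {
    spec=$1
    case "$spec" in
        *';;'*) spec=$(printf '%s' "$spec" | sed "s|;;|;${DEFAULT_LUA_PATH};|g") ;;
    esac
    printf '%s\n' "$spec" | tr ';' '\n' | sed '/^$/d'
}

# resolve_lua_module MODULE PATHSPEC
# Substitutes MODULE for '?' in each template (with '.' in the module name turned
# into '/', as Lua does) and prints the first existing file, returning 0.
# Otherwise prints the tried candidates on stderr, in Lua's "no file" form, and
# returns 1.
resolve_lua_module() {
    mod=$1
    spec=$2
    modpath=$(printf '%s' "$mod" | tr '.' '/')
    expand_lua_path "$spec" | {
        while IFS= read -r tmpl; do
            cand=$(printf '%s' "$tmpl" | sed "s|?|$modpath|g")
            if [ -f "$cand" ]; then
                printf '%s\n' "$cand"
                exit 0
            fi
            printf "no file '%s'\n" "$cand" >&2
        done
        exit 1
    }
}

# demo_lua_path
# Constructed fixture: a temp tree mirroring the thread's `ls` output, then the
# two LUA_PATH values from the thread resolved against it.
demo_lua_path() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/local/snort/include/snort/lua"
    : > "$root/usr/local/snort/include/snort/lua/snort_config.lua"  # empty stand-in
    with_snort="$root/usr/local/snort/include/snort/lua/?.lua;;"
    without_snort="$root/usr/local/snort/include/lua/?.lua;;"
    printf 'include/snort/lua: '
    resolve_lua_module snort_config "$with_snort" 2>/dev/null || echo MISSING
    printf 'include/lua:       '
    resolve_lua_module snort_config "$without_snort" 2>/dev/null || echo MISSING
    rm -rf "$root"
}

demo_lua_path
```

Run it as `sh lua_path_check.sh` (any file name works). To check a live environment, replace the fixture call with `resolve_lua_module snort_config "$LUA_PATH"`; the stderr output is the same "no file" list snort prints, so if your LUA_PATH directory never appears there, the variable is not reaching the process that runs snort.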
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
