snort-users November 2011 archive

[Snort-users] Several problems with snort 2.9.1.2 under OpenBSD 5.0

From: carlopmart <carlopmart_at_nospam>
Date: Sat Nov 05 2011 - 20:35:35 GMT
To: snortusers@googlegroups.com, snort-users@lists.sourceforge.net

Hi all,

  I am trying to install snort 2.9.1.2 under an OpenBSD 5.0 server, but
there are several problems. First, during compilation, the console displays a
lot of errors, but the most common is:

*** Warning: This system can not link to static lib archive
/opt/soft/daq/lib/libdaq_static.la.
*** I have the capability to make that library automatically link in when
*** you link to this library. But I can only do this if you have a
*** shared version of the library, which you do not appear to have.
*** But as you try to build a module library, libtool will still create
*** a static module, that should work as long as the dlopening application
*** is linked with the -dlopen flag to resolve symbols at runtime.

  ... and others like this for every preprocessor:

In file included from ../include/sf_ip.h:36,
                  from ../include/sfPolicy.h:24,
                  from ../include/sfPolicyUserData.c:27:
/usr/include/arpa/inet.h:74: warning: 'struct in_addr' declared inside parameter list
/usr/include/arpa/inet.h:74: warning: its scope is only this definition or declaration, which is probably not what you want
/usr/include/arpa/inet.h:75: warning: 'struct in_addr' declared inside parameter list

After that, when trying a minimal configuration, some preprocessors are
disabled due to problems in the compilation process:

snort[15646]: FATAL ERROR: /opt/config/etc/snort-common/snort.conf(64)
Unknown preprocessor: "ftp_telnet".

snort[8522]: FATAL ERROR: /opt/config/etc/snort-common/snort.conf(140)
Unknown preprocessor: "smtp".

snort[23671]: FATAL ERROR: /opt/config/etc/snort-common/snort.conf(148)
Unknown preprocessor: "ssh".

snort[29740]: FATAL ERROR: /opt/config/etc/snort-prod/prod_ids.conf(93)
Unknown preprocessor: "ssl".

snort[29740]: FATAL ERROR: /opt/config/etc/snort-prod/prod_ids.conf(93)
Unknown preprocessor: "dcerpc2"

  ... and others like the dns preprocessor, too ...

  After disabling all these preprocessors, and all associated rules,
everything seems to work (with only 10 rules):

Nov 5 20:32:40 eorlingas snort[31702]: Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log
Nov 5 20:32:40 eorlingas snort[31702]: Verifying Preprocessor Configurations!
Nov 5 20:32:40 eorlingas snort[31702]: ICMP tracking disabled, no ICMP sessions allocated
Nov 5 20:32:40 eorlingas snort[31702]:
Nov 5 20:32:40 eorlingas snort[31702]: [ Port Based Pattern Matching Memory ]
Nov 5 20:32:40 eorlingas snort[31702]: +- [ Aho-Corasick Summary ] -------------------------------------
Nov 5 20:32:40 eorlingas snort[31702]: | Storage Format : Full-Q
Nov 5 20:32:40 eorlingas snort[31702]: | Finite Automaton : DFA
Nov 5 20:32:40 eorlingas snort[31702]: | Alphabet Size : 256 Chars
Nov 5 20:32:40 eorlingas snort[31702]: | Sizeof State : Variable (1,2,4 bytes)
Nov 5 20:32:40 eorlingas snort[31702]: | Instances : 6
Nov 5 20:32:40 eorlingas snort[31702]: | 1 byte states : 6
Nov 5 20:32:40 eorlingas snort[31702]: | 2 byte states : 0
Nov 5 20:32:40 eorlingas snort[31702]: | 4 byte states : 0
Nov 5 20:32:40 eorlingas snort[31702]: | Characters : 239
Nov 5 20:32:40 eorlingas snort[31702]: | States : 223
Nov 5 20:32:40 eorlingas snort[31702]: | Transitions : 1022
Nov 5 20:32:40 eorlingas snort[31702]: | State Density : 1.8%
Nov 5 20:32:40 eorlingas snort[31702]: | Patterns : 15
Nov 5 20:32:40 eorlingas snort[31702]: | Match States : 14
Nov 5 20:32:40 eorlingas snort[31702]: | Memory (KB) : 71.27
Nov 5 20:32:40 eorlingas snort[31702]: | Pattern : 1.17
Nov 5 20:32:40 eorlingas snort[31702]: | Match Lists : 1.66
Nov 5 20:32:40 eorlingas snort[31702]: | DFA
Nov 5 20:32:40 eorlingas snort[31702]: | 1 byte states : 57.06
Nov 5 20:32:40 eorlingas snort[31702]: | 2 byte states : 0.00
Nov 5 20:32:40 eorlingas snort[31702]: | 4 byte states : 0.00
Nov 5 20:32:40 eorlingas snort[31702]: +----------------------------------------------------------------
Nov 5 20:32:40 eorlingas snort[31702]: [ Number of patterns truncated to 20 bytes: 3 ]
Nov 5 20:32:40 eorlingas snort[31702]:
Nov 5 20:32:40 eorlingas snort[31702]: Packet Performance Monitor Config:
Nov 5 20:32:40 eorlingas snort[31702]: ticks per usec : 2217 ticks
Nov 5 20:32:40 eorlingas snort[31702]: max packet time : 10000 usecs
Nov 5 20:32:40 eorlingas snort[31702]: packet action : fastpath-expensive-packets
Nov 5 20:32:40 eorlingas snort[31702]: packet logging : log
Nov 5 20:32:40 eorlingas snort[31702]: debug-pkts : disabled
Nov 5 20:32:40 eorlingas snort[31702]: pcap DAQ configured to passive.
Nov 5 20:32:40 eorlingas snort[31702]: Acquiring network traffic from "em9".
Nov 5 20:32:40 eorlingas snort[31702]: Initializing daemon mode
Nov 5 20:32:40 eorlingas snort[29023]: Daemon initialized, signaled parent pid: 31702
Nov 5 20:32:40 eorlingas snort[29023]: Reload thread starting...
Nov 5 20:32:40 eorlingas snort[29023]: Reload thread started, thread 0x87cd8800 (29023)
Nov 5 20:32:40 eorlingas snort[29023]: Attribute Table Reload Thread Starting...
Nov 5 20:32:40 eorlingas snort[29023]: Attribute Table Reload Thread Started, thread 0x8929cc00 (29023)
Nov 5 20:32:40 eorlingas snort[29023]: Decoding Ethernet
Nov 5 20:32:40 eorlingas snort[29023]: Checking PID path...
Nov 5 20:32:40 eorlingas snort[29023]: PID path stat checked out ok, PID path set to /var/run/
Nov 5 20:32:40 eorlingas snort[29023]: Writing PID "29023" to file "/var/run//snort_em9.pid"

Nov 5 20:32:48 eorlingas snort[29023]:
Nov 5 20:32:48 eorlingas snort[29023]: --== Initialization Complete ==--
Nov 5 20:32:48 eorlingas snort[29023]: Commencing packet processing (pid=29023)

  ... But it is really hard to work with so few preprocessors ... Which
snort version works well with OpenBSD?

Thanks.

-- CL Martinez carlopmart {at} gmail {d0t} com
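The "Unknown preprocessor" errors in the post are what Snort 2.9 reports for a `preprocessor foo:` line whose dynamic preprocessor module was never loaded, and the libtool warning about `libdaq_static.la` suggests the build only produced static archives rather than the shared objects Snort dlopens. The following shell script is an added example, not from the post or from the Snort project, that cross-checks the preprocessors named in a snort.conf against the `libsf_*_preproc.so` files actually present in the dynamic preprocessor directory, so the mismatch can be found before Snort aborts. The keyword-to-library mapping, the directory layout and the sample snort.conf fragment are assumptions constructed for this example; adjust the mapping to your own build.

```shell
#!/bin/sh
# Added example (not from the original post or the Snort project):
# report every dynamic preprocessor referenced in a snort.conf whose
# shared object is missing from the preprocessor library directory.

# Assumed mapping from snort.conf keyword to library base name.
# Built-in preprocessors (frag3, stream5, http_inspect, ...) have no
# library and are skipped (the function returns 1 for them).
lib_for_preproc() {
    case "$1" in
        ftp_telnet)     echo libsf_ftptelnet_preproc ;;
        smtp)           echo libsf_smtp_preproc ;;
        ssh)            echo libsf_ssh_preproc ;;
        ssl)            echo libsf_ssl_preproc ;;
        dcerpc2)        echo libsf_dce2_preproc ;;
        dns)            echo libsf_dns_preproc ;;
        sip)            echo libsf_sip_preproc ;;
        sensitive_data) echo libsf_sdf_preproc ;;
        *)              return 1 ;;
    esac
}

# missing_preprocs CONF LIBDIR
# Prints, one per line, each dynamic preprocessor named in CONF for which
# LIBDIR/<lib>.so does not exist. Comment lines are ignored.
missing_preprocs() {
    conf="$1"; libdir="$2"
    sed -e 's/#.*//' "$conf" \
      | awk '$1 == "preprocessor" { sub(/:.*/, "", $2); print $2 }' \
      | sort -u \
      | while read -r name; do
            lib=$(lib_for_preproc "$name") || continue
            [ -e "$libdir/$lib.so" ] || echo "$name"
        done
}

# Constructed sample (not real data): a config fragment like the poster's
# and a library directory where only the smtp and ssh modules were built
# as shared objects. Prints the preprocessors Snort would reject.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/lib"
    : > "$tmp/lib/libsf_smtp_preproc.so"
    : > "$tmp/lib/libsf_ssh_preproc.so"
    cat > "$tmp/snort.conf" <<'EOF'
preprocessor frag3_global: max_frags 65536
preprocessor stream5_global: track_tcp yes
# preprocessor dns: ports { 53 } enable_rdata_overflow
preprocessor ftp_telnet: global inspection_type stateful
preprocessor smtp: ports { 25 587 }
preprocessor ssh: server_ports { 22 }
preprocessor ssl: ports { 443 }
preprocessor dcerpc2: memcap 102400
EOF
    missing_preprocs "$tmp/snort.conf" "$tmp/lib"
    rm -rf "$tmp"
}

demo
```

Run it against a real installation as `missing_preprocs /opt/config/etc/snort-common/snort.conf /path/to/snort_dynamicpreprocessor`; an empty result means every referenced module has a shared object for Snort to load, while any name printed is one that will produce the FATAL ERROR shown above unless its `.so` is built or the line is commented out.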