snort-users May 2008 archive

Re: [Snort-users] Building snort

From: Jon Urionaguena <juriona_at_nospam>
Date: Wed May 14 2008 - 13:12:55 GMT
To: Todd Wease <twease@sourcefire.com>


Thanx Todd,

The output I'm using is:

output log_unified: filename snort, limit 9000

Which, on my system, logs text to an alert file and binary format to snort.log. Both files are growing too fast. The alert file is the one I can "normally" read (text), which is why I suppose that the origin of this warning is whatever makes snort log every packet in the unified format. I may be badly mistaken... I will change the output, have a look at the logs in a tcpdump-format reader (aka Wireshark) and give more feedback.

 > It should read that the IP datagram length is greater than the pcap captured length from the IP header on.
We have the option "config disable_decode_alerts" set... Could it be an error with the pf_ring and modified libpcap implementation we are using?

 > Are you specifying a snaplen to snort?
No, I'm not. The thing is that a 2.7 binary works ok (seems to...) with the same config file and same startup options. That's why I'm supposing that the error is not in the config but in the binaries... Maybe a compilation option. I don't know of any.

Regards,

Jon

Todd Wease wrote:
> Hello Jon,
>
> This message is actually wrong:
>
> "[**] [116:6:1] (snort_decoder) WARNING: IP dgm len > IP Hdr len! [**]"
>
> It should read that the IP datagram length is greater than the pcap
> captured length from the IP header on.
>
> Also, you shouldn't see messages like that in a unified file and I'm not
> sure any postprocessor would show the data that way. Sounds like you're
> just looking at a text alert file.
>
> Are you specifying a snaplen to snort? If so, remove it. If not, try
> logging in tcpdump mode and look at the resulting snort.log.<timestamp>
> in Wireshark and see what those packets look like.
>
> Todd
>
> Jon Urionaguena wrote:
>
>> Hi all,
>>
>> I am building a high speed IDS system trying to use pfring extensions,
>> with libpcap modified. I'm trying to work with unified output format.
>>
>> Kernel is built ok. New libpcap seems ok too.
>>
>> When I build snort (downloaded 2.7 and 2.8.1), I try to make it static,
>> building against the libpcap.a just generated. All I can see is that the
>> resulting binary does not show any dependency (ldd) on any libpcap.
>>
>> So I launch it... But the unified file format it generates is wrong
>> because it's full of messages of this kind:
>>
>> "[**] [116:6:1] (snort_decoder) WARNING: IP dgm len > IP Hdr len! [**]"
>>
>> Even if we have the option to avoid these messages in snort.conf. I
>> guess I get a message for each packet we receive... The logs get
>> enormous (50 Mbps link) and without any value.
>>
>> Any hint?? Any other data I should supply?
>>
>> On the other side, I have an old snort binary linked to the modified
>> libpcap (that's what ldd says...) that seems to work ok (loads pfring on
>> startup and gives normal alerts), but I compiled it before we had the
>> pfring change (kernel and new libpcaps)??? It shouldn't work this way.
>>
>> Building snort is being a strange experience for me, because I run into
>> too many issues I cannot fully understand... The flags I try to pass to
>> the configure script never seem to do anything... I'm going crazy.
>>
>> Thanx in advance,
>>
>>
>
>
>
--
Jon
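Todd's point is that the decoder warning quoted above is really about the IP header's total-length field exceeding the number of bytes actually captured from the IP header onward, which is what a too-small snaplen produces, and he suggests logging in tcpdump mode and inspecting the packets. The following is an added example, not code from this thread or from Snort, that performs that same check directly on a pcap file. It assumes the classic pcap format with an Ethernet (DLT_EN10MB) link type and constructs its own sample capture in memory, writing it once with a large snaplen and once with a 96-byte snaplen to reproduce the truncated condition.

```python
"""Flag pcap records whose IPv4 total length exceeds the bytes captured from
the IP header on (the condition behind Snort's [116:6:1] decoder warning).
Added example with constructed input; not Snort's own code."""
import struct
import ipaddress

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = b'\x08\x00'
LINKTYPE_ETHERNET = 1
PCAP_MAGIC_LE = 0xa1b2c3d4
PCAP_MAGIC_BE = 0xd4c3b2a1


def ipv4_frame(payload_len):
    """Constructed Ethernet/IPv4/UDP frame; the IP header states the true datagram length."""
    ip_total = 20 + 8 + payload_len                      # IP header + UDP header + payload
    eth = b'\x00\x11\x22\x33\x44\x55' + b'\x66\x77\x88\x99\xaa\xbb' + ETHERTYPE_IPV4
    ip = struct.pack('!BBHHHBBH4s4s',
                     0x45, 0, ip_total, 1, 0, 64, 17, 0,  # v4/IHL=5, TTL 64, proto UDP, csum 0
                     ipaddress.ip_address('10.0.0.1').packed,
                     ipaddress.ip_address('10.0.0.2').packed)
    udp = struct.pack('!HHHH', 12345, 53, 8 + payload_len, 0)
    return eth + ip + udp + b'A' * payload_len


def build_pcap(frames, snaplen):
    """Little-endian pcap whose records are cut at snaplen, as a real capture
    with that snaplen would be; orig_len still records the full frame size."""
    out = bytearray(struct.pack('<IHHiIII', PCAP_MAGIC_LE, 2, 4, 0, 0,
                                snaplen, LINKTYPE_ETHERNET))
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]
        ts_sec = 1210770775 + i                          # arbitrary constructed timestamp
        out += struct.pack('<IIII', ts_sec, 0, len(captured), len(frame))
        out += captured
    return bytes(out)


def iter_records(pcap):
    """Yield (caplen, orig_len, data) for each record of a classic pcap file."""
    magic = struct.unpack('<I', pcap[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = '<'
    elif magic == PCAP_MAGIC_BE:
        endian = '>'
    else:
        raise ValueError('not a classic pcap file (magic 0x%08x)' % magic)
    linktype = struct.unpack(endian + 'I', pcap[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError('only Ethernet link type is handled here')
    off = 24
    while off + 16 <= len(pcap):
        _, _, caplen, orig_len = struct.unpack(endian + 'IIII', pcap[off:off + 16])
        off += 16
        yield caplen, orig_len, pcap[off:off + caplen]
        off += caplen


def find_truncated_ip(pcap):
    """Return (record_index, ip_total_len, captured_ip_bytes) for every IPv4
    record whose datagram length exceeds what was captured after Ethernet."""
    hits = []
    for idx, (caplen, _, data) in enumerate(iter_records(pcap)):
        # Need the full Ethernet header plus at least a minimal IPv4 header.
        if caplen < ETH_HDR_LEN + 20 or data[12:14] != ETHERTYPE_IPV4:
            continue
        ip_total = struct.unpack('!H', data[ETH_HDR_LEN + 2:ETH_HDR_LEN + 4])[0]
        captured_ip = caplen - ETH_HDR_LEN
        if ip_total > captured_ip:
            hits.append((idx, ip_total, captured_ip))
    return hits


if __name__ == '__main__':
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], 'rb') as f:
            capture = f.read()
    else:
        # Constructed sample: one small and one 1400-byte-payload datagram, captured at snaplen 96.
        capture = build_pcap([ipv4_frame(20), ipv4_frame(1400)], snaplen=96)
    for idx, ip_total, captured_ip in find_truncated_ip(capture):
        print('record %d: IP dgm len %d > captured %d bytes from IP header on'
              % (idx, ip_total, captured_ip))
```

Run it against a snort.log.<timestamp> written in tcpdump mode; if records are reported, the capture is being cut short of the datagram length the IP header claims, which is what a snaplen setting or a modified libpcap that enforces one would cause.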