[Snort-devel] [ snort-Bugs-478813 ] Red Hat 7.x & Snort 1.8.2 w/ FlexResp

noreply at ...12... noreply at ...12...
Mon Nov 19 18:35:01 EST 2001


Bugs item #478813, was opened at 2001-11-06 11:05
You can respond by visiting: 
http://sourceforge.net/tracker/?func=detail&atid=103357&aid=478813&group_id=3357

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Nobody/Anonymous (nobody)
Assigned to: Nobody/Anonymous (nobody)
Summary: Red Hat 7.x & Snort 1.8.2 w/ FlexResp

Initial Comment:
It seems (after looking through the Snort mailing 
lists, various newsgroups, the forums on snort.org, 
and my personal experience with 1.8.2) that on a Red 
Hat 7.x machine, 1.8.2 won't compile with FlexResp 
enabled.

[root at ...926... snort]# ./configure --enable-flexresp
checking for a BSD compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking whether make sets ${MAKE}... yes
checking for working aclocal... missing
checking for working autoconf... missing
checking for working automake... missing
checking for working autoheader... missing
checking for working makeinfo... missing
checking for gcc... gcc
checking for C compiler default output... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for executable suffix... 
checking for object suffix... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ANSI C... none needed
checking for gcc... (cached) gcc
checking whether we are using the GNU C compiler... (cached) yes
checking whether gcc accepts -g... (cached) yes
checking build system type... i686-pc-linux-gnu
checking host system type... i686-pc-linux-gnu
checking whether byte ordering is bigendian... no
checking how to run the C preprocessor... gcc -E
checking for strings.h... yes
checking for string.h... yes
checking for stdlib.h... yes
checking for unistd.h... yes
checking for sys/sockio.h... no
checking for paths.h... yes
checking for inet_ntoa in -lnsl... yes
checking for socket in -lsocket... no
checking whether printf must be declared... no
checking whether fprintf must be declared... no
checking whether syslog must be declared... no
checking whether puts must be declared... no
checking whether fputs must be declared... no
checking whether fputc must be declared... no
checking whether fopen must be declared... no
checking whether fclose must be declared... no
checking whether fwrite must be declared... no
checking whether fflush must be declared... no
checking whether getopt must be declared... no
checking whether bzero must be declared... no
checking whether bcopy must be declared... no
checking whether memset must be declared... no
checking whether strtol must be declared... no
checking whether strcasecmp must be declared... no
checking whether strncasecmp must be declared... no
checking whether strerror must be declared... no
checking whether perror must be declared... no
checking whether socket must be declared... no
checking whether sendto must be declared... no
checking whether vsnprintf must be declared... no
checking whether snprintf must be declared... no
checking whether strtoul must be declared... no
checking for snprintf... yes
checking for strlcpy... no
checking for strlcat... no
checking for strerror... yes
checking for floor in -lm... yes
checking for pcap_datalink in -lpcap... yes
checking "for libnet.h"... /usr/local/include
checking for u_int8_t... no
checking for u_int16_t... no
checking for u_int32_t... no
checking for a BSD compatible install... /usr/bin/install -c
configure: creating ./config.status
config.status: creating Makefile
config.status: creating config.h
[root at ...926... snort]# make
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/include/pcap  -I/usr/include  -g -O2 -Wall -DENABLE_RESPONSE -D_BSD_SOURCE -D__BSD_SOURCE -D__FAVOR_BSD -DHAVE_NET_ETHERNET_H -DLIBNET_LIL_ENDIAN -c snort.c
In file included from /usr/include/netinet/in.h:23,
                 from snort.h:43,
                 from snort.c:45:
/usr/include/stdint.h:49: redefinition of `uint8_t'
/usr/include/sys/types.h:196: `uint8_t' previously declared here
/usr/include/stdint.h:50: redefinition of `uint16_t'
/usr/include/sys/types.h:197: `uint16_t' previously declared here
/usr/include/stdint.h:52: redefinition of `uint32_t'
/usr/include/sys/types.h:198: `uint32_t' previously declared here
make: *** [snort.o] Error 1
[root at ...926... snort]# 

One user reported it being able to be compiled if an 
aclocal and automake were performed, but said that in 
all captures he did afterwards, he never saw flexresp 
packets being sent.


----------------------------------------------------------------------

Comment By: Rob Mann (robmn)
Date: 2001-11-19 09:09

Message:
Logged In: YES 
user_id=380140

Can confirm that it gets the spoofed src and dest ports 
wrong when compiled (or from RPMs) on Debian 2.2rev4, 
Redhat 7.1 and 7.2 though FreeBSD 4.4 works fine.

Snort 1.7 resets work fine on Debian 2.2rev4 and RH7.2

Maybe something introduced in snort 1.8.*?

I'm happy to provide tcpdump's/logs/compile screens etc.

----------------------------------------------------------------------

Comment By: Nobody/Anonymous (nobody)
Date: 2001-11-12 09:27

Message:
Logged In: NO 

<possibly useless info>
If you comment out the definitions of uint8_t, uint16_t & 
uint32_t it will compile fine, but you then 
get "SendTCPRST: libnet_write_ipCritical" 's on snort when 
it matches out on a reset rule.  (running under redhat 7.2)

Under Redhat 7.0 it compiles, and the resets are sent but 
with the wrong source and destination ports.  IE for port 
80 reset it actually sends a spoofed packet with src port 
20480.

Have tried both Snort 1.8.1 and 1.8.2, oh and the binary 
rpm's :-(
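
Added example, not part of the comment above and not Snort or libnet code: 20480 is 0x5000, which is port 80 (0x0050) with its two bytes swapped, the pattern a host/network byte-order mismatch produces. The check below reads the port fields of a TCP header and flags that pattern; the function names, the client port 1025 and the sample header bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Verdicts for the port fields of a captured reset packet. */
enum port_verdict { PORT_OK, PORT_BYTE_SWAPPED, PORT_MISMATCH };

/* Read a 16-bit network-order field byte by byte, independent of host order. */
static uint16_t read_be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Swap the two bytes of a 16-bit value. */
static uint16_t swap16(uint16_t v)
{
    return (uint16_t)((v << 8) | (v >> 8));
}

/* Compare one port seen on the wire with the port of the flow being reset. */
enum port_verdict check_port(uint16_t on_wire, uint16_t expected)
{
    if (on_wire == expected) return PORT_OK;
    if (on_wire == swap16(expected)) return PORT_BYTE_SWAPPED;
    return PORT_MISMATCH;
}

/* TCP header bytes 0-1 are the source port, bytes 2-3 the destination port. */
enum port_verdict check_rst_ports(const uint8_t *tcp, size_t len,
                                  uint16_t exp_src, uint16_t exp_dst)
{
    if (tcp == NULL || len < 4) return PORT_MISMATCH;
    enum port_verdict s = check_port(read_be16(tcp), exp_src);
    enum port_verdict d = check_port(read_be16(tcp + 2), exp_dst);
    if (s == PORT_OK && d == PORT_OK) return PORT_OK;
    if (s != PORT_MISMATCH && d != PORT_MISMATCH) return PORT_BYTE_SWAPPED;
    return PORT_MISMATCH;
}

/* Constructed samples: a reset from server port 80 to client port 1025. */
static const uint8_t sample_good[4] = { 0x00, 0x50, 0x04, 0x01 };
static const uint8_t sample_bad[4]  = { 0x50, 0x00, 0x01, 0x04 }; /* 20480, 260 */

int main(void)
{
    printf("good header: %d\n", check_rst_ports(sample_good, 4, 80, 1025));
    printf("bad header:  %d\n", check_rst_ports(sample_bad, 4, 80, 1025));
    return 0;
}
```

A PORT_BYTE_SWAPPED verdict on resets captured with tcpdump points at byte-order handling in the build rather than at the rule that triggered the response.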

----------------------------------------------------------------------

Comment By: Nobody/Anonymous (nobody)
Date: 2001-11-09 11:18

Message:
Logged In: NO 

Exact same problem on Linux-Mandrake 8.1.


----------------------------------------------------------------------

Comment By: Fyodor Yarochkin (fygrave)
Date: 2001-11-06 21:39

Message:
Logged In: YES 
user_id=60781

can we see the snort.conf rule which the other guy was
using?!
(for this issue we'll have a look into it shortly)

----------------------------------------------------------------------
