[Snort-devel] SNORT OPSEC plugin patch
num at ...139...
Fri Oct 12 02:10:11 EDT 2001
I have done some testing of the SNORT OPSEC plugin on Linux, and have
patched it to work better on Debian. The patch concerns mainly
configure.in. I compile it using:
./configure --prefix=/home/num/snort --enable-opsec --enable-debug \
The patch is attached.
In the patch I fixed a conflict between OpenSSL (needed by IDMEF) and
Check Point's SSL (needed by opsec). The autoconf setup needs patching for this.
Also changed configure.in to get shared libraries set up right.
Also fixed a bug in spo_opsec.c which was caused when the sam client
action fails. The string msg_copy was freed twice. In addition the
internal static buffer used by inet_ntoa is attempted freed in the variable
NOTE: I did not manage to make the Linux Opsec client work towards a Windows
FW-1 server (remotely). The fw sam command worked on Windows, however.
I also tried to get the local SAM interface on a Linux FW-1 server
working, but compiling the SAM example program did not work AND
running the internal FW-1 function fw sam did not work (hung). Since
fw sam works on the Windows version, this may indicate
that the SAM libraries on Linux are broken. (If the SAM libraries are broken,
then the Linux version of fw sam would be broken too.)
When I run the plugin, I get the error message "unexpected status 12".
My conclusion so far is that the best option to get the opsec plugin
working is to use Solaris and have the SNORT with Opsec locally on the
FW-1 machine to make it work. Do you have any experience with SNORT on
intel architecture? (I do have some old SPARC boxes I can use too.)
NOTE: Please tell me if you have better experience with getting the
Linux version of the OPSEC plugin up and running.
Anyway, I hope the patch will be useful!
With kind regards,
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 8865 bytes
Desc: SNORT OPSEC patch
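
Added example, not part of the original mail or of the attached patch: a C sketch of the two memory errors the mail describes in spo_opsec.c (msg_copy freed twice when the SAM client action fails, and inet_ntoa's static buffer passed to free), next to a corrected form. The function names, the sam_action stand-in and the control flow are assumptions, since the plugin source is not shown on this page.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the SAM client action; fails on request. */
static int sam_action(const char *msg, int fail) { (void)msg; return fail ? -1 : 0; }
static char *copy_msg(const char *msg) {
    size_t n = strlen(msg) + 1;
    char *p = malloc(n);
    if (p != NULL) memcpy(p, msg, n);
    return p;
}

/* Assumed shape of the bug (never called here): the failure branch frees
 * msg_copy and the shared cleanup frees it again; ip is not heap memory. */
int block_host_buggy(struct in_addr addr, const char *msg, int fail) {
    char *msg_copy = copy_msg(msg);
    char *ip = inet_ntoa(addr);       /* points into a static libc buffer */
    int rc = 0;
    if (msg_copy == NULL) return -1;
    if (sam_action(msg_copy, fail) != 0) {
        free(msg_copy);               /* first free */
        rc = -1;
    }
    free(msg_copy);                   /* second free on the failure path */
    free(ip);                         /* free() of non-heap memory */
    return rc;
}

/* Corrected form: one cleanup path, address text written to a caller buffer. */
int block_host_fixed(struct in_addr addr, const char *msg, int fail,
                     char *ip_out, socklen_t ip_len) {
    int rc = -1;
    char *msg_copy = copy_msg(msg);
    if (msg_copy == NULL) return -1;
    if (inet_ntop(AF_INET, &addr, ip_out, ip_len) != NULL &&
        sam_action(msg_copy, fail) == 0)
        rc = 0;
    free(msg_copy);                   /* exactly one free on every path */
    return rc;
}

int main(void) {
    struct in_addr a = { .s_addr = htonl(0xC0000201u) };  /* 192.0.2.1, constructed */
    char ip[INET_ADDRSTRLEN];
    printf("rc=%d\n", block_host_fixed(a, "constructed alert", 1, ip, sizeof ip));
    return 0;
}
```

Building the buggy variant with AddressSanitizer (`-fsanitize=address`) and driving its failure path is a quick way to confirm this class of error before and after a fix.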