[Snort-devel] SNORT OPSEC plugin patch

Nils Ulltveit-Moe num at ...139...
Fri Oct 12 02:10:11 EDT 2001


I have done some testing of the SNORT OPSEC plugin on Linux, and have
patched it to work better on Debian. The patch concerns mainly
configure.in. I compile it using:

./configure --prefix=/home/num/snort --enable-opsec --enable-debug \
--with-libsslcrypto-libraries=../ssl_stng/static \
--with-libopsec-libraries=../linux22/lib/linux22/static \
--with-libopsec-includes=../linux22/include/opsec --with-openssl=no

The patch is attached. 

In the patch I fixed a conflict between OpenSSL (needed by IDMEF) and
Checkpoint's SSL (needed by opsec). The autoconf setup needs patching for this.
Also changed configure.in to get shared libraries set up right.

Also fixed a bug in spo_opsec.c which was caused when the sam client
action fails. The string msg_copy was freed twice. In addition the
internal static buffer used by inet_ntoa is attempted freed in the variable

NOTE: I did not manage to make the Linux Opsec client work towards a Windows
FW-1 server (remotely). The fw sam command worked on Windows, however.

I also tried to get the local SAM interface on a Linux FW-1 server
working, but compiling the SAM example program did not work AND
running the internal FW-1 function fw sam did not work (hung). Since
fw sam works on the Windows version, this may indicate
that the SAM libraries on Linux are broken. (If the SAM libraries are broken,
then the Linux version of fw sam would be broken too.)

When I run the plugin, I get the error message "unexpected status 12".
My conclusion so far is that the best option to get the opsec plugin
working is to use Solaris and have the SNORT with Opsec locally on the 
FW-1 machine to make it work. Do you have any experience with SNORT on 
Intel architecture? (I do have some old SPARC boxes I can use too.)

NOTE: Please tell me if you have better experience with getting the
Linux version of the OPSEC plugin up and running.

Anyway, I hope the patch will be useful!

Kind regards,
Nils Ulltveit-Moe

-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort-opsec-plugin-1.8.1-linux-patch
Type: application/octet-stream
Size: 8865 bytes
Desc: SNORT OPSEC patch
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20011012/8714fe18/attachment.obj>
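The two cleanup bugs named in the message (a string freed twice when the action fails, and free() applied to the buffer returned by inet_ntoa) can be avoided with the pattern below. This is an added example, not the plugin's code or the attached patch; block_source, sam_action, release, dup_str and the sample address are hypothetical names and values.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static int frees;                       /* counts real frees, for checking */

static char *dup_str(const char *s)     /* heap copy owned by the caller */
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    return p ? memcpy(p, s, n) : NULL;
}

static void release(char **p)           /* free once, then clear the pointer */
{
    if (*p) { free(*p); *p = NULL; frees++; }
}

/* Hypothetical stand-in for the SAM client action; fails when asked to. */
static int sam_action(const char *msg, const char *ip, int fail)
{
    (void)msg; (void)ip;
    return fail ? -1 : 0;
}

int block_source(struct in_addr src, const char *msg, int fail)
{
    char *msg_copy = dup_str(msg);
    /* inet_ntoa() returns a static buffer: copy it, never free() it. */
    char *ip_copy = dup_str(inet_ntoa(src));
    int rc = -1;

    if (msg_copy && ip_copy)
        rc = sam_action(msg_copy, ip_copy, fail);
    if (rc != 0)
        release(&msg_copy);             /* failure branch cleans up early */
    release(&msg_copy);                 /* shared exit: no-op if already released */
    release(&ip_copy);
    return rc;
}

int main(void)
{
    struct in_addr src;
    src.s_addr = htonl(0xC0000201);     /* constructed sample: 192.0.2.1 */
    int rc = block_source(src, "constructed alert", 1);
    printf("rc=%d frees=%d\n", rc, frees);
    return 0;
}
```

Because release() clears the owner's pointer, the cleanup on the shared exit path stays safe even when the failure branch has already released the string.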
