[Snort-devel] Snort 2.4 Released!

M Raju protocoljunkie at ...2499...
Wed Aug 3 11:35:13 EDT 2005


Hi Marty,
  I think the problem in my case was the sguil stream4 patch. Not sure
why I did it, since I use SANCP anyway for SGUIL. I should have
mentioned this in the first place... sorry (Doh!). Somehow I ignored the
reject on the last line when I ran the patch for stream4 (ran out of
coffee :-)). I think we are good on using make or gmake.

I will ping Bamm on #snort-gui ...:-)

Cheers,

_Raju

- - - 

# cp spp_stream4.c spp_stream4.c.bak
# cp /usr/local/src/sguil-0.5.3/sensor/snort_mods/2_1/spp_stream4_sguil.patch .
# patch spp_stream4.c < spp_stream4_sguil.patch
Hmm...  Looks like a new-style context diff to me...
The text leading up to this was:
--------------------------
|*** spp_stream4.c      Tue Jan 27 11:21:23 2004
|--- spp_stream4.c.sguil        Mon Jun  7 16:27:27 2004
--------------------------
Patching file spp_stream4.c using Plan A...
Hunk #1 succeeded at 72 with fuzz 1 (offset 39 lines).
Hunk #2 succeeded at 119 (offset 39 lines).
Hunk #3 succeeded at 158 (offset 8 lines).
Hunk #4 failed at 212.
Hunk #5 succeeded at 293 with fuzz 2 (offset 71 lines).
Hunk #6 succeeded at 261 (offset -51 lines).
Hunk #7 succeeded at 460 (offset 85 lines).
Hunk #8 succeeded at 380 with fuzz 2 (offset -47 lines).
Hunk #9 succeeded at 1108 with fuzz 1 (offset 121 lines).
Hunk #10 succeeded at 1078 (offset -25 lines).
Hunk #11 succeeded at 3648 (offset 335 lines).
Hunk #12 succeeded at 3322 (offset -25 lines).
Hunk #13 succeeded at 4041 (offset 366 lines).
1 out of 13 hunks failed--saving rejects to spp_stream4.c.rej 
done
# cp spp_portscan.c spp_portscan.c.bak
# cp /usr/local/src/sguil-0.5.3/sensor/snort_mods/2_1/spp_portscan_sguil.patch .
# patch spp_portscan.c < spp_portscan_sguil.patch
Hmm...  Looks like a new-style context diff to me...
The text leading up to this was:
--------------------------
|*** spp_portscan.c.orig        Thu Jan  8 15:01:11 2004
|--- spp_portscan.c     Fri Jan  9 09:24:37 2004
--------------------------
Patching file spp_portscan.c using Plan A...
Hunk #1 succeeded at 22.
Hunk #2 succeeded at 241.
Hunk #3 succeeded at 997.
Hunk #4 succeeded at 1250.
Hunk #5 succeeded at 1258.
Hunk #6 succeeded at 1283.
Hunk #7 succeeded at 1376.
Hunk #8 succeeded at 1414.
Hunk #9 succeeded at 1515.
done
#


On 8/3/05, Martin Roesch <roesch at ...402...> wrote:
> Can you try downloading the SNORT_2_4 branch from cvs.snort.org and
> see if you still have the compilation problems?  BTW, I've been using
> gmake to do my builds on OpenBSD lately...
> 
>       -Marty
> 
> On Aug 3, 2005, at 12:58 PM, M. Shirk wrote:
> 
> > Scratch my question (snort.conf conversion from 2.3 to 2.4 was
> > missing community and bleeding snort rules and not your problem and
> > my DFO for Dumb f****** operator) :-)
> >
> > Shirkdog
> > http://www.shirkdog.us
> >
> >
> >
> >
> >> From: "M. Shirk" <shirkdog_list at ...445...>
> >> To: roesch at ...402..., protocoljunkie at ...2499...
> >> CC: snort-devel at lists.sourceforge.net, snort-team at ...402...
> >> Subject: Re: [Snort-devel] Snort 2.4 Released!
> >> Date: Wed, 03 Aug 2005 12:24:25 -0400
> >>
> >> YEAH, I am not the only one. I am on stable OpenBSD 3.7
> >>
> >> I was able to compile but I needed to adjust PATH to include
> >> /usr/local/bin and /usr/local/sbin and I had to get the binary packages
> >> for automake, autoheader, autoconf, aclocal.  I then did a CVS
> >> checkout and ran autojunk.sh (edited to work on OpenBSD with the
> >> bins in /usr/local/bin). Adding --with-libpcre-includes/libraries
> >> to my ./configure, I was able to compile 2.4.
> >>
> >> After seeing this email, I took a tarball I downloaded and I was
> >> able to compile this time (with the changes from above).
> >>
> >> One thing of note, in OpenBSD 3.7, and -current, they switched to
> >> GCC-3.3.5
> >> # gcc -v
> >> Reading specs from /usr/lib/gcc-lib/i386-unknown-openbsd3.7/3.3.5/specs
> >> Configured with:
> >> Thread model: single
> >> gcc version 3.3.5 (propolice)
> >> #
> >>
> >>
> >>
> >> Question: I noticed that in 2.3.3, if I was using http_inspect,
> >> that I would get pattern matches as well as the preprocessor
> >> alerts. Since running 2.4.0, when the RBOT HTTP garbage hits my
> >> sensor, http_inspect is firing its oversized_uri alert, but I no
> >> longer get the bleeding snort rules that should trigger on this
> >> (also the mod_jrun community rule). Is this an optimization to not
> >> pattern match when the preprocessor can handle the traffic? (which
> >> is cool), or something else?
> >>
> >> Shirkdog
> >> http://www.shirkdog.us
> >>
> >>
> >>
> >>
> >>> From: Martin Roesch <roesch at ...402...>
> >>> To: M Raju <protocoljunkie at ...2499...>
> >>> CC: snort-devel at lists.sourceforge.net, snort-team at ...402...
> >>> Subject: Re: [Snort-devel] Snort 2.4 Released!
> >>> Date: Wed, 3 Aug 2005 10:41:08 -0400
> >>>
> >>> Hi Raju,
> >>>
> >>> I'm checking it out.  I did a test build on OpenBSD 3.4 before
> >>> shipping, let me see if a problem slipped in there someplace...
> >>>
> >>>      -Marty
> >>>
> >>>
> >>> On Aug 3, 2005, at 7:55 AM, M Raju wrote:
> >>>
> >>>
> >>>> Marty,
> >>>>  Just wanted to let you know that 2.4 compile on OpenBSD-current
> >>>> fails. Not sure if any builds were tested on OpenBSD (I am setting up
> >>>> a 3.7-stable box to see if it is an OBSD issue). I know you were working
> >>>> on RH9 rpms (yikes!), but perhaps *BSD were not added for 2.4 testing?
> >>>> Thanks.
> >>>>
> >>>> _Raju
> >>>>
> >>>> -
> >>>>
> >>>> local/include -DLIBNET_BSDISH_OS -DLIBNET_LIL_ENDIAN  -g -O2 -Wall -c spp_stream4.c
> >>>> spp_stream4.c: In function `DeleteSession':
> >>>> spp_stream4.c:3661: error: `FLUSH_DELAY' undeclared (first use in this function)
> >>>> spp_stream4.c:3661: error: (Each undeclared identifier is reported only once
> >>>> spp_stream4.c:3661: error: for each function it appears in.)
> >>>> *** Error code 1
> >>>>
> >>>> Stop in /usr/local/src/snort-2.4.0/src/preprocessors.
> >>>> *** Error code 1
> >>>>
> >>>> Stop in /usr/local/src/snort-2.4.0/src/preprocessors (line 285 of Makefile).
> >>>> *** Error code 1
> >>>>
> >>>> Stop in /usr/local/src/snort-2.4.0/src (line 334 of Makefile).
> >>>> *** Error code 1
> >>>>
> >>>> Stop in /usr/local/src/snort-2.4.0 (line 303 of Makefile).
> >>>> *** Error code 1
> >>>>
> >>>> Stop in /usr/local/src/snort-2.4.0 (line 180 of Makefile).
> >>>>
> >>>>
> >>>> On 7/28/05, Martin Roesch <roesch at ...402...> wrote:
> >>>>
> >>>>
> >>>>> Nothing sinister, just dropped the ball between Jeremy leaving and me
> >>>>> picking things up.  I'll take a look and get them in shortly if I can.
> >>>>>
> >>>>>       -Marty
> >>>>>
> >>>>>
> >>>>> On Jul 28, 2005, at 6:46 PM, Erik de Castro Lopo wrote:
> >>>>>
> >>>>>
> >>>>>
> >>>>>> On Thu, 28 Jul 2005 11:50:34 -0400
> >>>>>> Jennifer Steffens <jennifer.steffens at ...402...> wrote:
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>> Hey Everyone,
> >>>>>>>
> >>>>>>> Snort v2.4 is now officially available. This release includes a
> >>>>>>> number
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>
> >>>>>> <snip>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>> If you have any feedback, let us know - snort-team at ...2780...
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>
> >>>>>> I was rather disappointed that the two patches I sent in:
> >>>>>>
> >>>>>>      http://www.webservertalk.com/message1053302.html
> >>>>>>      http://sourceforge.net/mailarchive/forum.php?thread_id=7172477&forum_id=7142
> >>>>>>
> >>>>>> have not been applied. Both are small, localised, easily
> >>>>>> verifiable changes.
> >>>>>>
> >>>>>> Have these been dropped by mistake or were they rejected for some
> >>>>>> other reason?
> >>>>>>
> >>>>>> Erik
> >>>>>> --
> >>>>>> -------------------------------------------------------
> >>>>>> [N] Erik de Castro Lopo, Senior Computer Engineer
> >>>>>> [E] erik.de.castro.lopo at ...2292...
> >>>>>> [W] http://www.sensorynetworks.com
> >>>>>> [T] +61 2 83022726
> >>>>>> [F] +61 2 94750316
> >>>>>> [A] L6/140 William St, East Sydney NSW 2011, Australia
> >>>>>> -------------------------------------------------------
> >>>>>> "Premature optimization is the root of all evil" - C.A.R.Hoare
> >>>>>> "If it doesn't work, don't optimize." - Christian Bau
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>
> >>>>> --
> >>>>> Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
> >>>>> Sourcefire - Network Defense for the Real World - http://www.sourcefire.com
> >>>>> Snort: Open Source Intrusion Detection and Prevention - http://www.snort.org
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>> _______________________________________________
> >>>>> Snort-devel mailing list
> >>>>> Snort-devel at lists.sourceforge.net
> >>>>> https://lists.sourceforge.net/lists/listinfo/snort-devel
> >>>>>
> >>>>>
> >>>>>
> >>>>
> >>>>
> >>>> --
> >>>> May the packets be with you.
> >>>>
> >>>>
> >>>>
> >>>
> >>> --
> >>> Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
> >>> Sourcefire - Network Defense for the Real World - http://www.sourcefire.com
> >>> Snort: Open Source Intrusion Detection and Prevention - http://www.snort.org
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>
> >>
> >
> >
> >
> 
> --
> Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
> Sourcefire - Network Defense for the Real World - http://www.sourcefire.com
> Snort: Open Source Intrusion Detection and Prevention - http://www.snort.org
> 
> 
> 
> 


-- 
May the packets be with you.
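
The overlooked "Hunk #4 failed" line in the patch transcript above is the kind of result a build script can check for mechanically. The following is an added example, not part of the original message or of the Snort or sguil sources: the function names and the sample log are constructed for illustration, and `apply_clean_or_abort` assumes a patch(1) that supports `--dry-run` (GNU patch does).

```shell
#!/bin/sh
# Constructed sample: a few lines in the format of the patch(1) transcript above.
sample_log() {
cat <<'EOF'
Patching file spp_stream4.c using Plan A...
Hunk #1 succeeded at 72 with fuzz 1 (offset 39 lines).
Hunk #3 succeeded at 158 (offset 8 lines).
Hunk #4 failed at 212.
Hunk #5 succeeded at 293 with fuzz 2 (offset 71 lines).
1 out of 13 hunks failed--saving rejects to spp_stream4.c.rej
EOF
}

# Read a patch(1) transcript on stdin and print one summary line:
#   failed=N fuzzy=M max_offset=K
# Failed hunks leave the file half-patched; fuzz and large offsets mean the
# patch was written against a different revision and deserves a manual review.
summarize_patch_log() {
    awk '
        /^Hunk #[0-9]+ failed/ { failed++ }
        /^Hunk #[0-9]+ succeeded/ && /with fuzz/ { fuzzy++ }
        match($0, /offset -?[0-9]+ line/) {
            # skip "offset " (7 chars) and drop the trailing " line" (5 chars)
            n = substr($0, RSTART + 7, RLENGTH - 12) + 0
            if (n < 0) n = -n
            if (n > max) max = n
        }
        END { printf "failed=%d fuzzy=%d max_offset=%d\n", failed, fuzzy, max }
    '
}

# Succeeds only when the transcript on stdin contains no failed hunk, so a
# build script can stop before compiling a partially patched source file.
patch_log_ok() {
    summarize_patch_log | grep -q '^failed=0 '
}

# Apply a patch only if a dry run applies cleanly (patch exits non-zero when
# any hunk is rejected). Usage: apply_clean_or_abort target.c change.patch
apply_clean_or_abort() {
    if patch --dry-run "$1" < "$2" >/dev/null 2>&1; then
        patch "$1" < "$2"
    else
        echo "refusing to apply $2 to $1: dry run reported rejects" >&2
        return 1
    fi
}
```

A dry run still succeeds when hunks apply with fuzz, so the summary line remains useful for spotting a patch made against another source revision.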



