[Snort-devel] Minor notes snort-3.0.0-a1

Y M snort at ...3347...
Sat Dec 13 07:33:25 EST 2014



From: rucombs at ...3461...
To: snort at ...3347...
CC: snort-devel at lists.sourceforge.net
Subject: RE: [Snort-devel] Minor notes snort-3.0.0-a1
Date: Sat, 13 Dec 2014 12:27:52 +0000

From: Y M [snort at ...3347...]
Sent: Saturday, December 13, 2014 7:22 AM
To: Russ Combs (rucombs)
Cc: snort-devel at lists.sourceforge.net
Subject: RE: [Snort-devel] Minor notes snort-3.0.0-a1

Inline please.

From: rucombs at ...3461...
To: snort at ...3347...; snort-devel at lists.sourceforge.net
Subject: RE: [Snort-devel] Minor notes snort-3.0.0-a1
Date: Sat, 13 Dec 2014 12:02:08 +0000

Thanks for the report.  Comments below.

From: Y M [snort at ...3347...]
Sent: Saturday, December 13, 2014 4:28 AM
To: snort-devel at lists.sourceforge.net
Subject: [Snort-devel] Minor notes snort-3.0.0-a1

1. Difference in performance profiling configuration option when building snort with cmake vs. autotools:

    cmake accepts enable-perfprofiling but not enable-perf-profiling
    autotools accepts enable-perf-profiling but not enable-perfprofiling

* We will get cmake updated to match autotools here.

-- Awesome, thanks.

2. When running snort, a fatal error may be generated:
    FATAL: can't init /usr/local/snort/etc/snort.lua: /usr/local/snort/etc/snort.lua:22: module 'snort_config' not found:
        no field package.preload['snort_config']
        no file './snort_config.lua'
        no file '/usr/local/share/luajit-2.0.3/snort_config.lua'
        no file '/usr/local/share/lua/5.1/snort_config.lua'
        no file '/usr/local/share/lua/5.1/snort_config/init.lua'
        no file './snort_config.so'
        no file '/usr/local/lib/lua/5.1/snort_config.so'
        no file '/usr/local/lib/lua/5.1/loadall.so'
    Fatal Error, Quitting..

    snort_config.lua is not copied to /etc when installing snort. Manually copying snort_config.lua to /etc fixes the issue.


* Did you export LUA_PATH to point to the directory where snort_config.lua is installed?  LUA_PATH is for required files, i.e. files loaded by LuaJIT automatically, whereas SNORT_LUA_PATH is for Snort configuration include paths.  The two are distinct and must be set correctly.

-- Yes:

dev at ...3545...:~$ echo $LUA_PATH
/usr/local/snort/include/snort/lua/?.lua;;
dev at ...3545...:~$ echo $SNORT_LUA_PATH
/usr/local/snort/etc

* So does this exist?

/usr/local/snort/include/snort/lua/snort_config.lua

-- Yes:

dev at ...3545...:~$ ls -l /usr/local/snort/include/snort/lua/
total 8
-rw-r--r-- 1 root root 3041 Dec 12 12:21 snort_config.lua
-rw-r--r-- 1 root root 1531 Dec 12 12:21 snort_plugin.lua



3. Difference in dump_stats() when running with --shell and dump_stats() after running quit():



* This is a known issue already on the todo list.  Glad to see someone actually tried it.  :)



-- Glad to know it's a known issue. Thanks.

o")~ dump_stats()
--------------------------------------------------
Packet Statistics
--------------------------------------------------
daq
                    pcaps: 1
--------------------------------------------------
Module Statistics
--------------------------------------------------
Summary Statistics
--------------------------------------------------
process
           local commands: 12
o")~

o")~ quit()
== stopping
o")~ -- [0] eth0
--------------------------------------------------
Packet Statistics
--------------------------------------------------
daq
                    pcaps: 1
                 received: 118
                 analyzed: 118
                    allow: 118
                     idle: 2
--------------------------------------------------
codec
                    total: 122          (100.000%)
                 discards: 18           ( 14.754%)
                      arp: 2            (  1.639%)
                      eth: 122          (100.000%)
                    icmp4: 78           ( 63.934%)
                     ipv4: 120          ( 98.361%)
                      tcp: 36           ( 29.508%)
                      udp: 6            (  4.918%)
--------------------------------------------------
Module Statistics
--------------------------------------------------
back_orifice
                  packets: 3
--------------------------------------------------
binder
                  packets: 8
                 inspects: 8
--------------------------------------------------
perf_monitor
                  packets: 100
--------------------------------------------------
port_scan_global
                  packets: 98
--------------------------------------------------
stream
                tcp flows: 4
                udp flows: 3
               icmp flows: 1
--------------------------------------------------
stream_icmp
                  created: 1
                 released: 1
--------------------------------------------------
stream_tcp
                 sessions: 4
                 timeouts: 2
            data trackers: 4
         trackers created: 4
        trackers released: 4
              segs queued: 5
            segs released: 5
          client cleanups: 4
--------------------------------------------------
stream_udp
                 sessions: 3
                  created: 3
                 released: 3
--------------------------------------------------
tcp
       bad checksum (ip4): 15
--------------------------------------------------
udp
       bad checksum (ip4): 3
--------------------------------------------------
Summary Statistics
--------------------------------------------------
detection
                 analyzed: 118
--------------------------------------------------
process
           local commands: 15
--------------------------------------------------
timing
                  runtime: 00:02:49
                  seconds: 169.467279
                  packets: 118
                 pkts/sec: 0
o")~   Snort exiting



Thanks.
Yaser
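
The LUA_PATH question in item 2 can be checked before starting Snort by expanding the variable the way Lua 5.1 / LuaJIT does for a required module. The script below is an added example, not part of the thread or of the Snort project; the function names and DEFAULT_LUA_PATH are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: show where Lua 5.1 / LuaJIT would look for a required module.
# The ";;" fallback below is a constructed stand-in for LuaJIT's built-in
# default path, modelled on the "no file" lines in the error quoted above.
DEFAULT_LUA_PATH='./?.lua;/usr/local/share/lua/5.1/?.lua;/usr/local/share/lua/5.1/?/init.lua'

# lua_candidates MODULE PATH: print each candidate file, in search order.
# PATH is a LUA_PATH-style list: ";" separates templates, "?" is the module
# name, and ";;" splices in the default path.
lua_candidates() {
    module=$1
    path=$2
    case $path in
        *';;'*) path=$(printf '%s' "$path" | sed "s|;;|;$DEFAULT_LUA_PATH;|") ;;
    esac
    old_ifs=$IFS
    IFS=';'
    set -f                      # no globbing while splitting on ";"
    for tmpl in $path; do
        [ -n "$tmpl" ] || continue
        printf '%s\n' "$tmpl" | sed "s|?|$module|g"
    done
    set +f
    IFS=$old_ifs
}

# lua_resolve MODULE PATH: print the first readable candidate, or return 1.
lua_resolve() {
    found=$(lua_candidates "$1" "$2" | while IFS= read -r f; do
        if [ -r "$f" ]; then printf '%s\n' "$f"; break; fi
    done)
    if [ -n "$found" ]; then printf '%s\n' "$found"; else return 1; fi
}

# Check the module snort.lua requires against the current environment.
lua_resolve snort_config "${LUA_PATH:-$DEFAULT_LUA_PATH}" ||
    echo "snort_config.lua is not reachable through LUA_PATH" >&2
```

Run it as the same user and from the same shell or service environment that launches snort, since LUA_PATH is only seen by processes that inherit it.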









 		 	   		  