[Snort-openappid] Large amounts of getShortHostFormat entries

James Lay jlay at ...45...
Thu May 21 12:42:13 EDT 2015


It is absolutely 241....however, the FIRST problem is that I'm an idiot 
:)  The second issue was I had two copies of odp, one in /opt, the other 
in /opt/share, the latter being where snort was pointing and I hadn't 
updated 8-| (user) Problem solved...thanks Cliff.

James

On 2015-05-21 09:24 AM, Cliff Judge (cljudge) wrote:
> What does your /opt/share/odp/version.conf say? It should be 241.
> That's what I see when I pull down and extract the latest ODP from
> snort.org.
> 
> ________________________________________
> From: James Lay [jlay at ...45...]
> Sent: Thursday, May 21, 2015 11:02 AM
> To: Cliff Judge (cljudge)
> Cc: openappid
> Subject: RE: [Snort-openappid] Large amounts of getShortHostFormat 
> entries
> 
> On 2015-05-21 07:45 AM, Cliff Judge (cljudge) wrote:
>> Hello James,
>> 
>> Thank you for your email. It is possible that the client_tds detector
>> is inspecting traffic that is not TDS, and is complaining because some
>> packets are missing fields that it thinks should be there.
>> 
>> But there was a bug we fixed several months ago which might also cause
>> this type of error. To make sure nothing weird is going on, could you
>> please run the following on your openappid box and paste the output:
>> 
>> grep getShortHost /opt/share/odp/lua/client_tds.lua
>> 
>> ________________________________________
>> From: James Lay [jlay at ...45...]
>> Sent: Thursday, May 21, 2015 8:42 AM
>> To: openappid
>> Subject: [Snort-openappid] Large amounts of getShortHostFormat entries
>> 
>> Topic says it...just updated this morning to the latest odp and yeesh:
>> 
>> May 21 06:23:24 gateway snort[2465]: client
>> /opt/share/odp/lua/client_tds.lua: error validating [string ""]:151:
>> attempt to call global 'getShortHostFormat' (a nil value)
>> 
>> at least 68 in the last 30 minutes.
>> 
>> James
> 
> Here it is..thank you.
> 
> tdsLength = getShortHostFormat(tdsLength)
> 
> James





More information about the Snort-openappid mailing list