[Snort-openappid] Snort exits when using appid

Mike Stepanek (mstepane) mstepane at ...5...
Tue Sep 1 10:50:32 EDT 2015


Also, if you configure Snort with "--enable-debug" and remake it, that might make for a better backtrace.

From: Mike Stepanek (mstepane)
Sent: Tuesday, September 01, 2015 10:48 AM
To: Gabriel Corre; Costas Kleopa (ckleopa)
Cc: snort-openappid at lists.sourceforge.net
Subject: Re: [Snort-openappid] Snort exits when using appid

I'm not having much luck reproducing what you're seeing.

Given that, if you're up for it, the most useful thing at this point would be to get a gdb stack trace on it then.  If you have gdb available, you can do a "gdb --args" in front of the snort command, and then "run" it.  When it segv's, a backtrace ("bt") would be a big help probably (sorry for being overly instructional).

From: Gabriel Corre [mailto:gabriel.corre at ...94...]
Sent: Tuesday, September 01, 2015 10:41 AM
To: Mike Stepanek (mstepane); Costas Kleopa (ckleopa)
Cc: snort-openappid at lists.sourceforge.net
Subject: RE: [Snort-openappid] Snort exits when using appid

Well, echo $? returns 139.

--

Gabriel C


From: Mike Stepanek (mstepane) [mailto:mstepane at ...5...]
Sent: Tuesday, 1 September 2015 16:37
To: Gabriel Corre <gabriel.corre at ...94...>; Costas Kleopa (ckleopa) <ckleopa at ...5...>
Cc: snort-openappid at lists.sourceforge.net
Subject: RE: [Snort-openappid] Snort exits when using appid

OK, it's a little tough to tell if it's punting in AppID or somewhere else (those are the last messages you would see from AppID in a normal case).  I'm curious what return code you're getting.  Can you run Snort and then do an "echo $?" afterward?

From: Gabriel Corre [mailto:gabriel.corre at ...94...]
Sent: Tuesday, September 01, 2015 9:48 AM
To: Mike Stepanek (mstepane); Costas Kleopa (ckleopa)
Cc: snort-openappid at lists.sourceforge.net
Subject: RE: [Snort-openappid] Snort exits when using appid

Nope sir, just a mis-click. It's a normal i!

--

Gabriel Corré
Network Engineer, Ops - Core Infrastructure

From: Mike Stepanek (mstepane) [mailto:mstepane at ...5...]
Sent: Tuesday, 1 September 2015 15:33
To: Gabriel Corre <gabriel.corre at ...94...>; Costas Kleopa (ckleopa) <ckleopa at ...5...>
Cc: snort-openappid at lists.sourceforge.net
Subject: RE: [Snort-openappid] Snort exits when using appid

Is that a capital i for the "-i eth0"?

- Mike

From: Gabriel Corre [mailto:gabriel.corre at ...94...]
Sent: Tuesday, September 01, 2015 9:18 AM
To: Mike Stepanek (mstepane); Costas Kleopa (ckleopa)
Cc: snort-openappid at lists.sourceforge.net
Subject: RE: [Snort-openappid] Snort exits when using appid

Sorry, I forgot the command line: sudo snort -c ./snort.conf -I eth0

--

Gabriel C.

From: Gabriel Corre [mailto:gabriel.corre at ...94...]
Sent: Tuesday, 1 September 2015 15:14
To: Mike Stepanek (mstepane) <mstepane at ...5...>; Costas Kleopa (ckleopa) <ckleopa at ...5...>
Cc: snort-openappid at lists.sourceforge.net
Subject: Re: [Snort-openappid] Snort exits when using appid

I built Snort using this command: ./configure -enable-sourcefire -enable-open-appid. I installed Snort using the "Snort IPS tutorial" which is on snort.org.
My detector folder should be: "/usr/src/snort-2.9.7.5/src/dynamic-preprocessors/appid"
My appid conf folder is: "/usr/local/etc/cisco/app/odp"

Do you need something else?
Thanks for your help!

--

Gabriel C.

From: Mike Stepanek (mstepane) [mailto:mstepane at ...5...]
Sent: Tuesday, 1 September 2015 14:54
To: Costas Kleopa (ckleopa) <ckleopa at ...5...>; Gabriel Corre <gabriel.corre at ...94...>
Cc: snort-openappid at lists.sourceforge.net
Subject: RE: [Snort-openappid] Snort exits when using appid

Also, if you can include the command line that you're using, that would be good too.  If you can get a complete dump of stdout/stderr from Snort too (rather than just the clip below), that would be great too.

Thanks!

- Mike Stepanek
   mstepane at ...5...

From: Costas Kleopa (ckleopa)
Sent: Tuesday, September 01, 2015 8:49 AM
To: Gabriel Corre
Cc: snort-openappid at lists.sourceforge.net
Subject: Re: [Snort-openappid] Snort exits when using appid

That userappid file is optional; it should not be the reason for your failure.
Could you send us your snort.conf file, tell us how you build snort, and where your detectors folder is located?

Thanks
Costas

On Sep 1, 2015, at 8:30 AM, Gabriel Corre <gabriel.corre at ...94...> wrote:

Hi !

I'm currently working on getting snort working with openappid and I think I'm pretty close.
However, when I launch Snort I get:
Could not read configuration file /usr/local/etc/cisco/app/custom/userappid.conf
LuaJIT: Version LuaJIT 2.0.2
    Setting tracker size to 211
AppInfo: AppId 3861 is UNKNOWN
AppInfo: AppId 3970 is UNKNOWN
AppInfo: AppId 939 is UNKNOWN
AppInfo: AppId 939 is UNKNOWN
AppInfo: AppId 1697 is UNKNOWN
AppInfo: AppId 3971 is UNKNOWN
AppInfo: AppId 3971 is UNKNOWN
    TCP Port-Only Services

And Snort exits without any error message.
I cannot find "userappid.conf" but I'm not sure this is the problem.

This is my Snort info:
Version 2.9.7.5 GRE (Build 262)
           By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.7.4
           Using PCRE version: 8.30 2012-02-04
           Using ZLIB version: 1.2.7

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 2.4  <Build 1>
           Preprocessor Object: SF_POP  Version 1.0  <Build 1>
           Preprocessor Object: SF_SSLPP  Version 1.1  <Build 4>
           Preprocessor Object: SF_REPUTATION  Version 1.1  <Build 1>
           Preprocessor Object: SF_SSH  Version 1.1  <Build 3>
           Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 3>
           Preprocessor Object: SF_IMAP  Version 1.0  <Build 1>
           Preprocessor Object: SF_DNP3  Version 1.1  <Build 1>
           Preprocessor Object: SF_SMTP  Version 1.1  <Build 9>
           Preprocessor Object: SF_SDF  Version 1.1  <Build 1>
           Preprocessor Object: SF_MODBUS  Version 1.1  <Build 1>
           Preprocessor Object: SF_GTP  Version 1.1  <Build 1>
           Preprocessor Object: SF_DNS  Version 1.1  <Build 4>
           Preprocessor Object: SF_SIP  Version 1.1  <Build 1>
           Preprocessor Object: APPID  Version 1.1  <Build 4>
           Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 13>


Any Idea?

Cheers
--

Gabriel Corré
Network Engineer, Ops - Core Infrastructure
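The diagnostic procedure Mike suggests earlier in this thread, written up as a small shell wrapper: check the exit status after Snort dies (139 is 128 + 11, i.e. the process was killed by SIGSEGV rather than exiting on its own), and if it was a crash, rerun the same command under gdb with a scripted "run" and "bt" so the backtrace is captured without an interactive session. This is an added example, not code from the thread or from the Snort project. The file name crashwrap.sh, the function names and the Snort command line in the usage comment are assumptions; the gdb flags (--batch, -ex, --args) are real gdb options.

```sh
#!/bin/sh
# Added example (not from the thread or the Snort project): wrap a command,
# decode an abnormal exit status, and when it died of a signal rerun it under
# gdb in batch mode so the backtrace is captured non-interactively.

# POSIX shells report a process killed by a signal as 128 + signal number,
# so the 139 seen in the thread is 128 + 11 = SIGSEGV. Statuses below 128
# are ordinary exits chosen by the program itself.
decode_exit_status() {
    status="$1"
    if [ "$status" -lt 128 ]; then
        echo "exit $status"
        return 0
    fi
    sig=$((status - 128))
    case "$sig" in
        6)  echo "SIGABRT" ;;   # abort(), e.g. a failed assert or glibc heap check
        7)  echo "SIGBUS" ;;
        8)  echo "SIGFPE" ;;
        9)  echo "SIGKILL" ;;   # killed from outside, e.g. by the OOM killer
        11) echo "SIGSEGV" ;;
        15) echo "SIGTERM" ;;
        *)  echo "signal $sig" ;;
    esac
}

# True when the status means "killed by a signal" rather than a normal exit.
is_crash() {
    [ "$1" -ge 128 ]
}

# Run the command given as arguments. On a crash, rerun it under gdb with a
# scripted "run" followed by "bt": the non-interactive form of the
# "gdb --args ... / run / bt" sequence suggested in the thread. The program
# is executed a second time, so this only helps when the crash reproduces.
run_with_backtrace() {
    "$@"
    status=$?
    if is_crash "$status"; then
        echo "crashed with $(decode_exit_status "$status")" >&2
        if command -v gdb >/dev/null 2>&1; then
            gdb --batch -ex run -ex bt --args "$@"
        else
            echo "gdb not found; install it to capture a backtrace" >&2
        fi
    fi
    return "$status"
}

# Usage, with the paths and interface from the thread (note the lower-case -i).
# Run the wrapper itself as root rather than passing sudo as the command, or
# gdb will debug sudo instead of snort (assumed file name crashwrap.sh):
#   sudo sh -c '. ./crashwrap.sh && run_with_backtrace snort -c ./snort.conf -i eth0'
```

A backtrace from a build configured with --enable-debug (as Mike suggests) will carry more symbol information than one from a default build; if gdb reports "No symbol table info available", rebuild with that option before retrying.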

------------------------------------------------------------------------------
_______________________________________________
Snort-openappid mailing list
Snort-openappid at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-openappid

Please visit http://blog.snort.org to stay current on all the latest Snort news!
