[Snort-openappid] Configuration Problem

Noah Dietrich noah_dietrich at 86penny.org
Sat Jun 17 02:12:56 EDT 2017


Hi Jim,

I re-ran this install on a new Ubuntu 16 x64 install and did not encounter
the issue you are seeing. I've tried with the unified2 settings you have
above, and I'm again not able to recreate the problem. I suspect that
you've either not re-compiled snort with OpenAppID support, or you're using
a compiled version of snort without OpenAppID.

Did you first delete the old version of the snort binary and configuration
directory before trying to compile snort with OpenAppID?  When you compiled
snort, did you use both options:
--enable-sourcefire --enable-open-appid

Did you check the output of that command to see if there were any issues? I
usually run it a second time, as follows, to see if any software features
were not enabled:
./configure --enable-sourcefire --enable-open-appid
    (make sure the output succeeded)
./configure --enable-sourcefire --enable-open-appid | grep '... no'
    (look for anything that should have been enabled that is not enabled.
You'll see some no's here, but they aren't required for the most part)

As for the other error you referenced, it's not related to this issue. The
problem was that if OpenAppID was compiled in, all U2 output was version 2
of the unified2 format, which doesn't work with a lot of tools out there.

Noah
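A small helper for the situation in this thread, added here as an example and not part of either post: it locates every `output unified2:` directive in a snort.conf that uses the OpenAppID-only `appid_event_types` option (so the line number in "Argument Error in snort.conf(529)" can be matched to its directive), and can strip that option so the same config loads on a snort binary built without `--enable-open-appid` while the rebuild is sorted out. The function names and the sample config are constructed for this example.

```shell
#!/bin/sh
# find_appid_u2_options: print "lineno:directive" for every active (non-comment)
# "output unified2:" line that carries appid_event_types. Those lines only parse
# on a snort built with --enable-sourcefire --enable-open-appid.
find_appid_u2_options() {
    awk '
        /^[[:space:]]*#/ { next }                          # skip comments
        /^[[:space:]]*output[[:space:]]+unified2:/ && /appid_event_types/ {
            printf "%d:%s\n", NR, $0
        }
    ' "$1"
}

# count_appid_u2_options: number of such directives; 0 means the config does
# not depend on OpenAppID support in the binary.
count_appid_u2_options() {
    find_appid_u2_options "$1" | wc -l | tr -d ' '
}

# strip_appid_u2_option: write a copy of the config with the appid_event_types
# option removed from unified2 output lines (other options are left intact).
strip_appid_u2_option() {
    sed -E '/^[[:space:]]*output[[:space:]]+unified2:/ s/,[[:space:]]*appid_event_types//' "$1" > "$2"
}

# Constructed sample mirroring the snort.conf excerpt quoted in the thread.
SAMPLE_CONF="$(mktemp)"
STRIPPED_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
# unified2
# Recommended for most installs
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
output unified2: filename snort.u2, limit 128
output unified2: filename snort.log, limit 128, appid_event_types
EOF

find_appid_u2_options "$SAMPLE_CONF"        # prints line 5 of the sample
strip_appid_u2_option "$SAMPLE_CONF" "$STRIPPED_CONF"
```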
On Thu, Jun 15, 2017 at 9:27 PM, Jim Campbell <jim at w4bqp.net> wrote:

> Fresh off my success yesterday of getting Snort 2.9.9.0 to work in inline
> IPS mode I decided to upgrade to OpenAppID. I used the instructions in
> sublimerobots.com/2017/01/installing-openappid-with-snort-2-9-9-x-on-ubuntu/
> All went well until I got to the part where I ran Snort in test mode to
> check out my snort.conf changes. (I installed the most current version of
> the Application Detector Package (5411).)
>
> All went well until I got to this part:
>
> ...
>   Finished Loading all dynamic preprocessor libs from
> /usr/local/lib/snort_dynamicpreprocessor/
> Log directory = /var/log/snort
> ERROR: Argument Error in /etc/snort/snort.conf(529): appid_event_types
> Fatal Error, Quitting..
> ...
>
> This is the pertinent section of snort.conf:
>
> # unified2
> # Recommended for most installs
> # output unified2: filename merged.log, limit 128, nostamp,
> mpls_event_types, vlan_event_types
> output unified2: filename snort.u2, limit 128
> output unified2: filename snort.log, limit 128, appid_event_types
>
> Searching for help in the archives I discovered that Noah Dietrich had a
> similar problem but it occurred when he was testing Barnyard2. His post is
> at:  http://seclists.org/snort/2016/q1/290 It didn't appear that he got
> an answer.
>
> Is there an answer or is OpenAppID broken?
>
> Thanks,
>
> Jim
>
> --
> "We are not human beings having a spiritual experience;
> we are spiritual beings having a human experience."
> ---Pierre Teilhard de Chardin
>