[Snort-openappid] Configuration Problem

Jim Campbell jim at w4bqp.net
Sat Jun 17 07:13:10 EDT 2017


Noah,

I did everything but delete the Snort binary and configuration 
directory. But I don't understand deleting the configuration directory. 
That's where all my configuration modifications are kept. Do I really 
need to re-enter all my configuration data? Please clarify.

Thanks for the help.

Jim

On 6/17/2017 2:12 AM, Noah Dietrich wrote:
> Hi Jim,
>
> I re-ran this install on a new Ubuntu 16 x64 install and did not 
> encounter the issue you are seeing,  I've tried with the unified2 
> settings you have above, and i'm again not able to recreate the 
> problem. I suspect that you've either not re-compiled snort with 
> OpenAppID support, or you're using a compiled version of snort without 
> OpenAppID.
>
> Did you first delete old version of the snort binary and configuration 
> directory before trying to compile snort with OpenAppID?  When you 
> compiled snort, did you use both options:
> |--||enable||-sourcefire --||enable||-||open||-appid|
>
> Did you check the output of that command to see if there were any 
> issues? I usually run it a second time, as follows to see if any 
> software features were not enabled, as follows:
> ./configure --enable-sourcefire --enable-open-appid
>     (make sure the output succeded)
> ./configure --enable-sourcefire --enable-open-appid | grep '... no'
>     (look for anything that should have been enabled that is not 
> enabled. you'll see some no's here, but they aren't required for the 
> most part)
>
> As for the other error you referenced, it's not related to this issue. 
> The problem was that if OpenAppID was compiled in, all U2 output was 
> version 2 of the unified2 format, which doesn't work with a lot of 
> tools out there.
>
> Noah
>
>
>
>
>
>
> On Thu, Jun 15, 2017 at 9:27 PM, Jim Campbell <jim at w4bqp.net 
> <mailto:jim at w4bqp.net>> wrote:
>
>     Fresh off my success yesterday of getting Snort 2.9.9.0 to work in
>     inline IPS mode I decided to upgrade to OpenAppID. I used the
>     instructions in
>     sublimerobots.com/2017/01/installing-openappid-with-snort-2-9-9-x-on-ubuntu/
>     <http://sublimerobots.com/2017/01/installing-openappid-with-snort-2-9-9-x-on-ubuntu/>
>     All went well until I got to the part where I ran Snort in test
>     mode to check out my snort.conf changes. (I installed the most
>     current version of the Application Detector Package (5411).)
>
>     All went well until I got to this part:
>
>     ...
>       Finished Loading all dynamic preprocessor libs from
>     /usr/local/lib/snort_dynamicpreprocessor/
>     Log directory = /var/log/snort
>     ERROR: Argument Error in /etc/snort/snort.conf(529): appid_event_types
>     Fatal Error, Quitting..
>     ...
>
>     This is the pertinent section of snort.conf:
>
>     # unified2
>     # Recommended for most installs
>     # output unified2: filename merged.log, limit 128, nostamp,
>     mpls_event_types, vlan_event_types
>     output unified2: filename snort.u2, limit 128
>     output unified2: filename snort.log, limit 128, appid_event_types
>
>     Searching for help in the archives I discovered that Noah Dietrich
>     had a similar problem but it occurred when he was testing
>     Barnyard2. His post is at: http://seclists.org/snort/2016/q1/290
>     <http://seclists.org/snort/2016/q1/290> It didn't appear that he
>     got an answer.
>
>     Is there an answer or is OpenAppID broken?
>
>     Thanks,
>
>     Jim
>
>     -- 
>     "We are not human beings having a spiritual experience;
>     we are spiritual beings having a human experience."
>     ---Pierre Teilhard de Chardin
>
>     _______________________________________________
>     Snort-openappid mailing list
>     Snort-openappid at lists.snort.org
>     <mailto:Snort-openappid at lists.snort.org>
>     https://lists.snort.org/mailman/listinfo/snort-openappid
>     <https://lists.snort.org/mailman/listinfo/snort-openappid>
>
>     Please visit http://blog.snort.org to stay current on all the
>     latest Snort news!
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-openappid/attachments/20170617/8bb46d46/attachment.html>


More information about the Snort-openappid mailing list