[Snort-users] libpcap question?

J. Craig Woods drjung at ...5405...
Sun Sep 15 13:17:02 EDT 2002


Jason Costomiris wrote:
> 
> On Sun, Sep 15, 2002 at 12:51:47PM -0500, J. Craig Woods wrote:
> : > That RPM was built against RedHat.  Get the SRPM and rpm --rebuild to suit
> : > your system's lib versions..
> :
> : Yea, I could see that it was built for RedHat but when trying to rebuild
> : the src rpm, I was getting mysql-devel dependency problems, even though
> : I have all the mysql components installed, including mysql-devel.
> 
> You're on Mandrake, right?  You don't have a mysql-devel package.  You
> have a libmysql10-devel package, or so it seems.
> 
> Besides, you seem to be using the Mandrake cooker, which already has snort
> rpms in it, why not use them?
> 
 
Yes and no. First, I am running my gateway/router machine with older
mandrake version, LMDK7.2 (No thanks, I do not want to upgrade. Too much
work has gone into this baby, i.e. some very extensive, manually
created, ipchains rules, hand-crafted tripwire configuration with every
file loaded, and many other cooker and "homemade" customizations). As I
indicated, it is fully loaded with mysql components:

"rpm -qa | grep MySQL"

MySQL-client-3.23.31-1.1mdk
MySQL-devel-3.23.31-1.1mdk
MySQL-shared-3.23.31-1.1mdk
MySQL-3.23.31-1.1mdk
MySQL-bench-3.23.31-1.1mdk

Still, snort src (snort.org version) would not compile for me. As I
indicated, it gave me some gibberish about not finding mysql-devel.
Maybe a "case" problem, you think?

Mandrake cooker version of snort-1.8.7 requires GLIBC 2.2, which 7.2
does not have, and I am not willing to break most everything in the OS
to upgrade GLIBC. So the new mandrake snort version is a *no* go for me.
I wanted the latest rpm version of snort, and Snort-1.8.7-1snort, from
snort.org, works nicely for my box, once I hacked on the lib thing, i.e.
setup some symlinks.

Here is a question for you, Jason: What is going on with your MTA?
Every time my mail server receives mail from you, I get alerts:

[**] [1:654:5] SMTP RCPT TO overflow [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
09/15-13:37:37.425611 146.145.196.12:39458 -> 4.64.80.236:25
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:1765
***AP*** Seq: 0x2BC79AD  Ack: 0x745A5EE  Win: 0x7D78  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0260]
[Xref => http://www.securityfocus.com/bid/2283] 

(When posting to snort list, I have never understood the need to
obfuscate IP addresses: they are all in the mail headers, right?)      

Any thoughts on this alert?

drjung


-- 
J. Craig Woods
UNIX Network/System Administration
http://www.trismegistus.net/resume.html
Character is built upon the debris of despair --Emerson
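Added example (not part of the original mail, and not Snort's own code): a small Python emulation of the rule behind the alert quoted above, sid 654 "SMTP RCPT TO overflow", next to the second-stage check an analyst would apply before treating it as a real attack. Assumptions are labelled in the code: my recollection of the 1.8.x rule text is `content:"rcpt to|3a|"; nocase; dsize:>800`, which means any payload larger than 800 bytes that contains the string anywhere fires it, whether the string is a command with an oversized argument (the overflow described by CAN-2001-0260) or just an ordinary RCPT TO that happens to sit in one large chunk of client data together with DATA and the message body (a pipelining client, or a stream reassembled into one pseudo-packet). The payloads are constructed, not captured traffic, and the 256-byte bound on a "suspicious" recipient argument is an arbitrary threshold chosen here.

```python
import re

# Approximation of the Snort 1.8.x rule behind the alert (sid 654), as I
# recall it: content:"rcpt to|3a|"; nocase; dsize:>800.  This is an
# assumption about the rule text; check the sid in your local rules file.
RCPT_CONTENT = re.compile(rb"rcpt to:", re.IGNORECASE)
DSIZE_MIN = 800

# Assumption: a real mailbox address is far shorter than this; anything
# longer in a single RCPT TO argument is worth looking at.
SUSPICIOUS_ARG_LEN = 256


def sid654_fires(payload: bytes) -> bool:
    """Emulate the rule: big payload that contains 'rcpt to:' anywhere."""
    return len(payload) > DSIZE_MIN and RCPT_CONTENT.search(payload) is not None


def rcpt_arg_lengths(payload: bytes) -> list:
    """Length of the argument of each RCPT TO command line in the payload.

    Only command lines are examined; the same string inside a message body
    (for example a quoted Snort alert) is not a command.
    """
    lengths = []
    for line in payload.split(b"\r\n"):
        if line[:8].lower() == b"rcpt to:":
            lengths.append(len(line[8:].strip()))
    return lengths


def triage(payload: bytes) -> str:
    """Second-stage check an analyst would apply to the alert."""
    if not sid654_fires(payload):
        return "no alert"
    if any(n > SUSPICIOUS_ARG_LEN for n in rcpt_arg_lengths(payload)):
        return "long RCPT TO argument: treat as an overflow attempt"
    return "large payload, short RCPT TO argument: likely false positive"


# Constructed payloads (not captured traffic).
# 1. A genuine oversized RCPT TO argument.
ATTACK = b"RCPT TO:<" + b"A" * 1200 + b"@example.com>\r\n"

# 2. A pipelining client whose commands and DATA section reach the sensor
#    as one large chunk (one segment or a reassembled stream): the rule
#    fires, but the recipient itself is ordinary.
BODY = (b"Subject: Re: [Snort-users] libpcap question?\r\n\r\n"
        + b"Quoted alert text: [**] SMTP RCPT TO overflow [**]\r\n"
        + b"x" * 1600 + b"\r\n.\r\n")
LEGIT = (b"MAIL FROM:<sender@example.org>\r\n"
         b"RCPT TO:<drjung@example.net>\r\n"
         b"DATA\r\n" + BODY)

if __name__ == "__main__":
    for name, p in (("attack", ATTACK), ("legit", LEGIT)):
        print(name, len(p), triage(p))
```

The point of the second function is that the alert's own fields cannot tell the two cases apart: both have dsize above the threshold and both contain the matched content. Looking at the length of the actual RCPT TO argument in the captured payload (or enabling packet logging for the rule and reading the command line) is the check that separates an overflow attempt from a large mail that merely contains the command.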



