[Snort-users] Building snort

Jon Urionaguena juriona at ...14264...
Wed May 14 07:51:15 EDT 2008


Hi all,

I am building a high speed IDS system trying to use pfring extensions, 
with libpcap modified. I'm trying to work with unified output format.

Kernel is built ok. New libpcap seems ok too.

When I build snort (downloaded 2.7 and 2.8.1),  I try to make it static 
building against the libpcap.a just generated. All I can see is that the 
resulting binnary does not give any dependence (ldd) against any libpcap.

So I launch it... But the unified file format it generates is wrong 
because it´s full of messages of this kind:

"[**] [116:6:1] (snort_decoder) WARNING: IP dgm len > IP Hdr len! [**]"

Even if we have the option to avoid these messages in snort.conf. I 
guess I get a message for each packet we receive... The logs get 
enormous (50 Mbps link) and without any value.

Any hint?? Any other data I should supply?

On the other side, I have an old snort binnary linked to the modified 
libpcap (that's what ldd says...) that seems to work ok (loads pfring on 
startup and gives normal alerts), but I compiled it before we had the 
pfring change (kernel and new libpcaps)??? It shouldn't work this way.

Building snort is being a strange experience for me, because I get to 
many issues I can not fully understand... The flags I try to pass to 
configure script never seem to do anything... I'm turning crazy.

Thanx in advance,

-- 

Jon 





More information about the Snort-users mailing list