[Snort-users] Building snort
juriona at ...14264...
Wed May 14 07:51:15 EDT 2008
I am building a high speed IDS system trying to use pfring extensions,
with libpcap modified. I'm trying to work with unified output format.
Kernel is built ok. New libpcap seems ok too.
When I build snort (downloaded 2.7 and 2.8.1), I try to make it static
building against the libpcap.a just generated. All I can see is that the
resulting binary does not give any dependence (ldd) against any libpcap.
So I launch it... But the unified file format it generates is wrong
because it's full of messages of this kind:
"[**] [116:6:1] (snort_decoder) WARNING: IP dgm len > IP Hdr len! [**]"
Even if we have the option to avoid these messages in snort.conf. I
guess I get a message for each packet we receive... The logs get
enormous (50 Mbps link) and without any value.
Any hint?? Any other data I should supply?
On the other side, I have an old snort binary linked to the modified
libpcap (that's what ldd says...) that seems to work ok (loads pfring on
startup and gives normal alerts), but I compiled it before we had the
pfring change (kernel and new libpcaps)??? It shouldn't work this way.
Building snort is being a strange experience for me, because I get too
many issues I can not fully understand... The flags I try to pass to
configure script never seem to do anything... I'm turning crazy.
Thanx in advance,
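A quick triage check for the situation described above, added here as an example and not code from the post or from the Snort project: it parses alert headers in the quoted "[**] [gid:sid:rev] msg [**]" format and reports what share of the log comes from the snort_decoder generator (GID 116), which is the class of alert that the Snort 2.x option `config disable_decode_alerts` in snort.conf suppresses. The sample lines are constructed for the example.

```python
import re
from collections import Counter

# Snort alert header: "[**] [gid:sid:rev] (component) message [**]"
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
)
DECODER_GID = 116  # generator id used by snort_decoder alerts


def parse_alert(line):
    """Return (gid, sid, rev, msg) for an alert header line, or None otherwise."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return int(m["gid"]), int(m["sid"]), int(m["rev"]), m["msg"]


def decoder_noise_report(lines):
    """Tally alerts by gid:sid:rev and compute the fraction raised by the decoder."""
    counts = Counter()
    for line in lines:
        parsed = parse_alert(line)
        if parsed:
            gid, sid, rev, _ = parsed
            counts[(gid, sid, rev)] += 1
    total = sum(counts.values())
    decoder = sum(n for (gid, _, _), n in counts.items() if gid == DECODER_GID)
    share = decoder / total if total else 0.0
    return {"total": total, "decoder": decoder, "decoder_share": share, "counts": counts}


# Constructed sample lines in the format quoted in the post (not real captures).
SAMPLE_LINES = [
    "[**] [116:6:1] (snort_decoder) WARNING: IP dgm len > IP Hdr len! [**]",
    "[**] [116:6:1] (snort_decoder) WARNING: IP dgm len > IP Hdr len! [**]",
    "[**] [1:1000001:1] LOCAL constructed test rule [**]",
    "[**] [116:6:1] (snort_decoder) WARNING: IP dgm len > IP Hdr len! [**]",
    "not an alert header line",
    "[**] [116:6:1] (snort_decoder) WARNING: IP dgm len > IP Hdr len! [**]",
]

if __name__ == "__main__":
    report = decoder_noise_report(SAMPLE_LINES)
    for (gid, sid, rev), n in report["counts"].most_common():
        print(f"{gid}:{sid}:{rev}  {n}")
    print(f"decoder share: {report['decoder_share']:.0%} of {report['total']} alerts")
```

A decoder share close to 100% on a real log means the unified output is being filled by decode warnings rather than rule hits, which is the symptom worth confirming before touching the link flags.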