[Snort-users] Building snort
twease at ...1935...
Wed May 14 08:55:00 EDT 2008
This message is actually wrong:
"[**] [116:6:1] (snort_decoder) WARNING: IP dgm len > IP Hdr len! [**]"
It should read that the IP datagram length is greater than the pcap
captured length from the IP header on.
Also, you shouldn't see messages like that in a unified file and I'm not
sure any postprocessor would show the data that way. Sounds like you're
just looking at a text alert file.
Are you specifying a snaplen to snort? If so, remove it. If not, try
logging in tcpdump mode and look at the resulting snort.log.<timestamp>
in Wireshark and see what those packets look like.
Jon Urionaguena wrote:
> Hi all,
> I am building a high speed IDS system trying to use pfring extensions,
> with libpcap modified. I'm trying to work with unified output format.
> Kernel is built ok. New libpcap seems ok too.
> When I build snort (downloaded 2.7 and 2.8.1), I try to make it static
> building against the libpcap.a just generated. All I can see is that the
> resulting binnary does not give any dependence (ldd) against any libpcap.
> So I launch it... But the unified file format it generates is wrong
> because it´s full of messages of this kind:
> "[**] [116:6:1] (snort_decoder) WARNING: IP dgm len > IP Hdr len! [**]"
> Even if we have the option to avoid these messages in snort.conf. I
> guess I get a message for each packet we receive... The logs get
> enormous (50 Mbps link) and without any value.
> Any hint?? Any other data I should supply?
> On the other side, I have an old snort binnary linked to the modified
> libpcap (that's what ldd says...) that seems to work ok (loads pfring on
> startup and gives normal alerts), but I compiled it before we had the
> pfring change (kernel and new libpcaps)??? It shouldn't work this way.
> Building snort is being a strange experience for me, because I get to
> many issues I can not fully understand... The flags I try to pass to
> configure script never seem to do anything... I'm turning crazy.
> Thanx in advance,
More information about the Snort-users