[Snort-users] Building snort

Jon Urionaguena juriona at ...14264...
Wed May 14 09:12:55 EDT 2008


Thanx Todd,

The output I'm using is:

output log_unified: filename snort, limit 9000

Which, in my system, logs text to an alert file, and binary format to 
snort.log. Both files are growing too fast. The alert one is the one I 
can "normally" read (text), that's why I suppose that the origin of this 
warning is the one that makes snort log every packet in the unified 
format. I could be making a big mistake... I will change the output and have a 
look at the logs in a tcpdump format reader (aka Wireshark) and give 
more feedback.

> It should read that the IP datagram length is greater than the pcap 
> captured length from the IP header on.
We have the option "config disable_decode_alerts" set...
Could it be an error with the pf_ring and modified libpcap 
implementation we are using?

> Are you specifying a snaplen to snort?
No, I'm not. The thing is that a 2.7 binary works ok (seems to...) with 
the same config file and same startup options. That's why I'm supposing 
that the error is not in the config, but in the binaries... Maybe a 
compilation option. Don't know any.

Regards,

Jon

Todd Wease wrote:
> Hello Jon,
>
> This message is actually wrong:
>
> "[**] [116:6:1] (snort_decoder) WARNING: IP dgm len > IP Hdr len! [**]"
>
> It should read that the IP datagram length is greater than the pcap
> captured length from the IP header on.
>
> Also, you shouldn't see messages like that in a unified file and I'm not
> sure any postprocessor would show the data that way.  Sounds like you're
> just looking at a text alert file.
>
> Are you specifying a snaplen to snort?  If so, remove it.  If not, try
> logging in tcpdump mode and look at the resulting snort.log.<timestamp>
> in Wireshark and see what those packets look like.
>
> Todd
>
> Jon Urionaguena wrote:
>   
>> Hi all,
>>
>> I am building a high speed IDS system trying to use pfring extensions, 
>> with libpcap modified. I'm trying to work with unified output format.
>>
>> Kernel is built ok. New libpcap seems ok too.
>>
>> When I build snort (downloaded 2.7 and 2.8.1), I try to make it static, 
>> building against the libpcap.a just generated. All I can see is that the 
>> resulting binary does not give any dependence (ldd) against any libpcap.
>>
>> So I launch it... But the unified file format it generates is wrong 
>> because it's full of messages of this kind:
>>
>> "[**] [116:6:1] (snort_decoder) WARNING: IP dgm len > IP Hdr len! [**]"
>>
>> Even if we have the option to avoid these messages in snort.conf. I 
>> guess I get a message for each packet we receive... The logs get 
>> enormous (50 Mbps link) and without any value.
>>
>> Any hint?? Any other data I should supply?
>>
>> On the other side, I have an old snort binary linked to the modified 
>> libpcap (that's what ldd says...) that seems to work ok (loads pfring on 
>> startup and gives normal alerts), but I compiled it before we had the 
>> pfring change (kernel and new libpcaps)??? It shouldn't work this way.
>>
>> Building snort is being a strange experience for me, because I get too 
>> many issues I cannot fully understand... The flags I try to pass to the 
>> configure script never seem to do anything... I'm going crazy.
>>
>> Thanx in advance,
>>
>>     
>
>
>   

-- 

Jon 
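Todd's diagnosis is that the decoder warning really means "IP datagram length greater than the captured length", i.e. packets truncated by the capture path. The check below is an added example, not code from this thread or from Snort: it parses a classic libpcap file (the format snort writes in tcpdump mode) and flags IPv4 frames whose header-declared total length exceeds what was actually captured. `SAMPLE_PCAP` is a constructed in-memory capture and all function names are my own.

```python
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800

def parse_pcap(data):
    """Return (snaplen, [(caplen, origlen, frame_bytes), ...]) from a classic pcap."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        end = "<"                      # file written little-endian
    elif magic == 0xD4C3B2A1:
        end = ">"                      # file written big-endian
    else:
        raise ValueError("not a classic libpcap file")
    # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    _, _, _, _, _, snaplen, linktype = struct.unpack(end + "IHHiIII", data[:24])
    if linktype != 1:
        raise ValueError("only Ethernet (DLT_EN10MB) is handled here")
    off, records = 24, []
    while off + 16 <= len(data):
        _, _, caplen, origlen = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        records.append((caplen, origlen, data[off:off + caplen]))
        off += caplen
    return snaplen, records

def find_truncated_ipv4(data):
    """Flag IPv4 frames whose IP total length exceeds the bytes captured after Ethernet."""
    snaplen, records = parse_pcap(data)
    hits = []
    for idx, (caplen, origlen, pkt) in enumerate(records):
        if caplen < ETH_HDR_LEN + 20 or struct.unpack("!H", pkt[12:14])[0] != ETHERTYPE_IPV4:
            continue
        ip_total_len = struct.unpack("!H", pkt[ETH_HDR_LEN + 2:ETH_HDR_LEN + 4])[0]
        if ip_total_len > caplen - ETH_HDR_LEN:   # the condition behind the decoder warning
            hits.append((idx, caplen, origlen, ip_total_len))
    return snaplen, hits

# --- constructed sample capture (not a real trace) ---
def build_ipv4_frame(total_len, payload_len):
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return eth + ip + b"\x00" * payload_len

def build_pcap(snaplen, frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for origlen, frame in frames:
        cap = frame[:snaplen]           # emulate a capture truncating at snaplen
        out += struct.pack("<IIII", 0, 0, len(cap), origlen) + cap
    return out

SAMPLE_PCAP = build_pcap(96, [(60, build_ipv4_frame(46, 26)),       # fully captured
                              (1514, build_ipv4_frame(1500, 1480))])  # truncated at 96
```

Run against a real `snort.log.<timestamp>`: a hit on nearly every record, with `caplen` pinned at one value, points at a snaplen or capture-path truncation rather than malformed traffic.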




