[Snort-users] Building snort

Todd Wease twease at ...1935...
Wed May 14 10:05:43 EDT 2008


Do you have the following option in your snort.conf:

config enable_decode_oversized_alerts

This should be the option that enables that alert.

Still I'm guessing that something else is wrong.  What kind of OS are
you running on?

Jon Urionaguena wrote:
> Thanx Todd,
> 
> The output I'm using is:
> 
> output log_unified: filename snort, limit 9000
> 
> Which, in my system, logs text to an alert file, and binary format to
> snort.log. Both files are growing too fast. The alert one is the one I
> can "normally" read (text), that's why I suppose that the origin of this
> warning is the one that makes snort log every packet in the unified
> format. I can be in a big mistake... I will change the output and have a
> look at the logs in a tcpdump format reader (aka wireshark) and give
> more feedback.
> 
>> It should read that the IP datagram length is greater than the pcap
>> captured length from the IP header on.
> We have the option "config disable_decode_alerts" set...
> Could it be an error with the pf_ring and modified libpcap
> implementation we are using?
> 
>> Are you specifying a snaplen to snort?
> No, I'm not. The thing is that a 2.7 binary works ok (seems to...) with
> the same config file and same startup options. That's why I'm supposing
> that the error is not in the config, but in the binaries... Maybe a
> compilation option. Don't know any.
> 
> Regards,
> 
> Jon
> 
> Todd Wease wrote:
>> Hello Jon,
>>
>> This message is actually wrong:
>>
>> "[**] [116:6:1] (snort_decoder) WARNING: IP dgm len > IP Hdr len! [**]"
>>
>> It should read that the IP datagram length is greater than the pcap
>> captured length from the IP header on.
>>
>> Also, you shouldn't see messages like that in a unified file and I'm not
>> sure any postprocessor would show the data that way.  Sounds like you're
>> just looking at a text alert file.
>>
>> Are you specifying a snaplen to snort?  If so, remove it.  If not, try
>> logging in tcpdump mode and look at the resulting snort.log.<timestamp>
>> in Wireshark and see what those packets look like.
>>
>> Todd
>>
>> Jon Urionaguena wrote:
>>  
>>> Hi all,
>>>
>>> I am building a high speed IDS system trying to use pfring
>>> extensions, with libpcap modified. I'm trying to work with unified
>>> output format.
>>>
>>> Kernel is built ok. New libpcap seems ok too.
>>>
>>> When I build snort (downloaded 2.7 and 2.8.1),  I try to make it
>>> static building against the libpcap.a just generated. All I can see
>>> is that the resulting binary does not give any dependence (ldd)
>>> against any libpcap.
>>>
>>> So I launch it... But the unified file format it generates is wrong
>>> because it's full of messages of this kind:
>>>
>>> "[**] [116:6:1] (snort_decoder) WARNING: IP dgm len > IP Hdr len! [**]"
>>>
>>> Even if we have the option to avoid these messages in snort.conf. I
>>> guess I get a message for each packet we receive... The logs get
>>> enormous (50 Mbps link) and without any value.
>>>
>>> Any hint?? Any other data I should supply?
>>>
>>> On the other side, I have an old snort binary linked to the modified
>>> libpcap (that's what ldd says...) that seems to work ok (loads pfring
>>> on startup and gives normal alerts), but I compiled it before we had
>>> the pfring change (kernel and new libpcaps)??? It shouldn't work this
>>> way.
>>>
>>> Building snort is being a strange experience for me, because I get too
>>> many issues I can not fully understand... The flags I try to pass to
>>> configure script never seem to do anything... I'm turning crazy.
>>>
>>> Thanx in advance,
>>>
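The decoder condition Todd describes (the IPv4 total length from the header is larger than what pcap actually captured from the IP header on), as an added illustration that is not part of this thread or of Snort's own decoder code; it assumes untagged Ethernet II framing and constructs its own sample frame, then truncates it the way a small snaplen would.

```python
import struct

ETH_HLEN = 14            # Ethernet II header, no VLAN tag (assumption)
ETHERTYPE_IPV4 = 0x0800

def check_ipv4_lengths(frame: bytes, caplen: int) -> dict:
    """Evaluate the condition behind the 116:6 decoder alert as described in
    the thread: is the IPv4 total length larger than the number of bytes pcap
    kept from the start of the IP header?  `caplen` is the pcap record's
    captured length; `frame` holds those captured bytes."""
    if caplen < ETH_HLEN + 20:
        return {"oversized": None, "reason": "capture too short for an IPv4 header"}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        return {"oversized": None, "reason": "not IPv4"}
    ihl = (frame[ETH_HLEN] & 0x0F) * 4                      # header length in bytes
    ip_total_len = struct.unpack("!H", frame[ETH_HLEN + 2:ETH_HLEN + 4])[0]
    ip_captured = caplen - ETH_HLEN                         # datagram bytes actually captured
    return {
        "oversized": ip_total_len > ip_captured,            # datagram claims more than was captured
        "ip_total_len": ip_total_len,
        "ip_captured": ip_captured,
        "ihl": ihl,
    }

def build_frame(payload_len: int) -> bytes:
    """Constructed sample: Ethernet II + minimal IPv4/TCP header + zeroed payload."""
    eth = bytes.fromhex("00112233445566778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + payload_len, 0x1234, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + bytes(payload_len)

def simulate_capture(frame: bytes, snaplen: int) -> dict:
    """Truncate the frame to `snaplen` as a capture library would, then check it."""
    captured = frame[:snaplen]
    return check_ipv4_lengths(captured, len(captured))

if __name__ == "__main__":
    full_frame = build_frame(1480)                          # 1500-byte datagram, 1514-byte frame
    print(simulate_capture(full_frame, 65535))              # oversized: False
    print(simulate_capture(full_frame, 96))                 # oversized: True
```

Every packet on a busy link tripping this check, as in the thread, means the captured length is smaller than the datagram on every record, which is what a small snaplen or a capture path reporting a wrong caplen produces.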