[Snort-users] Building snort

Jon Urionaguena juriona at ...14264...
Wed May 14 10:30:36 EDT 2008


Thanx Todd,

That was all!! I skipped a "config enable" line in the config file. 
This happens because of using a sample file and commenting lines...

Anyway, the same config file with another snort binary didn't show 
so many warnings!! Why could that happen?

The system is a Debian Etch amd64 running on a Dual Core Xeon 1.6 GHz 
(Dell PE2950), 4 GB RAM and an Intel Pro/1000 PT card sniffing all the 
traffic (4 links of 1Gbps spanned (Cisco) to one).

Regards,

Jon

Todd Wease wrote:
> Do you have the following option in your snort.conf:
>
> config enable_decode_oversized_alerts
>
> This should be the option that enables that alert.
>
> Still I'm guessing that something else is wrong.  What kind of OS are
> you running on?
>
> Jon Urionaguena wrote:
>   
>> Thanx Todd,
>>
>> The output I'm using is:
>>
>> output log_unified: filename snort, limit 9000
>>
>> Which, in my system, logs text to an alert file, and binary format to
>> snort.log. Both files are growing too fast. The alert one is the one I
>> can "normally" read (text), that's why I suppose that the origin of this
>> warning is the one that makes snort log every packet in the unified
>> format. I could be quite mistaken... I will change the output and have a
>> look at the logs in a tcpdump format reader (aka Wireshark) and give
>> more feedback.
>>
>>> It should read that the IP datagram length is greater than the pcap
>>> captured length from the IP header on.
>>
>> We have the option "config disable_decode_alerts" set...
>> Could it be an error with the pf_ring and modified libpcap
>> implementation we are using?
>>
>>> Are you specifying a snaplen to snort?
>> No, I'm not. The thing is that a 2.7 binary works ok (seems to...) with
>> the same config file and same startup options. That's why I'm supposing
>> that the error is not in the config, but in the binaries... Maybe a
>> compilation option. I don't know any.
>>
>> Regards,
>>
>> Jon
>>
>> Todd Wease wrote:
>>> Hello Jon,
>>>
>>> This message is actually wrong:
>>>
>>> "[**] [116:6:1] (snort_decoder) WARNING: IP dgm len > IP Hdr len! [**]"
>>>
>>> It should read that the IP datagram length is greater than the pcap
>>> captured length from the IP header on.
>>>
>>> Also, you shouldn't see messages like that in a unified file and I'm not
>>> sure any postprocessor would show the data that way.  Sounds like you're
>>> just looking at a text alert file.
>>>
>>> Are you specifying a snaplen to snort?  If so, remove it.  If not, try
>>> logging in tcpdump mode and look at the resulting snort.log.<timestamp>
>>> in Wireshark and see what those packets look like.
>>>
>>> Todd
>>>
>>> Jon Urionaguena wrote:
>>>> Hi all,
>>>>
>>>> I am building a high speed IDS system trying to use pfring
>>>> extensions, with libpcap modified. I'm trying to work with unified
>>>> output format.
>>>>
>>>> Kernel is built ok. New libpcap seems ok too.
>>>>
>>>> When I build snort (downloaded 2.7 and 2.8.1), I try to make it
>>>> static, building against the libpcap.a just generated. All I can see
>>>> is that the resulting binary does not show any dependency (ldd)
>>>> on any libpcap.
>>>>
>>>> So I launch it... But the unified file format it generates is wrong
>>>> because it's full of messages of this kind:
>>>>
>>>> "[**] [116:6:1] (snort_decoder) WARNING: IP dgm len > IP Hdr len! [**]"
>>>>
>>>> Even though we have the option to avoid these messages set in snort.conf. I
>>>> guess I get a message for each packet we receive... The logs get
>>>> enormous (50 Mbps link) and are of no value.
>>>>
>>>> Any hint?? Any other data I should supply?
>>>>
>>>> On the other hand, I have an old snort binary linked to the modified
>>>> libpcap (that's what ldd says...) that seems to work ok (loads pfring
>>>> on startup and gives normal alerts), but I compiled it before we had
>>>> the pfring change (kernel and new libpcaps)??? It shouldn't work this
>>>> way.
>>>>
>>>> Building snort is being a strange experience for me, because I run into
>>>> too many issues I can not fully understand... The flags I try to pass to
>>>> the configure script never seem to do anything... I'm going crazy.
>>>>
>>>> Thanx in advance,
>>>>

-- 

Jon 
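Todd's advice above is to log in tcpdump mode and open the resulting snort.log.<timestamp> in Wireshark to see whether the packets really are cut short. The script below performs that same check offline over a pcap file: for each IPv4 record it compares the IP total-length field against the number of bytes actually captured from the IP header onward, which is the condition Todd says decoder alert 116:6 reports (despite its misleading "IP dgm len > IP Hdr len" text). This is an added example, not code from this thread or from the Snort project; the capture it inspects is constructed inline (three UDP/IPv4 frames written at a chosen snaplen) and the function names are my own.

```python
import os
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4      # classic libpcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPV4_HDR_LEN = 20


def ipv4_frame(payload_len):
    """Ethernet + minimal IPv4 (UDP) header + payload. The IP total-length
    field is honest, so any shortfall later comes from the capture, not the packet."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45,                        # version 4, IHL 5
                     0,                           # TOS
                     IPV4_HDR_LEN + payload_len,  # total length
                     0, 0,                        # id, flags/fragment offset
                     64, 17,                      # TTL, protocol UDP
                     0,                           # checksum (not validated here)
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + b"A" * payload_len


def write_pcap(path, frames, snaplen):
    """Write frames as a pcap file, truncating each record to snaplen the way
    a capture with that snaplen would (caplen < wire length for long frames)."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0,
                            snaplen, LINKTYPE_ETHERNET))
        for frame in frames:
            caplen = min(len(frame), snaplen)
            f.write(struct.pack("<IIII", 0, 0, caplen, len(frame)))
            f.write(frame[:caplen])


def oversized_datagrams(path):
    """Return (record_no, ip_total_len, captured_from_ip_hdr) for every IPv4
    record whose IP total length exceeds the bytes actually captured from the
    IP header onward: the condition Todd describes for decoder alert 116:6."""
    hits = []
    with open(path, "rb") as f:
        magic, = struct.unpack("<I", f.read(24)[:4])
        if magic != PCAP_MAGIC:
            raise ValueError("not a little-endian classic pcap file")
        record_no = 0
        while True:
            rec_hdr = f.read(16)
            if len(rec_hdr) < 16:
                break
            _, _, caplen, _wirelen = struct.unpack("<IIII", rec_hdr)
            data = f.read(caplen)
            record_no += 1
            if len(data) < ETH_HDR_LEN + IPV4_HDR_LEN:
                continue            # too short to even read the IP length field
            ethertype, = struct.unpack("!H", data[12:14])
            if ethertype != ETHERTYPE_IPV4:
                continue
            ip_total_len, = struct.unpack("!H", data[ETH_HDR_LEN + 2:ETH_HDR_LEN + 4])
            captured_from_ip = caplen - ETH_HDR_LEN
            if ip_total_len > captured_from_ip:
                hits.append((record_no, ip_total_len, captured_from_ip))
    return hits


def demo(snaplen):
    """Constructed capture: three frames of 74, 234 and 1434 bytes on the wire,
    recorded at the given snaplen, then checked for truncated datagrams."""
    frames = [ipv4_frame(40), ipv4_frame(200), ipv4_frame(1400)]
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "snort.log.example")
        write_pcap(path, frames, snaplen)
        return oversized_datagrams(path)


if __name__ == "__main__":
    print("snaplen 96    ->", demo(96))     # the two frames longer than 96 bytes
    print("snaplen 65535 ->", demo(65535))  # nothing truncated, nothing flagged
```

To check a real tcpdump-mode log, call oversized_datagrams() on the snort.log file instead of demo(). If nearly every full-sized packet comes back flagged with the same captured length, the capture path (the pf_ring-modified libpcap in Jon's case) is truncating at that length whatever snaplen snort thinks it requested, which is the kind of thing Todd's snaplen question is aimed at; if nothing is flagged, the alerts are coming from somewhere else.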