[Snort-users] Snort on Leopard 10.5.4...getting there

James Lay jlay at ...13475...
Sat Sep 13 14:26:07 EDT 2008

On 9/13/08 10:59 AM, "Martin Roesch" <mroesch at ...1935...> wrote:

> What's the command line and snort.conf file you're using with Snort
> when it errors out?  If you look in the BUGS file that comes with the
> source distro you'll see all the info we need and where to send it to
> diagnose your problem.
> 
> Marty
> 
> On Sat, Sep 13, 2008 at 9:56 AM, James Lay <jlay at ...13475...> wrote:
>> So I've got snort 2.8.3 running right now on Leo 10.5.4 (YaY).  Dynamic
>> preprocessors tank with a Bus Error however.  Who do I send the crash log
>> to?  Also, does anyone have a good plist startup file for snort on OS X?
>>  Everything works but the filter option (example:  "ip and not host bleh")
>> doesn't seem to get passed correctly to snort:
>> 
>> Sep  9 19:51:30 slave-tothe-box snort[346]: FATAL ERROR: OpenPcap() FSM
>> compilation failed: \n        illegal token: "\nPCAP command: "ip and not
>> port 21746"
>> 
>> Of course, running command line it works just fine (have I mentioned how
>> much I loathe launchd?).
>> 
>> Danke folks
>> 
>> James

The command line is:

/usr/snort/bin/snort -i ppp0 -D -u nobody -g nobody -o -c /usr/snort/etc/snort/snort.conf -l /usr/snort/var/log "ip and not port 21746"

I used Lingon to create a .plist file and after removing the ""'s from the
filter it works now.  This changed from:

        <string>/usr/snort/var/log</string>
        <string>"ip</string>
        <string>and</string>
        <string>not</string>
        <string>port</string>
        <string>21746"</string>
    </array>

To

        <string>ip and not port 21746</string>
    </array>

This works fine now.

As for the snort.conf, I had to comment out all the dynamic preprocessor
jazz to get it to run without a Bus Error:

#dynamicpreprocessor directory /usr/snort/lib/snort_dynamicpreprocessor/
#dynamicengine /usr/snort/lib/snort_dynamicengine/libsf_engine.dylib
#dynamicdetection directory /usr/snort/lib/snort_dynamicrule/

and the dns, smtp, dce, and telnet/ftp dynamic preprocessors.  Once that was
done it came up with no error.  I'll look through the BUGS and send along,
but here's some of the info from the crash file:

Process:         snort [72780]
Path:            /usr/snort/bin/snort
Identifier:      snort
Version:         ??? (???)
Code Type:       PPC (Native)
Parent Process:  bash [71934]

Exception Type:  EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000000
Crashed Thread:  0

Thread 0 Crashed:
0   ???                               0000000000 0 + 0
1   libsf_ssl_preproc.0.0.0.dylib     0x022c27d0 InitializePreprocessor + 432
2   snort                             0x0004d194 InitDynamicPreprocessorPlugins + 84
3   snort                             0x0004d50c InitDynamicPreprocessors + 588
4   snort                             0x0001da84 SnortMain + 2276
5   snort                             0x000024b4 start + 68
6   ???                               0000000000 0 + 0

Thanks Marty,

James
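The quoting problem in this thread comes down to one fact about launchd: each <string> in ProgramArguments is handed to the program as one argv element exactly as written, with no shell in between to strip quotes. The script below is an added example (not part of the post or of Snort) that splits the poster's command line two ways, whitespace-only versus shell rules, renders each as a launchd job with plistlib, and reconstructs the filter string Snort would hand to pcap. The label org.snort.example, the set of Snort options treated as taking a value, and the assumption that Snort joins all leftover non-option arguments with spaces to form its BPF filter are assumptions made for this example, consistent with the FATAL ERROR text quoted above.

```python
"""Why '"ip ... 21746"' as separate plist strings breaks Snort's pcap filter.

launchd executes ProgramArguments directly (execv-style); quote characters
inside a <string> are passed through literally, unlike on a shell command line.
"""
import plistlib
import shlex

# The command line from the post, as typed into a shell.
SNORT_CMDLINE = ('/usr/snort/bin/snort -i ppp0 -D -u nobody -g nobody -o '
                 '-c /usr/snort/etc/snort/snort.conf -l /usr/snort/var/log '
                 '"ip and not port 21746"')

# Options on this particular line that consume the next argument.
# ASSUMPTION: a subset sufficient for the example, not Snort's full option table.
OPTS_WITH_VALUE = {"-i", "-u", "-g", "-c", "-l"}


def naive_split(cmdline):
    """Whitespace split that keeps quote characters: what a GUI plist editor
    produces if it does not apply shell quoting rules to the pasted line."""
    return cmdline.split()


def shell_split(cmdline):
    """Split the way /bin/sh would, removing the quotes and keeping the
    quoted filter as a single argument."""
    return shlex.split(cmdline)


def to_plist(argv, label="org.snort.example"):
    """Render a minimal launchd job definition (label is an assumed value)."""
    job = {"Label": label, "ProgramArguments": argv, "RunAtLoad": True}
    return plistlib.dumps(job).decode()


def bpf_filter_from_argv(argv):
    """Emulate how Snort derives its pcap filter from argv.

    ASSUMPTION: every non-option argument left after option parsing is joined
    with single spaces into the filter expression passed to pcap_compile().
    """
    rest = []
    args = iter(argv[1:])  # skip argv[0], the program path
    for arg in args:
        if arg in OPTS_WITH_VALUE:
            next(args, None)  # discard the option's value
        elif arg.startswith("-"):
            continue  # flag without a value (-D, -o)
        else:
            rest.append(arg)
    return " ".join(rest)


def check_program_arguments(argv):
    """Return findings for ProgramArguments elements that will not behave as
    the equivalent shell line would, because launchd does no quote removal."""
    findings = []
    for i, arg in enumerate(argv):
        if any(q in arg for q in "\"'"):
            findings.append(
                f"argv[{i}]={arg!r}: literal quote character reaches the program"
            )
    return findings


def main():
    for name, splitter in (("naive", naive_split), ("shell", shell_split)):
        argv = splitter(SNORT_CMDLINE)
        print(f"--- {name} split ---")
        print(to_plist(argv))
        print("BPF filter Snort would compile:",
              repr(bpf_filter_from_argv(argv)))
        for finding in check_program_arguments(argv):
            print("WARNING:", finding)


if __name__ == "__main__":
    main()
```

Running it shows the naive split yielding the filter `"ip and not port 21746"` with the double quotes still embedded, which is exactly the string in the quoted "illegal token" error, while the shell-style split yields a single `<string>ip and not port 21746</string>` element and a clean filter. The check function is the kind of lint worth running over any hand-written ProgramArguments array before loading it.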