[Snort-users] Snort 2.9.0 Now Available

Russ Combs rcombs at ...1935...
Tue Oct 5 08:32:17 EDT 2010

On Mon, Oct 4, 2010 at 10:52 PM, waldo kitty <wkitty42 at ...14940...> wrote:

> On 10/4/2010 21:49, Russ Combs wrote:
> >      > * Snort no longer depends on libnet and uses libdnet instead.
> >
> >     yeah, that really means nothing to this poor code jockey other than yet another
> >     lib to figure out how to install and get compiled in my environment... i can
> >     only imagine what the corporate side maintainers are going to face... they have
> >     basically the same things to deal with that i do... i just have the chance to be
> >     a step or three ahead of them and make my releases as mods to the official
> >     release of the total package...
> >
> > FWIW, libnet is obsolete and increasingly hard to find.  dnet makes things
> > easier in that regard.
> i don't know, because i've not gone looking, if our environment even uses
> libnet, TBH... we're using GCC 3.3.5 and glibc 2.3.2 if that means anything...
> [time passes]
> the only libnet i find anywhere in our basic source directories seems to be
> win32 related for some package(s) we use that support that environment... since
> we're a *nix based environment, that one doesn't do us any good...

libnet is a library.  You may have installed it from a binary package or
built it from a source package but it is not part of the Snort source tree.

> [trim]
> >     AFAIK, we don't use DAQ in our setup... pcap seems to be what we use but i've
> >     not dug into the code to determine that... our official releases do not use any
> >     compile time options at all... then again, our FOSS stuff is aimed at those
> >     machines that everyone is throwing away because they don't think they have any
> >     use left in them... sheesh, we're pulling P4's out of the dumpsters these
> >     days... with 1+Gig of RAM and "huge" HDs where we only need ~10G of HD space...
> >
> > With 2.9.0, you *must* use the DAQ.  By default, you will wind up using a pcap
> > DAQ, but the DAQ is a separate package that must be installed.  This is new for
> > 2.9.0.
> ugh! when does the madness end? :lol: i'll have to see if i can hunt up the
> archive for that... hopefully it is available at
> www.snort.org/ports/snort-current/

You can find it here, along with Snort:

> > Also, the NFQ and IPQ DAQs require libdnet, but so does Snort 2.9.0.
> this begs the question of why DAQ wasn't included in the 2.9.0 archive so that
> one only need grab that one archive, untar it and DAQ be available in the 2.9.0
> source tree... it sure would make things a *lot* easier :?

It would make things a tad easier for Snort installs but the DAQ is a
generic solution to packet acquisition problems and is packaged separately
so that it may find a life of its own.

> this release really should be 3.something instead of 2.9 with changes like
> these... but all we can do is either keep trying to move forward or dump snort
> in the bitbucket and find something else :? that's not my call so all i can do
> is try to keep beating snort into submission in my environment... it may very
> well turn out that it gets dumped if we can't get 2.9.0 working and especially
> if the rules updates get EOLed and leave our users with no rules to use...

If you want to roll your own, I recommend you start with the DAQ ...  :)
