[Snort-users] [Snort-Users] Several problems with snort 2.9.1.2 under OpenBSD 5.0

Joel Esler jesler at ...1935...
Sat Nov 5 17:14:42 EDT 2011


I've forwarded this to the bugs team.

J

On Nov 5, 2011, at 4:35 PM, carlopmart wrote:

> Hi all,
> 
> I am trying to install snort 2.9.1.2 on an OpenBSD 5.0 server, but there are several problems. First, during compilation, the console displays a lot of errors, but the most common is:
> 
> *** Warning: This system can not link to static lib archive /opt/soft/daq/lib/libdaq_static.la.
> *** I have the capability to make that library automatically link in when
> *** you link to this library.  But I can only do this if you have a
> *** shared version of the library, which you do not appear to have.
> *** But as you try to build a module library, libtool will still create
> *** a static module, that should work as long as the dlopening application
> *** is linked with the -dlopen flag to resolve symbols at runtime.
> 
> .. and others like this on every preprocessor:
> 
> In file included from ../include/sf_ip.h:36,
>                 from ../include/sfPolicy.h:24,
>                 from ../include/sfPolicyUserData.c:27:
> /usr/include/arpa/inet.h:74: warning: 'struct in_addr' declared inside parameter list
> /usr/include/arpa/inet.h:74: warning: its scope is only this definition or declaration, which is probably not what you want
> /usr/include/arpa/inet.h:75: warning: 'struct in_addr' declared inside parameter list
> 
> After that, and trying a minimal configuration, some preprocessors are disabled due to problems with the compilation process:
> 
> 
> snort[15646]: FATAL ERROR: /opt/config/etc/snort-common/snort.conf(64) Unknown preprocessor: "ftp_telnet".
> 
> snort[8522]: FATAL ERROR: /opt/config/etc/snort-common/snort.conf(140) Unknown preprocessor: "smtp".
> 
> snort[23671]: FATAL ERROR: /opt/config/etc/snort-common/snort.conf(148) Unknown preprocessor: "ssh".
> 
> snort[29740]: FATAL ERROR: /opt/config/etc/snort-prod/prod_ids.conf(93) Unknown preprocessor: "ssl".
> 
> snort[29740]: FATAL ERROR: /opt/config/etc/snort-prod/prod_ids.conf(93) Unknown preprocessor: "dcerpc2"
> 
> ... and others, like the dns preprocessor, too ...
> 
> After disabling all these preprocessors, and all associated rules, it seems that everything works (with only 10 rules):
> 
> Nov  5 20:32:40 eorlingas snort[31702]: Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log
> Nov  5 20:32:40 eorlingas snort[31702]: Verifying Preprocessor Configurations!
> Nov  5 20:32:40 eorlingas snort[31702]: ICMP tracking disabled, no ICMP sessions allocated
> Nov  5 20:32:40 eorlingas snort[31702]:
> Nov  5 20:32:40 eorlingas snort[31702]: [ Port Based Pattern Matching Memory ]
> Nov  5 20:32:40 eorlingas snort[31702]: +- [ Aho-Corasick Summary ] -------------------------------------
> Nov  5 20:32:40 eorlingas snort[31702]: | Storage Format    : Full-Q
> Nov  5 20:32:40 eorlingas snort[31702]: | Finite Automaton  : DFA
> Nov  5 20:32:40 eorlingas snort[31702]: | Alphabet Size     : 256 Chars
> Nov  5 20:32:40 eorlingas snort[31702]: | Sizeof State      : Variable (1,2,4 bytes)
> Nov  5 20:32:40 eorlingas snort[31702]: | Instances         : 6
> Nov  5 20:32:40 eorlingas snort[31702]: |     1 byte states : 6
> Nov  5 20:32:40 eorlingas snort[31702]: |     2 byte states : 0
> Nov  5 20:32:40 eorlingas snort[31702]: |     4 byte states : 0
> Nov  5 20:32:40 eorlingas snort[31702]: | Characters        : 239
> Nov  5 20:32:40 eorlingas snort[31702]: | States            : 223
> Nov  5 20:32:40 eorlingas snort[31702]: | Transitions       : 1022
> Nov  5 20:32:40 eorlingas snort[31702]: | State Density     : 1.8%
> Nov  5 20:32:40 eorlingas snort[31702]: | Patterns          : 15
> Nov  5 20:32:40 eorlingas snort[31702]: | Match States      : 14
> Nov  5 20:32:40 eorlingas snort[31702]: | Memory (KB)       : 71.27
> Nov  5 20:32:40 eorlingas snort[31702]: |   Pattern         : 1.17
> Nov  5 20:32:40 eorlingas snort[31702]: |   Match Lists     : 1.66
> Nov  5 20:32:40 eorlingas snort[31702]: |   DFA
> Nov  5 20:32:40 eorlingas snort[31702]: |     1 byte states : 57.06
> Nov  5 20:32:40 eorlingas snort[31702]: |     2 byte states : 0.00
> Nov  5 20:32:40 eorlingas snort[31702]: |     4 byte states : 0.00
> Nov  5 20:32:40 eorlingas snort[31702]: +----------------------------------------------------------------
> Nov  5 20:32:40 eorlingas snort[31702]: [ Number of patterns truncated to 20 bytes: 3 ]
> Nov  5 20:32:40 eorlingas snort[31702]:
> Nov  5 20:32:40 eorlingas snort[31702]: Packet Performance Monitor Config:
> Nov  5 20:32:40 eorlingas snort[31702]:   ticks per usec  : 2217 ticks
> Nov  5 20:32:40 eorlingas snort[31702]:   max packet time : 10000 usecs
> Nov  5 20:32:40 eorlingas snort[31702]:   packet action   :
> Nov  5 20:32:40 eorlingas snort[31702]: fastpath-expensive-packets
> Nov  5 20:32:40 eorlingas snort[31702]:   packet logging  : log
> Nov  5 20:32:40 eorlingas snort[31702]:   debug-pkts      : disabled
> Nov  5 20:32:40 eorlingas snort[31702]: pcap DAQ configured to passive.
> Nov  5 20:32:40 eorlingas snort[31702]: Acquiring network traffic from "em9".
> Nov  5 20:32:40 eorlingas snort[31702]: Initializing daemon mode
> Nov  5 20:32:40 eorlingas snort[29023]: Daemon initialized, signaled parent pid: 31702
> Nov  5 20:32:40 eorlingas snort[29023]: Reload thread starting...
> Nov  5 20:32:40 eorlingas snort[29023]: Reload thread started, thread 0x87cd8800 (29023)
> Nov  5 20:32:40 eorlingas snort[29023]: Attribute Table Reload Thread Starting...
> Nov  5 20:32:40 eorlingas snort[29023]: Attribute Table Reload Thread Started, thread 0x8929cc00 (29023)
> Nov  5 20:32:40 eorlingas snort[29023]: Decoding Ethernet
> Nov  5 20:32:40 eorlingas snort[29023]: Checking PID path...
> Nov  5 20:32:40 eorlingas snort[29023]: PID path stat checked out ok, PID path set to /var/run/
> Nov  5 20:32:40 eorlingas snort[29023]: Writing PID "29023" to file "/var/run//snort_em9.pid"
> 
> 
> 
> Nov  5 20:32:48 eorlingas snort[29023]:
> Nov  5 20:32:48 eorlingas snort[29023]:         --== Initialization Complete ==--
> Nov  5 20:32:48 eorlingas snort[29023]: Commencing packet processing (pid=29023)
> 
> .. But it is really hard to work with these few preprocessors ... What snort version works well with OpenBSD??
> 
> Thanks.
> 
> 
> -- 
> CL Martinez
> carlopmart {at} gmail {d0t} com
> 