[Snort-users] [Snort-Users] Several problems with snort 2.9.1.2 under OpenBSD 5.0

Joel Esler jesler at ...1935...
Sat Nov 5 17:30:48 EDT 2011


Did you read doc/INSTALL and the notes related to OpenBSD and loading the correct preprocessor libraries? The .so's don't get created the same way they do on Linux, and there are notes related to that.

We haven't tested Snort 2.9.x on OpenBSD 5.0, as that was just released earlier this week (Nov 1). Official testing on 2.9.1 was on OpenBSD 4.8 and 2.9.2 is on OpenBSD 4.9.

J

On Nov 5, 2011, at 4:35 PM, carlopmart wrote:

> Hi all,
> 
> I am trying to install snort 2.9.1.2 under an OpenBSD 5.0 server, but several problems exist. First, during compilation, the console displays a lot of errors, but the most common is:
> 
> *** Warning: This system can not link to static lib archive /opt/soft/daq/lib/libdaq_static.la.
> *** I have the capability to make that library automatically link in when
> *** you link to this library.  But I can only do this if you have a
> *** shared version of the library, which you do not appear to have.
> *** But as you try to build a module library, libtool will still create
> *** a static module, that should work as long as the dlopening application
> *** is linked with the -dlopen flag to resolve symbols at runtime.
> 
> .. and others like this on every preprocessor:
> 
> In file included from ../include/sf_ip.h:36,
>                 from ../include/sfPolicy.h:24,
>                 from ../include/sfPolicyUserData.c:27:
> /usr/include/arpa/inet.h:74: warning: 'struct in_addr' declared inside parameter list
> /usr/include/arpa/inet.h:74: warning: its scope is only this definition or declaration, which is probably not what you want
> /usr/include/arpa/inet.h:75: warning: 'struct in_addr' declared inside parameter list
> 
> After that, and trying a minimal configuration, some preprocessors are disabled due to problems with the compilation process:
> 
> 
> snort[15646]: FATAL ERROR: /opt/config/etc/snort-common/snort.conf(64) Unknown preprocessor: "ftp_telnet".
> 
> snort[8522]: FATAL ERROR: /opt/config/etc/snort-common/snort.conf(140) Unknown preprocessor: "smtp".
> 
> snort[23671]: FATAL ERROR: /opt/config/etc/snort-common/snort.conf(148) Unknown preprocessor: "ssh".
> 
> snort[29740]: FATAL ERROR: /opt/config/etc/snort-prod/prod_ids.conf(93) Unknown preprocessor: "ssl".
> 
> snort[29740]: FATAL ERROR: /opt/config/etc/snort-prod/prod_ids.conf(93) Unknown preprocessor: "dcerpc2"
> 
> ... and others like dns preprocessor, too ...
> 
> After disabling all these preprocessors, and all associated rules, it seems that all works (only with 10 rules):
> 
> Nov  5 20:32:40 eorlingas snort[31702]: Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log
> Nov  5 20:32:40 eorlingas snort[31702]: Verifying Preprocessor Configurations!
> Nov  5 20:32:40 eorlingas snort[31702]: ICMP tracking disabled, no ICMP sessions allocated
> Nov  5 20:32:40 eorlingas snort[31702]:
> Nov  5 20:32:40 eorlingas snort[31702]: [ Port Based Pattern Matching Memory ]
> Nov  5 20:32:40 eorlingas snort[31702]: +- [ Aho-Corasick Summary ] -------------------------------------
> Nov  5 20:32:40 eorlingas snort[31702]: | Storage Format    : Full-Q
> Nov  5 20:32:40 eorlingas snort[31702]: | Finite Automaton  : DFA
> Nov  5 20:32:40 eorlingas snort[31702]: | Alphabet Size     : 256 Chars
> Nov  5 20:32:40 eorlingas snort[31702]: | Sizeof State      : Variable (1,2,4 bytes)
> Nov  5 20:32:40 eorlingas snort[31702]: | Instances         : 6
> Nov  5 20:32:40 eorlingas snort[31702]: |     1 byte states : 6
> Nov  5 20:32:40 eorlingas snort[31702]: |     2 byte states : 0
> Nov  5 20:32:40 eorlingas snort[31702]: |     4 byte states : 0
> Nov  5 20:32:40 eorlingas snort[31702]: | Characters        : 239
> Nov  5 20:32:40 eorlingas snort[31702]: | States            : 223
> Nov  5 20:32:40 eorlingas snort[31702]: | Transitions       : 1022
> Nov  5 20:32:40 eorlingas snort[31702]: | State Density     : 1.8%
> Nov  5 20:32:40 eorlingas snort[31702]: | Patterns          : 15
> Nov  5 20:32:40 eorlingas snort[31702]: | Match States      : 14
> Nov  5 20:32:40 eorlingas snort[31702]: | Memory (KB)       : 71.27
> Nov  5 20:32:40 eorlingas snort[31702]: |   Pattern         : 1.17
> Nov  5 20:32:40 eorlingas snort[31702]: |   Match Lists     : 1.66
> Nov  5 20:32:40 eorlingas snort[31702]: |   DFA
> Nov  5 20:32:40 eorlingas snort[31702]: |     1 byte states : 57.06
> Nov  5 20:32:40 eorlingas snort[31702]: |     2 byte states : 0.00
> Nov  5 20:32:40 eorlingas snort[31702]: |     4 byte states : 0.00
> Nov  5 20:32:40 eorlingas snort[31702]: +----------------------------------------------------------------
> Nov  5 20:32:40 eorlingas snort[31702]: [ Number of patterns truncated to 20 bytes: 3 ]
> Nov  5 20:32:40 eorlingas snort[31702]:
> Nov  5 20:32:40 eorlingas snort[31702]: Packet Performance Monitor Config:
> Nov  5 20:32:40 eorlingas snort[31702]:   ticks per usec  : 2217 ticks
> Nov  5 20:32:40 eorlingas snort[31702]:   max packet time : 10000 usecs
> Nov  5 20:32:40 eorlingas snort[31702]:   packet action   :
> Nov  5 20:32:40 eorlingas snort[31702]: fastpath-expensive-packets
> Nov  5 20:32:40 eorlingas snort[31702]:   packet logging  : log
> Nov  5 20:32:40 eorlingas snort[31702]:   debug-pkts      : disabled
> Nov  5 20:32:40 eorlingas snort[31702]: pcap DAQ configured to passive.
> Nov  5 20:32:40 eorlingas snort[31702]: Acquiring network traffic from "em9".
> Nov  5 20:32:40 eorlingas snort[31702]: Initializing daemon mode
> Nov  5 20:32:40 eorlingas snort[29023]: Daemon initialized, signaled parent pid: 31702
> Nov  5 20:32:40 eorlingas snort[29023]: Reload thread starting...
> Nov  5 20:32:40 eorlingas snort[29023]: Reload thread started, thread 0x87cd8800 (29023)
> Nov  5 20:32:40 eorlingas snort[29023]: Attribute Table Reload Thread Starting...
> Nov  5 20:32:40 eorlingas snort[29023]: Attribute Table Reload Thread Started, thread 0x8929cc00 (29023)
> Nov  5 20:32:40 eorlingas snort[29023]: Decoding Ethernet
> Nov  5 20:32:40 eorlingas snort[29023]: Checking PID path...
> Nov  5 20:32:40 eorlingas snort[29023]: PID path stat checked out ok, PID path set to /var/run/
> Nov  5 20:32:40 eorlingas snort[29023]: Writing PID "29023" to file "/var/run//snort_em9.pid"
> 
> 
> 
> Nov  5 20:32:48 eorlingas snort[29023]:
> Nov  5 20:32:48 eorlingas snort[29023]:         --== Initialization Complete ==--
> Nov  5 20:32:48 eorlingas snort[29023]: Commencing packet processing (pid=29023)
> 
> .. But it is really hard to work with these few preprocessors ... What snort version works well with OpenBSD??
> 
> Thanks.
> 
> 
> -- 
> CL Martinez
> carlopmart {at} gmail {d0t} com
> 
> -- 
> To post to this group, send email to snortusers at ...14071...
> 
> 
> Please visit http://blog.snort.org for the latest news about Snort!
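The "Unknown preprocessor" fatal errors quoted above are what Snort 2.9.x reports when snort.conf names a dynamic preprocessor whose shared object was never built (or is not in the configured `dynamicpreprocessor directory`). The following POSIX sh script is an added example, not code from this thread or from the Snort project: it cross-checks every `preprocessor` directive in a configuration against the library directory so the gaps show up before the sensor is started. The keyword-to-library mapping (for example `ftp_telnet` to `libsf_ftptelnet_preproc.so`) is an assumption based on Snort 2.9.x file names and should be verified against your own build; the configuration and library directory it runs on are constructed inline.

```shell
#!/bin/sh
# Added example: audit snort.conf preprocessor directives against the
# dynamic preprocessor libraries that actually exist on disk.

# Assumed mapping from preprocessor keyword to Snort 2.9.x shared object name.
# Empty output means the keyword is a built-in preprocessor (frag3, stream5,
# http_inspect, ...) or one this example does not know about.
lib_for_preproc() {
    case "$1" in
        ftp_telnet|ftp_telnet_protocol) echo "libsf_ftptelnet_preproc.so" ;;
        smtp)    echo "libsf_smtp_preproc.so" ;;
        ssh)     echo "libsf_ssh_preproc.so" ;;
        ssl)     echo "libsf_ssl_preproc.so" ;;
        dcerpc2) echo "libsf_dce2_preproc.so" ;;
        dns)     echo "libsf_dns_preproc.so" ;;
        *)       echo "" ;;
    esac
}

# Read the "dynamicpreprocessor directory <path>" directive from a snort.conf.
dynamic_dir() {
    sed -n 's/^[[:space:]]*dynamicpreprocessor[[:space:]]*directory[[:space:]]*//p' "$1" | head -n 1
}

# Print one "line:name:status" record per preprocessor directive.
# status is builtin, ok (library present) or MISSING (Snort would abort with
# "Unknown preprocessor" at that line). Second argument overrides the libdir.
check_preprocessors() {
    conf="$1"
    libdir="${2:-$(dynamic_dir "$conf")}"
    grep -n '^[[:space:]]*preprocessor[[:space:]]' "$conf" | while IFS= read -r entry; do
        lineno=${entry%%:*}
        rest=${entry#*:}
        # keyword is the first token after "preprocessor", up to ':' or whitespace
        name=$(printf '%s\n' "$rest" | sed -e 's/^[[:space:]]*preprocessor[[:space:]]*//' -e 's/[[:space:]:].*$//')
        lib=$(lib_for_preproc "$name")
        if [ -z "$lib" ]; then
            status=builtin
        elif [ -f "$libdir/$lib" ]; then
            status=ok
        else
            status=MISSING
        fi
        printf '%s:%s:%s\n' "$lineno" "$name" "$status"
    done
}

# Number of directives Snort would reject; prints 0 when the config is clean.
count_missing() {
    check_preprocessors "$1" "$2" | grep -c ':MISSING$' || true
}

# Constructed fixture (not a real deployment): a minimal snort.conf plus a
# library directory in which only the smtp preprocessor was built. Prints its path.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/lib"
    : > "$dir/lib/libsf_smtp_preproc.so"
    cat > "$dir/snort.conf" <<EOF
# constructed sample configuration
dynamicpreprocessor directory $dir/lib
preprocessor frag3_global: max_frags 65536
preprocessor stream5_global: track_tcp yes
preprocessor ftp_telnet: global inspection_type stateful
preprocessor smtp: ports { 25 }
preprocessor ssh: server_ports { 22 }
preprocessor dcerpc2
EOF
    echo "$dir"
}

# Stand-alone run: report the fixture, then clean up.
fixture=$(make_fixture)
check_preprocessors "$fixture/snort.conf"
echo "directives Snort would reject: $(count_missing "$fixture/snort.conf")"
rm -rf "$fixture"
```

Run against a real sensor as `check_preprocessors /etc/snort/snort.conf`; any `MISSING` record points at a preprocessor to either build (the OpenBSD notes in doc/INSTALL) or comment out, together with the rules that depend on it, rather than discovering it from a FATAL ERROR at start-up.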
