[Snort-users] RE : Snort SIP Preprocessor error

Jesse Whyte jesse.whyte at ...15772...
Wed Aug 22 15:30:36 EDT 2012


Thanks.  That seemed to do it.  It looks like "apt-get purge snort-mysql"
left the library directories for the packaged version of snort that
obviously didn't mesh well with my hand-compiled version.  Once I manually
wiped out the /usr/lib/snort* directories and changed the config to point
to the new libraries in /usr/local/lib, everything worked fine.

On Wed, Aug 22, 2012 at 4:51 PM, rmkml <rmkml at ...1855...> wrote:

> Thx Jesse,
> maybe removing snort-mysql did not work correctly,
> can you try removing the snort lib directory manually
> and running snort make install again?
> Regards
> Rmkml
>
>
>
> On Wed, 22 Aug 2012, Jesse Whyte wrote:
>
>> Rmkml,
>>
>> I did.  I had the Ubuntu package snort-mysql installed, but I did an
>> "apt-get remove snort-mysql" prior to installing the hand compiled version.
>> Thanks,
>>
>> Jesse
>>
>> On Wed, Aug 22, 2012 at 12:43 PM, rmkml at ...1855... <rmkml at ...1855...> wrote:
>> Hi Jesse, have you previously installed snort, please?
>>
>> Regards
>> Rmkml
>>
>>
>>
>> Jesse Whyte wrote:
>>
>> List members,
>> I've successfully compiled snort 2.9.3.1 on an Ubuntu 12.04 box running
>> kernel version 3.2.0-29.  I'm trying to hand-compile from source rather
>> than use the packaged version.  The configure appears to execute
>> successfully, as does the make.  After configuring oinkmaster and running
>> snort with generic rules, I'm encountering the following strange error:
>>
>> Running in IDS mode
>>
>>         --== Initializing Snort ==--
>> Initializing Output Plugins!
>> Initializing Preprocessors!
>> Initializing Plug-ins!
>> Parsing Rules file "/etc/snort/snort.conf"
>> PortVar 'HTTP_PORTS' defined :  [ 80:81 311 591 593 901 1220 1414 1830
>> 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118
>> 8123 8180:8181 8243 8280 8888 9090:9091 9443 9999 11371 ]
>> PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
>> PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
>> PortVar 'SSH_PORTS' defined :  [ 22 ]
>> PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
>> PortVar 'SIP_PORTS' defined :  [ 5060:5061 5600 ]
>> Detection:
>>    Search-Method = AC-Full-Q
>>     Split Any/Any group = enabled
>>     Search-Method-Optimizations = enabled
>>     Maximum pattern length = 20
>> Tagged Packet Limit: 256
>> Loading dynamic engine /usr/lib/snort_dynamicengine/libsf_engine.so... done
>> Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor/...
>>   Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so... done
>>   Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so... done
>>   Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so... done
>>   Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dnp3_preproc.so... done
>>   Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
>>   Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done
>>   Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so... done
>>   Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_gtp_preproc.so... done
>>   Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
>>   Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_imap_preproc.so... done
>>   Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
>>   Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
>>   Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
>>   Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so... done
>>   Finished Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor/
>> Log directory = /var/log/snort
>> WARNING: ip4 normalizations disabled because not inline.
>> WARNING: tcp normalizations disabled because not inline.
>> WARNING: icmp4 normalizations disabled because not inline.
>> WARNING: ip6 normalizations disabled because not inline.
>> WARNING: icmp6 normalizations disabled because not inline.
>> Frag3 global config:
>>     Max frags: 65536
>>     Fragment memory cap: 4194304 bytes
>> Frag3 engine config:
>>     Bound Address: default
>>     Target-based policy: WINDOWS
>>     Fragment timeout: 180 seconds
>>     Fragment min_ttl:   1
>>     Fragment Anomalies: Alert
>>     Overlap Limit:     10
>>     Min fragment Length:     100
>> Stream5 global config:
>>     Track TCP sessions: ACTIVE
>>     Max TCP sessions: 262144
>>     Memcap (for reassembly packet storage): 8388608
>>     Track UDP sessions: ACTIVE
>>     Max UDP sessions: 131072
>>     Track ICMP sessions: INACTIVE
>>     Track IP sessions: INACTIVE
>>     Log info if session memory consumption exceeds 1048576
>>     Send up to 2 active responses
>>     Wait at least 5 seconds between responses
>>     Protocol Aware Flushing: ACTIVE
>>         Maximum Flush Point: 16384
>> Stream5 TCP Policy config:
>>     Bound Address: default
>>     Reassembly Policy: WINDOWS
>>     Timeout: 180 seconds
>>     Limit on TCP Overlaps: 10
>>     Maximum number of bytes to queue per session: 1048576
>>     Maximum number of segs to queue per session: 2621
>>     Options:
>>         Require 3-Way Handshake: YES
>>         3-Way Handshake Timeout: 180
>>         Detect Anomalies: YES
>>     Reassembly Ports:
>>       21 client (Footprint)
>>       22 client (Footprint)
>>       23 client (Footprint)
>>       25 client (Footprint)
>>       42 client (Footprint)
>>       53 client (Footprint)
>>       79 client (Footprint)
>>       80 client (Footprint) server (Footprint)
>>       81 client (Footprint) server (Footprint)
>>       109 client (Footprint)
>>       110 client (Footprint)
>>       111 client (Footprint)
>>       113 client (Footprint)
>>       119 client (Footprint)
>>       135 client (Footprint)
>>       136 client (Footprint)
>>       137 client (Footprint)
>>       139 client (Footprint)
>>       143 client (Footprint)
>>       161 client (Footprint)
>>       additional ports configured but not printed.
>> Stream5 UDP Policy config:
>>     Timeout: 180 seconds
>> HttpInspect Config:
>>     GLOBAL CONFIG
>>       Max Pipeline Requests:    0
>>       Inspection Type:          STATELESS
>>       Detect Proxy Usage:       NO
>>       IIS Unicode Map Filename: /etc/snort/unicode.map
>>       IIS Unicode Map Codepage: 1252
>>       Memcap used for logging URI and Hostname: 150994944
>>       Max Gzip Memory: 838860
>>       Max Gzip Sessions: 9532
>>       Gzip Compress Depth: 65535
>>       Gzip Decompress Depth: 65535
>>     DEFAULT SERVER CONFIG:
>>       Server profile: All
>>       Ports (PAF): 80 81 311 591 593 901 1220 1414 1830 2301 2381 2809
>> 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180 8181
>> 8243 8280 8888 9090 9091 9443 9999 11371
>>       Server Flow Depth: 0
>>       Client Flow Depth: 0
>>       Max Chunk Length: 500000
>>       Max Header Field Length: 750
>>       Max Number Header Fields: 100
>>       Max Number of WhiteSpaces allowed with header folding: 200
>>       Inspect Pipeline Requests: YES
>>       URI Discovery Strict Mode: NO
>>       Allow Proxy Usage: NO
>>       Disable Alerting: NO
>>       Oversize Dir Length: 500
>>       Only inspect URI: NO
>>       Normalize HTTP Headers: NO
>>       Inspect HTTP Cookies: YES
>>       Inspect HTTP Responses: YES
>>       Extract Gzip from responses: YES
>>       Unlimited decompression of gzip data from responses: YES
>>       Normalize Javascripts in HTTP Responses: NO
>>       Normalize HTTP Cookies: NO
>>       Enable XFF and True Client IP: NO
>>       Log HTTP URI data: NO
>>       Log HTTP Hostname data: NO
>>       Extended ASCII code support in URI: NO
>>       Ascii: YES alert: NO
>>       Double Decoding: YES alert: NO
>>       %U Encoding: YES alert: YES
>>       Bare Byte: YES alert: NO
>>       UTF 8: YES alert: NO
>>       IIS Unicode: YES alert: NO
>>       Multiple Slash: YES alert: NO
>>       IIS Backslash: YES alert: NO
>>       Directory Traversal: YES alert: NO
>>       Web Root Traversal: YES alert: NO
>>       Apache WhiteSpace: YES alert: NO
>>       IIS Delimiter: YES alert: NO
>>       IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
>>       Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
>>       Whitespace Characters: 0x09 0x0b 0x0c 0x0d
>> rpc_decode arguments:
>>     Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779
>>     alert_fragments: INACTIVE
>>     alert_large_fragments: INACTIVE
>>     alert_incomplete: INACTIVE
>>     alert_multiple_requests: INACTIVE
>> ERROR size 440 != 432
>> ERROR: Failed to initialize dynamic preprocessor: SF_SIP (IPV6) version 1.1.1 (-2)
>> Fatal Error, Quitting..
>>
>> Everything looks fairly normal.  The snort.conf file is basically stock.
>> As a first step in trying to isolate the problem, I disabled the sip
>> preprocessor with the following lines in the config file:
>>
>> # SIP Session Initiation Protocol preprocessor.  For more information see README.sip
>> preprocessor sip: max_sessions 10000, \
>>    disabled
>> #   ports { 5060 5061 5600 }, \
>> #   methods { invite \
>> #             cancel \
>> #             ack \
>> #             bye \
>> #             register \
>> #             options \
>> #             refer \
>> #             subscribe \
>> #             update \
>> #             join \
>> #             info \
>> #             message \
>> #             notify \
>> #             benotify \
>> #             do \
>> #             qauth \
>> #             sprack \
>> #             publish \
>> #             service \
>> #             unsubscribe \
>> #             prack }, \
>> #   max_uri_len 512, \
>> #   max_call_id_len 80, \
>> #   max_requestName_len 20, \
>> #   max_from_len 256, \
>> #   max_to_len 256, \
>> #   max_via_len 1024, \
>> #   max_contact_len 512, \
>> #   max_content_len 1024
>>
>> (Whereas previously, I had the standard preprocessor config.)  Disabling
>> the preprocessor as above did not change the snort output.  There does not
>> seem to be anything in the configure output that indicates problems
>> with SIP.  Can anyone offer any insight into this issue?
>>
>> Many thanks,
>>
>> Jesse Whyte
>>
>>
>>
>>
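The root cause found at the top of this thread was a hand-built snort (installed under /usr/local) still loading the packaged dynamic engine and preprocessors left behind in /usr/lib, which surfaced as the struct-size check "ERROR size 440 != 432". The script below is an added example, not code from the thread or from the Snort project: it parses the dynamicengine/dynamicpreprocessor/dynamicdetection lines of a snort.conf, checks that every configured library directory exists and comes from the same install prefix as the snort binary, and on Debian/Ubuntu reports directories a package still owns. Library paths are assumed to contain no whitespace; the demo snort.conf is constructed.

```shell
#!/bin/sh
# Added example: verify that snort.conf loads its dynamic libraries from the
# same install prefix as the snort binary (hand-built /usr/local vs packaged
# /usr). Mixing the two is what produced "ERROR size 440 != 432" in the thread.

# Print every directory snort.conf will load dynamic libraries from.
# Handles "dynamicengine <file>", "dynamicengine directory <dir>" and the
# dynamicpreprocessor/dynamicdetection equivalents; comment lines never match.
snort_dynlib_dirs() {
    awk '$1 ~ /^dynamic(engine|preprocessor|detection)$/ {
             if ($2 == "directory") { sub(/\/+$/, "", $3); print $3 }
             else { sub(/\/[^\/]*$/, "", $2); print $2 }   # strip the file name
         }' "$1" | sort -u
}

# Install prefix of <prefix>/lib/snort_dynamic* or <prefix>/bin/snort:
# the parent of the lib/ or bin/ directory (/usr, /usr/local, ...).
install_prefix() { dirname "$(dirname "$1")"; }

# Report each configured library directory as OK, MISSING, or MISMATCH
# (libraries and binary from different prefixes). Returns 1 on any problem.
check_snort_dynlibs() {
    conf=$1; snort_bin=$2
    bin_prefix=$(install_prefix "$snort_bin"); status=0
    for d in $(snort_dynlib_dirs "$conf"); do
        if [ ! -d "$d" ]; then
            echo "MISSING  $d"; status=1
        elif [ "$(install_prefix "$d")" != "$bin_prefix" ]; then
            echo "MISMATCH $d (libs under $(install_prefix "$d"), binary under $bin_prefix)"; status=1
        else
            echo "OK       $d"
        fi
        # On Debian/Ubuntu, show whether a package still owns the directory:
        # the "purge left the library directories behind" situation.
        if command -v dpkg >/dev/null 2>&1 && dpkg -S "$d" >/dev/null 2>&1; then
            echo "PACKAGED $d owned by: $(dpkg -S "$d" | cut -d: -f1 | sort -u | tr '\n' ' ')"
        fi
    done
    return $status
}

# Stand-alone demo on a constructed snort.conf (run as: sh check.sh --demo).
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/usr/lib/snort_dynamicengine" "$t/usr/local/lib/snort_dynamicpreprocessor" "$t/usr/local/bin"
    printf 'dynamicengine %s/usr/lib/snort_dynamicengine/libsf_engine.so\n' "$t" > "$t/snort.conf"
    printf 'dynamicpreprocessor directory %s/usr/local/lib/snort_dynamicpreprocessor/\n' "$t" >> "$t/snort.conf"
    check_snort_dynlibs "$t/snort.conf" "$t/usr/local/bin/snort"   # MISMATCH on the engine dir
    rm -rf "$t"
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

On a real box run it as `check_snort_dynlibs /etc/snort/snort.conf "$(command -v snort)"`; any MISMATCH or PACKAGED line points at a directory to remove or a config path to repoint before the struct-size error will go away.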