[Snort-users] MySQL support for Snort 2.9.4

Kaya Saman kayasaman at ...11827...
Mon Dec 10 21:14:10 EST 2012


On 12/11/2012 02:07 AM, Jeremy Hoel wrote:
> yes.. it could be.  If you have no files there then you can comment those out.
>
> And you can use ipvar for ipv4 only.. that's not a problem, I just
> didn't know if you have var or ipvar before and if you planned on
> using ipv6 (that preprocessor was v6)

Ok first quick question, can ipvar be used for both ipv4 and ipv6?

Also after commenting the two preprocessor lines out:

# path to dynamic preprocessor libraries
#dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/

# path to base preprocessor engine
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so

# path to dynamic rules libraries
#dynamicdetection directory /usr/local/lib/snort_dynamicrules



I get this:

ERROR: /etc/snort/snort.conf(337) Unknown preprocessor: "ftp_telnet".

Something still isn't right??


>
> On Mon, Dec 10, 2012 at 6:52 PM, Kaya Saman <kayasaman at ...11827...> wrote:
>> On 12/11/2012 01:41 AM, Jeremy Hoel wrote:
>>
>> Without looking at the Google's, normally preprocessor errors are missing
>> files.  Look in your snort conf and make sure the paths to the preprocessors
>> are correct.
>>
>> And if you are using ipv6 addresses make sure you use ipvar vs var in snort
>> conf.
>>
>>
>> Hmm.... this is interesting.
>>
>> I reverted my config back from ipvar to var since I'm using IPv4.
>>
>> The libraries are setup as such:
>>
>> # path to dynamic preprocessor libraries
>> dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
>>
>> # path to base preprocessor engine
>> dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
>>
>> # path to dynamic rules libraries
>> dynamicdetection directory /usr/local/lib/snort_dynamicrules
>>
>>
>> of which they are all there:
>>
>> # ls /usr/local/lib | grep snort
>> snort_dynamicengine
>> snort_dynamicpreprocessor
>> snort_dynamicrules
>>
>>
>> The rules have been setup as such:
>>
>> var RULE_PATH ./rules
>> var SO_RULE_PATH ./so_rules
>> var PREPROC_RULE_PATH ./preproc_rules
>>
>>
>> All the *rules files and directories reside within /etc/snort/ - I have also
>> attempted to put the full dir path too; /etc/snort/rules etc...
>>
>> - which didn't yield any difference.
>>
>>
>> I'm not sure what's going on, I don't have anything in the dynamicrules or
>> dynamicpreprocessor folders though! Could this be the issue?
>>
>>
>> Regards,
>>
>>
>> Kaya
>>
>>
>>
>> On Dec 10, 2012 6:16 PM, "Kaya Saman" <kayasaman at ...11827...> wrote:
>>> On 12/11/2012 01:13 AM, beenph wrote:
>>>
>>>
>>>
>>> On Mon, Dec 10, 2012 at 8:04 PM, Kaya Saman <kayasaman at ...11827...> wrote:
>>>> I've just compiled and installed Barnyard2 now and currently working on
>>>> the integration with snort 2.9.3.1.
>>>>
>>>> I just wonder if I will need to do anything different for my BASE
>>>> setup??
>>>>
>>> No, it uses the same schema and should continue to work as expected,
>>> the main difference being that its barnyard2 that feeds the database.
>>>
>>> -elz
>>>
>>>
>>>
>>>
>>>
>>> Thanks for the response!
>>>
>>> I know I should ask this in a new Subject Heading however I'm getting this
>>> error while trying to start Snort:
>>>
>>> ERROR: Failed to initialize dynamic preprocessor: SF_SSLPP (IPV6) version
>>> 1.1.4 (-1)
>>>
>>> # snort -V
>>>
>>>     ,,_     -*> Snort! <*-
>>>    o"  )~   Version 2.9.3.1 IPv6 GRE (Build 40)
>>>     ''''    By Martin Roesch & The Snort Team:
>>> http://www.snort.org/snort/snort-team
>>>             Copyright (C) 1998-2012 Sourcefire, Inc., et al.
>>>             Using libpcap version 1.3.0
>>>             Using PCRE version: 8.30 2012-02-04
>>>             Using ZLIB version: 1.2.3
>>>
>>>
>>> OS is OpenBSD 5.2 SPARC64
>>>
>>> Am running: snort -T -i trunk0 -c /etc/snort/snort.conf to start snort
>>>
>>>
>>> Am currently Google'ing it but not getting very far.......
>>>
>>>
>>> Regards,
>>>
>>>
>>> Kaya
>>
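
Added example (not part of the original thread, and not Snort's own code): a preflight check for the failure shown in this message, where `preprocessor` lines such as `ftp_telnet` stay active while no `dynamicpreprocessor` directive loads a library that could register them. The `DYNAMIC` set, `check_conf` and the constructed `SAMPLE` config are assumptions made for this illustration.

```python
import os
import re

# Preprocessors that stock Snort 2.9.x builds as shared libraries rather than
# compiling in (assumption: adjust the set to match your own build).
DYNAMIC = {"ftp_telnet", "ftp_telnet_protocol", "smtp", "ssh", "dns", "ssl",
           "dcerpc2", "dcerpc2_server", "sensitive_data", "sip", "imap",
           "pop", "reputation", "gtp", "modbus", "dnp3"}

# Constructed sample mirroring the config in the message above.
SAMPLE = """\
# path to dynamic preprocessor libraries
#dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
preprocessor frag3_global: max_frags 65536
preprocessor ftp_telnet: global inspection_type stateful
"""

def check_conf(conf_text):
    """Return (line_no, message) findings for the text of a snort.conf."""
    loaded, findings, used = False, [], []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # ignore commented-out text
        m = re.match(r"dynamicpreprocessor\s+(directory|file)\s+(\S+)", line)
        if m:
            kind, path = m.groups()
            if kind == "file":
                found = os.path.isfile(path)
            else:                                # .so, or .so.X.Y on OpenBSD
                found = os.path.isdir(path) and any(
                    ".so" in name for name in os.listdir(path))
            if found:
                loaded = True
            else:
                findings.append((no, f"no preprocessor library at {path}"))
            continue
        m = re.match(r"preprocessor\s+(\w+)", line)
        if m and m.group(1) in DYNAMIC:
            used.append((no, m.group(1)))
    if not loaded:                               # nothing registered the names
        findings += [(n, f'"{name}" needs a dynamic library, none loaded')
                     for n, name in used]
    return findings

if __name__ == "__main__":
    for no, msg in check_conf(SAMPLE):
        print(f"snort.conf({no}): {msg}")
```

The check only confirms that at least one library is present at the configured path; it does not verify that the library for each named preprocessor is among them.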




