[Snort-users] MySQL support for Snort 2.9.4

Jeremy Hoel jthoel at ...11827...
Mon Dec 10 21:22:25 EST 2012


yes.. you can use ipvar for just ipv4 only.

Now that I'm in front of a computer.. I see I may have oversimplified
something..

You have preprocessor stanzas in your config (frag, stream, ftp,
smtp, etc).. so you need to have those preprocessors loaded.  When you
mentioned the folder they had been looking for was empty, did you by
chance look for them in another folder?

You are using OpenBSD 5.2 SPARC64 and I haven't used that, so it could
be they got installed somewhere else.

did you install from source or from the package manager?


On Mon, Dec 10, 2012 at 7:14 PM, Kaya Saman <kayasaman at ...11827...> wrote:
> On 12/11/2012 02:07 AM, Jeremy Hoel wrote:
>>
>> yes.. it could be.  If you have no files there then you can comment those
>> out.
>>
>> And you can use ipvar for ipv4 only.. that's not a problem, I just
>> didn't know if you have var or ipvar before and if you planned on
>> using ipv6 (that preprocessor was v6)
>
>
> Ok first quick question, can ipvar be used for both ipv4 and ipv6?
>
> Also after commenting the two preprocessor lines out:
>
>
> # path to dynamic preprocessor libraries
> #dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
>
>
> # path to base preprocessor engine
> dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
>
> # path to dynamic rules libraries
> #dynamicdetection directory /usr/local/lib/snort_dynamicrules
>
>
>
> I get this:
>
> ERROR: /etc/snort/snort.conf(337) Unknown preprocessor: "ftp_telnet".
>
> Something still isn't right??
>
>
>
>>
>> On Mon, Dec 10, 2012 at 6:52 PM, Kaya Saman <kayasaman at ...11827...> wrote:
>>>
>>> On 12/11/2012 01:41 AM, Jeremy Hoel wrote:
>>>
>>> Without looking at the Google's, normally preprocessor errors are missing
>>> files.  Look in your snort conf and make sure the paths to the
>>> preprocessors
>>> are correct.
>>>
>>> And if you are using ipv6 addresses make sure you use ipvar vs var in
>>> snort
>>> conf.
>>>
>>>
>>> Hmm.... this is interesting.
>>>
>>> I reverted my config back from ipvar to var since I'm using IPv4.
>>>
>>> The libraries are setup as such:
>>>
>>> # path to dynamic preprocessor libraries
>>> dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
>>>
>>> # path to base preprocessor engine
>>> dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
>>>
>>> # path to dynamic rules libraries
>>> dynamicdetection directory /usr/local/lib/snort_dynamicrules
>>>
>>>
>>> of which they are all there:
>>>
>>> # ls /usr/local/lib | grep snort
>>> snort_dynamicengine
>>> snort_dynamicpreprocessor
>>> snort_dynamicrules
>>>
>>>
>>> The rules have been setup as such:
>>>
>>> var RULE_PATH ./rules
>>> var SO_RULE_PATH ./so_rules
>>> var PREPROC_RULE_PATH ./preproc_rules
>>>
>>>
>>> All the *rules files and directories reside within /etc/snort/ - I have
>>> also
>>> attempted to put the full dir path too; /etc/snort/rules etc...
>>>
>>> - which didn't yield any difference.
>>>
>>>
>>> I'm not sure what's going on, I don't have anything in the dynamicrules
>>> or
>>> dynamicpreprocessor folders though! Could this be the issue?
>>>
>>>
>>> Regards,
>>>
>>>
>>> Kaya
>>>
>>>
>>>
>>> On Dec 10, 2012 6:16 PM, "Kaya Saman" <kayasaman at ...11827...> wrote:
>>>>
>>>> On 12/11/2012 01:13 AM, beenph wrote:
>>>>
>>>>
>>>>
>>>> On Mon, Dec 10, 2012 at 8:04 PM, Kaya Saman <kayasaman at ...11827...> wrote:
>>>>>
>>>>> I've just compiled and installed Barnyard2 now and currently working on
>>>>> the integration with snort 2.9.3.1.
>>>>>
>>>>> I just wonder if I will need to do anything different for my BASE
>>>>> setup??
>>>>>
>>>> No, it uses the same schema and should continue to work as expected,
>>>> the main difference being that its barnyard2 that feeds the database.
>>>>
>>>> -elz
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> Thanks for the response!
>>>>
>>>> I know I should ask this in a new Subject Heading however I'm getting
>>>> this
>>>> error while trying to start Snort:
>>>>
>>>> ERROR: Failed to initialize dynamic preprocessor: SF_SSLPP (IPV6)
>>>> version
>>>> 1.1.4 (-1)
>>>>
>>>> # snort -V
>>>>
>>>>     ,,_     -*> Snort! <*-
>>>>    o"  )~   Version 2.9.3.1 IPv6 GRE (Build 40)
>>>>     ''''    By Martin Roesch & The Snort Team:
>>>> http://www.snort.org/snort/snort-team
>>>>             Copyright (C) 1998-2012 Sourcefire, Inc., et al.
>>>>             Using libpcap version 1.3.0
>>>>             Using PCRE version: 8.30 2012-02-04
>>>>             Using ZLIB version: 1.2.3
>>>>
>>>>
>>>> OS is OpenBSD 5.2 SPARC64
>>>>
>>>> Am running: snort -T -i trunk0 -c /etc/snort/snort.conf to start snort
>>>>
>>>>
>>>> Am currently Google'ing it but not getting very far.......
>>>>
>>>>
>>>> Regards,
>>>>
>>>>
>>>> Kaya
>>>
>>>
>
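
The failure mode running through this thread (library directives commented out or pointing at empty directories while `preprocessor` stanzas remain in snort.conf) can be checked before running `snort -T`. The sketch below is an added example, not code from any poster or from the Snort project; the function names, the `root` parameter and the sample configuration are constructed for illustration, using only the directive names quoted in the thread.

```python
import os
import re
import tempfile

# Library-loading directives from the thread, active or commented out with '#'.
DIRECTIVE = re.compile(
    r"^\s*(#?)\s*(dynamicpreprocessor|dynamicengine|dynamicdetection)"
    r"\s+(?:(?:directory|file)\s+)?(/\S*)")
PREPROC = re.compile(r"^\s*preprocessor\s+(\w+)")

# Constructed sample modelled on the snort.conf lines quoted in the thread.
SAMPLE_CONF = """\
# path to dynamic preprocessor libraries
#dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/lib/snort_dynamicrules
preprocessor ftp_telnet: global inspection_type stateful
"""

def audit(conf_text, root=""):
    """Return (findings, preprocessors); root is prefixed to every path."""
    findings, preprocs = [], []
    for n, line in enumerate(conf_text.splitlines(), 1):
        p, d = PREPROC.match(line), DIRECTIVE.match(line)
        if p:
            preprocs.append((n, p.group(1)))
        if not d:
            continue
        commented, name, path = d.groups()
        if commented:
            state = "commented out"
        elif not os.path.exists(root + path):
            state = "path missing"
        elif os.path.isdir(root + path) and not os.listdir(root + path):
            state = "directory empty"
        else:
            state = "ok"
        findings.append((n, name, state))
    return findings, preprocs

def demo():
    """Audit SAMPLE_CONF against a throwaway tree shaped like the poster's."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(root + "/usr/local/lib/snort_dynamicrules")  # left empty
        os.makedirs(root + "/usr/local/lib/snort_dynamicengine")
        open(root + "/usr/local/lib/snort_dynamicengine/libsf_engine.so", "w").close()
        return audit(SAMPLE_CONF, root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

On a real sensor, call `audit(open("/etc/snort/snort.conf").read())` with the default empty `root`; any `preprocessor` entry listed alongside a dynamicpreprocessor finding other than "ok" deserves a look before starting Snort.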



