[Snort-users] MySQL support for Snort 2.9.4

Kaya Saman kayasaman at ...11827...
Mon Dec 10 21:28:12 EST 2012


On 12/11/2012 02:22 AM, Jeremy Hoel wrote:
> yes.. you can use ipvar for just ipv4 only.
>
> Now that I'm in front of a computer.. I see I may have over simplified
> something..
>
> You have preprocessor stanzas in your config (frag, stream, ftp,
> smtp, etc).. so you need to have those preprocessors loaded.  When you
> mentioned the folder they had been looking for was empty, did you by
> chance look for them in another folder?

I finally found the information and it's all where it's supposed to be.

>
> You are using OpenBSD 5.2 SPARC64 and I haven't used that, so it could
> be they got installed somewhere else.
>
> did you install from source or from the package manager?

Installed from source as OpenBSD doesn't yet "officially" support 
version 2.9.x

I am using Daq version 2.0.0 from my first test with Snort 2.9.4 - could 
this be the issue? Should I downgrade to 1.1.1?

However, the install went ok with no errors at all from Snort's point of 
view!

>
>
> On Mon, Dec 10, 2012 at 7:14 PM, Kaya Saman <kayasaman at ...11827...> wrote:
>> On 12/11/2012 02:07 AM, Jeremy Hoel wrote:
>>> yes.. it could be.  If you have no files there then you can comment those
>>> out.
>>>
>>> And you can use ipvar for ipv4 only.. that's not a problem, I just
>>> didn't know if you have var or ipvar before and if you planned on
>>> using ipv6 (that preprocessor was v6)
>>
>> Ok first quick question, can ipvar be used for both ipv4 and ipv6?
>>
>> Also after commenting the two preprocessor lines out:
>>
>>
>> # path to dynamic preprocessor libraries
>> #dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
>>
>>
>> # path to base preprocessor engine
>> dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
>>
>> # path to dynamic rules libraries
>> #dynamicdetection directory /usr/local/lib/snort_dynamicrules
>>
>>
>>
>> I get this:
>>
>> ERROR: /etc/snort/snort.conf(337) Unknown preprocessor: "ftp_telnet".
>>
>> Something still isn't right??
>>
>>
>>
>>> On Mon, Dec 10, 2012 at 6:52 PM, Kaya Saman <kayasaman at ...11827...> wrote:
>>>> On 12/11/2012 01:41 AM, Jeremy Hoel wrote:
>>>>
>>>> Without looking at the Google's, normally preprocessor errors are missing
>>>> files.  Look in your snort conf and make sure the paths to the
>>>> preprocessors are correct.
>>>>
>>>> And if you are using ipv6 addresses make sure you use ipvar vs var in
>>>> snort conf.
>>>>
>>>>
>>>> Hmm.... this is interesting.
>>>>
>>>> I reverted my config back from ipvar to var since I'm using IPv4.
>>>>
>>>> The libraries are setup as such:
>>>>
>>>> # path to dynamic preprocessor libraries
>>>> dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
>>>>
>>>> # path to base preprocessor engine
>>>> dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
>>>>
>>>> # path to dynamic rules libraries
>>>> dynamicdetection directory /usr/local/lib/snort_dynamicrules
>>>>
>>>>
>>>> of which they are all there:
>>>>
>>>> # ls /usr/local/lib | grep snort
>>>> snort_dynamicengine
>>>> snort_dynamicpreprocessor
>>>> snort_dynamicrules
>>>>
>>>>
>>>> The rules have been setup as such:
>>>>
>>>> var RULE_PATH ./rules
>>>> var SO_RULE_PATH ./so_rules
>>>> var PREPROC_RULE_PATH ./preproc_rules
>>>>
>>>>
>>>> All the *rules files and directories reside within /etc/snort/ - I have
>>>> also attempted to put the full dir path too; /etc/snort/rules etc...
>>>>
>>>> - which didn't yield any difference.
>>>>
>>>>
>>>> I'm not sure what's going on, I don't have anything in the dynamicrules
>>>> or dynamicpreprocessor folders though! Could this be the issue?
>>>>
>>>>
>>>> Regards,
>>>>
>>>>
>>>> Kaya
>>>>
>>>>
>>>>
>>>> On Dec 10, 2012 6:16 PM, "Kaya Saman" <kayasaman at ...11827...> wrote:
>>>>> On 12/11/2012 01:13 AM, beenph wrote:
>>>>>
>>>>>
>>>>>
>>>>> On Mon, Dec 10, 2012 at 8:04 PM, Kaya Saman <kayasaman at ...11827...> wrote:
>>>>>> I've just compiled and installed Barnyard2 now and currently working on
>>>>>> the integration with snort 2.9.3.1.
>>>>>>
>>>>>> I just wonder if I will need to do anything different for my BASE
>>>>>> setup??
>>>>>>
>>>>> No, it uses the same schema and should continue to work as expected,
>>>>> the main difference being that its barnyard2 that feeds the database.
>>>>>
>>>>> -elz
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Thanks for the response!
>>>>>
>>>>> I know I should ask this in a new Subject Heading however I'm getting
>>>>> this error while trying to start Snort:
>>>>>
>>>>> ERROR: Failed to initialize dynamic preprocessor: SF_SSLPP (IPV6) version 1.1.4 (-1)
>>>>>
>>>>> # snort -V
>>>>>
>>>>>      ,,_     -*> Snort! <*-
>>>>>     o"  )~   Version 2.9.3.1 IPv6 GRE (Build 40)
>>>>>      ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
>>>>>              Copyright (C) 1998-2012 Sourcefire, Inc., et al.
>>>>>              Using libpcap version 1.3.0
>>>>>              Using PCRE version: 8.30 2012-02-04
>>>>>              Using ZLIB version: 1.2.3
>>>>>
>>>>>
>>>>> OS is OpenBSD 5.2 SPARC64
>>>>>
>>>>> Am running: snort -T -i trunk0 -c /etc/snort/snort.conf to start snort
>>>>>
>>>>>
>>>>> Am currently Google'ing it but not getting very far.......
>>>>>
>>>>>
>>>>> Regards,
>>>>>
>>>>>
>>>>> Kaya
>>>>
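
The check this thread works toward, written out as an added example that is not part of the original messages: it reads the active `dynamicpreprocessor`, `dynamicengine` and `dynamicdetection` directives from a snort.conf, verifies each path exists and holds libraries, and flags `preprocessor` stanzas left without a loader. The function name and the finding labels (OK, EMPTY, MISSING, NOLOADER) are made up for this example; the directive forms are the ones quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): audit the dynamic-library directives
# in a snort.conf. Prints one finding per line; returns 1 if any problem.
check_snort_dynamic_paths() {
    conf=$1; problems=0; have_dpp=0
    # Commented-out directives never match: their first word starts with '#'.
    while read -r kw a b rest; do
        case $kw in
            dynamicpreprocessor|dynamicdetection|dynamicengine) ;;
            *) continue ;;
        esac
        # Forms quoted in the thread: "<kw> directory <dir>" and "dynamicengine <lib>".
        if [ "$a" = directory ] || [ "$a" = file ]; then
            kind=$a; path=$b
        else
            kind=file; path=$a
        fi
        if [ "$kw" = dynamicpreprocessor ]; then have_dpp=1; fi
        if [ "$kind" = directory ]; then
            if [ ! -d "$path" ]; then
                echo "MISSING $kw $path"; problems=1
            else
                # Count shared objects, including versioned names such as .so.0.0
                n=$(ls "$path" | grep -c '\.so' || true)
                if [ "$n" -eq 0 ]; then
                    echo "EMPTY $kw $path"; problems=1
                else
                    echo "OK $kw $path ($n libraries)"
                fi
            fi
        elif [ -f "$path" ]; then
            echo "OK $kw $path"
        else
            echo "MISSING $kw $path"; problems=1
        fi
    done < "$conf"
    # A stanza naming a dynamically loaded preprocessor fails with
    # "Unknown preprocessor" when no directive is active to load it.
    npre=$(grep -c '^[[:space:]]*preprocessor[[:space:]]' "$conf" || true)
    if [ "$npre" -gt 0 ] && [ "$have_dpp" -eq 0 ]; then
        echo "NOLOADER $npre preprocessor stanzas, no active dynamicpreprocessor directive"
        problems=1
    fi
    return "$problems"
}

# Usage: sh this_script.sh /etc/snort/snort.conf
if [ $# -gt 0 ]; then check_snort_dynamic_paths "$1"; fi
```

An EMPTY finding corresponds to the first configuration in the thread (directive active, nothing in the folder); NOLOADER corresponds to the second, where the directive was commented out and `ftp_telnet` became unknown.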




