[Snort-users] Cannot install Snort with RPM file.

Jutichai Thongkrachai thsecmaniac at ...11827...
Tue Sep 30 04:07:05 EDT 2014


Hello,

I tried to install Snort with the RPM file that is on snort.org but I got this
error:


error: Failed dependencies:
        libdnet.1()(64bit) is needed by snort-1:2.9.6.2-1.x86_64
        libpcre.so.0()(64bit) is needed by snort-1:2.9.6.2-1.x86_64


It's strange because in CentOS 7, there are:

1. libdnet 1.12 including its devel package
2. pcre 8.32 including its devel package

in the system already?


2014-09-29 21:56 GMT+07:00 <snort-users-request at lists.sourceforge.net>:

> Today's Topics:
>
>    1. Re: http_header not working (NIDS TEAM)
>    2. Re: http_header not working (Mitesh Jadia)
>    3. Salir Suscripcion (Dilan Loboa)
>    4. Re: http_header not working (waldo kitty)
>
>
> ---------- Forwarded message ----------
> From: NIDS TEAM <nidsteam at ...11827...>
> To: "Joel Esler (jesler)" <jesler at ...589...>
> Cc: "snort-users at lists.sourceforge.net" <snort-users at lists.sourceforge.net>
> Date: Mon, 29 Sep 2014 13:52:20 +0200
> Subject: Re: [Snort-users] http_header not working
> So I just compiled Snort with --enable-sourcefire.
>
> Snort runs with the following rule:
> alert tcp any any <> any any (msg:"TEST HOST alert"; content:"google";
> http_uri; gid:1; sid:99999; rev:2;)
>
> I then do one single request to www.google.com/mail
>
> The following request is visible with Snort (I do not copy all the SYN/ACK
> packets):
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> 09/29-09:03:51.706262 213.156.231.85:38364 -> 173.194.32.210:80
> TCP TTL:64 TOS:0x0 ID:60575 IpLen:20 DgmLen:170 DF
> ***AP*** Seq: 0xE1581B62  Ack: 0x746B8DA  Win: 0x73  TcpLen: 32
> TCP Options (3) => NOP NOP TS: 1809643521 4126477955
> 47 45 54 20 2F 6D 61 69 6C 20 48 54 54 50 2F 31  GET /mail HTTP/1
> 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20  .1..User-Agent:
> 57 67 65 74 2F 31 2E 31 33 2E 34 20 28 6C 69 6E  Wget/1.13.4 (lin
> 75 78 2D 67 6E 75 29 0D 0A 41 63 63 65 70 74 3A  ux-gnu)..Accept:
> 20 2A 2F 2A 0D 0A 48 6F 73 74 3A 20 77 77 77 2E   */*..Host: www.
> 67 6F 6F 67 6C 65 2E 63 6F 6D 0D 0A 43 6F 6E 6E  google.com..Conn
> 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69  ection: Keep-Ali
> 76 65 0D 0A 0D 0A                                ve....
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> The Preprocessor Profile Statistics shows:
>   3   httpinspect   0   2   2   4   2.11   0.60   0.60
>
>
> ===============================================================================
> HTTP Inspect - encodings (Note: stream-reassembled packets included):
>     POST methods:                         0
>     GET methods:                          0
>     HTTP Request Headers extracted:       0
>     HTTP Request Cookies extracted:       0
>     Post parameters extracted:            0
>     HTTP response Headers extracted:      0
>     HTTP Response Cookies extracted:      0
>     Unicode:                              0
>     Double unicode:                       0
>     Non-ASCII representable:              0
>     Directory traversals:                 0
>     Extra slashes ("//"):                 0
>     Self-referencing paths ("./"):        0
>     HTTP Response Gzip packets extracted: 0
>     Gzip Compressed Data Processed:       n/a
>     Gzip Decompressed Data Processed:     n/a
>     Total packets processed:              2
>
> It looks like the http_inspect preprocessor doesn't do anything here,
> besides passing the packet.
>
> The http_inspect configuration is identical to:
> http://labs.snort.org/snort/2962/snort.conf
>
>
>
> On Fri, Sep 26, 2014 at 5:50 PM, Joel Esler (jesler) <jesler at ...589...>
> wrote:
>
>> I suggest you compile with --enable-sourcefire.
>>
>> That turns on all the things we usually troubleshoot with.
>>
>>
>> > On Sep 26, 2014, at 11:46 AM, NIDS TEAM <nidsteam at ...11827...> wrote:
>> >
>> > No, but is there any dependency?
>> >
>> > These are the compile flags:
>> >
>> > ./configure \
>> >                 --quiet \
>> >                 --prefix=/opt/snort \
>> >                 --enable-static=no \
>> >                 --with-libpcap-includes=/opt/snort/include \
>> >                 --with-libpcap-libraries=/opt/snort/lib \
>> >                 --with-dnet-includes=/opt/snort/include \
>> >                 --with-dnet-libraries=/opt/snort/lib \
>> >                 --with-daq-includes=/opt/snort/include \
>> >                 --with-daq-libraries=/opt/snort/lib \
>> >                 --enable-reload \
>> >                 --enable-reload-error-restart \
>> >                 --enable-normalizer
>> >
>> >
>> >
>>
>>
>
>
> ---------- Forwarded message ----------
> From: Mitesh Jadia <mitesh.jadia at ...11827...>
> To: NIDS TEAM <nidsteam at ...11827...>
> Cc: "snort-users at lists.sourceforge.net" <snort-users at lists.sourceforge.net>
> Date: Mon, 29 Sep 2014 19:10:55 +0530
> Subject: Re: [Snort-users] http_header not working
> Hello,
>
> As per my understanding...
>
> Following signature
> alert ip any any -> any any (content:"test"; http_header; msg:"Test
> Signature"; sid:"9999998"; rev:1);
> will not trigger because  content "test"  in your GET request will not be
> the part of http_header field. http_uri and http_raw_uri are proper
> keywords to match this content.
>
>
> alert ip any any -> any any (content:"test"; http_uri; msg:"Test
> Signature"; sid:"9999997"; rev:1);
> Logically you should use  'alert tcp'  for this signature.  However with
> alert ip this signature is working for me here.
>
>
> On Fri, Sep 26, 2014 at 5:59 PM, NIDS TEAM <nidsteam at ...11827...> wrote:
>
>> Hi
>>
>> I just encounter a problem with the http_* keywords in Snort rules. There
>> is a GET request to www.anywebsite.com/test
>>
>> The following signature triggers:
>> alert ip any any -> any any (content:"test"; msg:"Test Signature";
>> sid:"9999999"; rev:1);
>>
>> The following signatures do not:
>> alert ip any any -> any any (content:"test"; http_header; msg:"Test
>> Signature"; sid:"9999998"; rev:1);
>> alert ip any any -> any any (content:"test"; http_uri; msg:"Test
>> Signature"; sid:"9999997"; rev:1);
>>
>> Does anyone have an idea why?
>>
>> I tested the behaviour with:
>> - Security Onion - Snort 2.9.5.6
>>   Default shipped configuration plus the above rules
>> - Ubuntu Snort download off the shelf - Snort 2.9.6.0
>> - Latest and greatest compiled - Snort 2.9.6.2
>>
>> There is always the same behaviour.
>>
>> Thanks already
>> guido
>>
>>
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest
>> Snort news!
>>
>
>
>
> ---------- Forwarded message ----------
> From: Dilan Loboa <dilan1396 at ...11827...>
> To: snort-users-request at lists.sourceforge.net,
> snort-users-owner at lists.sourceforge.net, snort-users at lists.sourceforge.net
> Cc:
> Date: Mon, 29 Sep 2014 08:53:45 -0500
> Subject: [Snort-users] Salir Suscripcion
> Deseo Salir
>
>
> ---------- Forwarded message ----------
> From: waldo kitty <wkitty42 at ...14940...>
> To: snort-users at lists.sourceforge.net
> Cc:
> Date: Mon, 29 Sep 2014 10:56:20 -0400
> Subject: Re: [Snort-users] http_header not working
> On 9/29/2014 7:52 AM, NIDS TEAM wrote:
>
>> So I just compiled Snort with --enable-sourcefire.
>>
>> Snort runs with the following rule:
>> alert tcp any any <> any any (msg:"TEST HOST alert"; content:"google";
>> http_uri;
>> gid:1; sid:99999; rev:2;)
>>
>
> are you saying that you have no other rules at all? only this one rule
> plus the built-in ones in the internal functions?
>
>> I then do one single request to www.google.com/mail
>>
>> The following request is visible with Snort (I do not copy all the
>> SYN/ACK packets):
>>
>
> [trim]
>
>> It looks like the http_inspect preprocessor doesn't do anything here,
>> besides passing the packet.
>>
>> The http_inspect configuration is identical to:
>> http://labs.snort.org/snort/2962/snort.conf
>>
>
> what do you expect to see from the http_inspect preprocessor? where do you
> expect to see it emitted?
>
> --
>  NOTE: No off-list assistance is given without prior approval.
>        Please *keep mailing list traffic on the list* unless
>        private contact is specifically requested and granted.
>
>
>
>
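The "Failed dependencies" error in the original post names shared-library capabilities by SONAME, so a package built against libpcre.so.0 is not satisfied by a system whose pcre ships libpcre.so.1, however recent that pcre is. As an added example (not from the thread and not a snort.org tool), the Python below parses the error text exactly as quoted and checks each required capability against a constructed sample of `rpm -q --provides` output, separating "no package provides this at all" from "a different SONAME version is installed". On a real host the constructed sample would be replaced by the output of `rpm -q --provides pcre libdnet`, and `rpm -q --whatprovides 'libpcre.so.0()(64bit)'` answers the same question directly. The sample's contents (a pcre exporting libpcre.so.1, nothing providing libdnet.1) are an assumption made for illustration, not a statement about the poster's machine.

```python
"""Classify rpm 'Failed dependencies' lines against installed capabilities.

Added illustration, not from the thread. rpm is not invoked: both inputs are
embedded as samples so the script runs offline. Python 3.8+.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Verbatim from the error quoted in the original post.
FAILED_DEPS = """error: Failed dependencies:
        libdnet.1()(64bit) is needed by snort-1:2.9.6.2-1.x86_64
        libpcre.so.0()(64bit) is needed by snort-1:2.9.6.2-1.x86_64
"""

# Constructed sample standing in for `rpm -q --provides pcre libdnet` output.
# Assumption for illustration only: pcre exports libpcre.so.1, libdnet absent.
PROVIDES_SAMPLE = """libpcre.so.1()(64bit)
pcre = 8.32
pcre(x86-64) = 8.32
libz.so.1()(64bit)
"""

REQ_RE = re.compile(r"^\s*(?P<cap>\S+) is needed by (?P<pkg>\S+)\s*$")
# 'libpcre.so.0()(64bit)' -> lib='libpcre.so.0', ver='', arch='64bit'
CAP_RE = re.compile(r"^(?P<lib>[^()]+)\((?P<ver>[^)]*)\)(?:\((?P<arch>[^)]+)\))?$")
# 'libpcre.so.0' -> base='libpcre', major='0'; 'libdnet.1' -> base='libdnet', major='1'
SONAME_RE = re.compile(r"^(?P<base>lib[^.()]+?)(?:\.so)?(?:\.(?P<major>\d+))?$")


@dataclass(frozen=True)
class Finding:
    capability: str
    status: str   # "not installed" or "soname mismatch"
    detail: str


def parse_failed_deps(text: str) -> List[str]:
    """Return the capability names from an rpm 'Failed dependencies' block."""
    return [m.group("cap") for line in text.splitlines() if (m := REQ_RE.match(line))]


def parse_provides(text: str) -> Set[str]:
    """One capability per line, as `rpm -q --provides` prints them."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def soname_parts(cap: str) -> Optional[Tuple[str, str, str]]:
    """Split a shared-library capability into (base, arch, major); None otherwise."""
    m = CAP_RE.match(cap)
    if not m:
        return None
    s = SONAME_RE.match(m.group("lib"))
    if not s or s.group("major") is None:
        return None
    return s.group("base"), m.group("arch") or "", s.group("major")


def classify(failed_text: str, provides_text: str) -> List[Finding]:
    """For every unmet capability, say whether the library is missing outright
    or present under a different SONAME version (same base name and arch)."""
    provides = parse_provides(provides_text)
    by_base: Dict[Tuple[str, str], List[str]] = {}
    for cap in provides:
        p = soname_parts(cap)
        if p:
            by_base.setdefault((p[0], p[1]), []).append(cap)
    findings: List[Finding] = []
    for cap in parse_failed_deps(failed_text):
        if cap in provides:
            continue  # satisfied: rpm would not have listed it on a real host
        p = soname_parts(cap)
        alternatives = by_base.get((p[0], p[1]), []) if p else []
        if alternatives:
            findings.append(Finding(cap, "soname mismatch",
                                    "system provides " + ", ".join(sorted(alternatives))))
        else:
            findings.append(Finding(cap, "not installed",
                                    "no installed package provides this capability"))
    return findings


if __name__ == "__main__":
    for f in classify(FAILED_DEPS, PROVIDES_SAMPLE):
        print(f"{f.capability:24} {f.status:16} {f.detail}")
```

A "soname mismatch" finding means the RPM was built on a distribution with an older library ABI, and the usual remedies are rebuilding from the source RPM on the target system or installing a package built for that release; a "not installed" finding is solved by installing the library package itself, since the devel package alone does not add the runtime capability.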
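The http_header versus http_uri exchange in the quoted digest turns on which buffer a content match is bound to. As an added illustration (not Snort code and not from any post in the thread), the Python below splits a request into the three buffers under discussion and reports where a content string is found. Both sample requests are constructed from the thread: the GET /mail request reassembled from the quoted hex dump, and a minimal GET /test to www.anywebsite.com. It treats http_header as the header lines without the request line, which is why "test" in a /test path is found under http_uri but not under http_header; it also shows that in the /mail capture the string "google" occurs only in the Host header, so a content:"google"; http_uri rule has nothing to match in the URI buffer of that request. URI normalisation (http_uri versus http_raw_uri) is not modelled.

```python
"""Which Snort HTTP buffer would a content match land in?

Added illustration, not Snort code. Models three buffers a content keyword
can be bound to: the whole payload (no modifier), http_uri (request URI) and
http_header (header lines, request line excluded). Normalisation is not modelled.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample: the GET /mail request reassembled from the quoted hex dump.
MAIL_REQUEST = (
    b"GET /mail HTTP/1.1\r\n"
    b"User-Agent: Wget/1.13.4 (linux-gnu)\r\n"
    b"Accept: */*\r\n"
    b"Host: www.google.com\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
)

# Constructed sample for the "GET request to www.anywebsite.com/test" case.
TEST_REQUEST = (
    b"GET /test HTTP/1.1\r\n"
    b"Host: www.anywebsite.com\r\n"
    b"\r\n"
)

MODIFIERS = (None, "http_uri", "http_header")


@dataclass(frozen=True)
class HttpBuffers:
    method: bytes
    uri: bytes
    header: bytes    # header block only; the request line is not part of it
    payload: bytes   # the entire TCP payload, what an unmodified content sees


def split_request(payload: bytes) -> HttpBuffers:
    """Split a reassembled HTTP request into the buffers used for matching."""
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("end of headers not present: request not fully reassembled")
    request_line, _, header_block = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        raise ValueError(f"malformed request line: {request_line!r}")
    return HttpBuffers(method=parts[0], uri=parts[1], header=header_block, payload=payload)


def content_matches(payload: bytes, content: bytes,
                    modifier: Optional[str] = None, nocase: bool = False) -> bool:
    """True if `content` occurs in the buffer selected by `modifier`
    (None = whole payload, like a content with no http_* modifier)."""
    b = split_request(payload)
    buffers = {None: b.payload, "http_uri": b.uri, "http_header": b.header}
    if modifier not in buffers:
        raise ValueError(f"unsupported modifier {modifier!r}")
    hay, needle = buffers[modifier], content
    if nocase:  # Snort content is case-sensitive unless nocase is given
        hay, needle = hay.lower(), needle.lower()
    return needle in hay


def evaluate(payload: bytes, content: bytes) -> Dict[Optional[str], bool]:
    """Check the same content against every buffer; useful when a rule fires
    unmodified but not with http_uri/http_header, as in the thread."""
    return {m: content_matches(payload, content, m) for m in MODIFIERS}


if __name__ == "__main__":
    for label, req, content in (("GET /test", TEST_REQUEST, b"test"),
                                ("GET /mail", MAIL_REQUEST, b"google")):
        hits = {m or "(no modifier)": hit for m, hit in evaluate(req, content).items()}
        print(label, content, hits)
```

Run stand-alone it prints, for each constructed request, which of the three buffers contains the content; the design choice of keeping the request line out of the header buffer is what reproduces the behaviour described in the digest, where an unmodified content:"test" fires on a /test request and the http_header form does not.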