[Snort-users] File extraction during http/ftp transaction

Hui cao huica at ...589...
Wed Mar 11 11:39:51 EDT 2015


Have you done make clean before you do a make?

Best,
Hui.

On 03/11/2015 11:38 AM, Rishabh Shah wrote:
> Hi Hui,
>
> I am hitting the same issue while executing make. These are the 
> commands that I issued:
> root at ...17114...:~/snort_src/snort-2.9.7.0# ./configure --enable-file-inspect --enable-open-appid --enable-sourcefire
>
> root at ...17114...:~/snort_src/snort-2.9.7.0# make
>
>
> /root/snort_src/snort-2.9.7.0/src/plugbase.c:216: undefined reference 
> to `SetupAppId'
> detection-plugins/libspd.a(detection_options.o): In function 
> `detection_hash_free_func':
> /root/snort_src/snort-2.9.7.0/src/detection-plugins/detection_options.c:553: 
> undefined reference to `optionAppIdFree'
> detection-plugins/libspd.a(detection_options.o): In function 
> `detection_option_hash_func':
> /root/snort_src/snort-2.9.7.0/src/detection-plugins/detection_options.c:252: 
> undefined reference to `optionAppIdHash'
> detection-plugins/libspd.a(detection_options.o): In function 
> `detection_option_key_compare_func':
> /root/snort_src/snort-2.9.7.0/src/detection-plugins/detection_options.c:409: 
> undefined reference to `optionAppIdCompare'
> collect2: error: ld returned 1 exit status
> make[3]: *** [snort] Error 1
> make[3]: Leaving directory `/root/snort_src/snort-2.9.7.0/src'
> make[2]: *** [all-recursive] Error 1
> make[2]: Leaving directory `/root/snort_src/snort-2.9.7.0/src'
> make[1]: *** [all-recursive] Error 1
> make[1]: Leaving directory `/root/snort_src/snort-2.9.7.0'
> make: *** [all] Error 2
>
>
> On Wed, Mar 11, 2015 at 8:40 PM, Hui cao <huica at ...589...> wrote:
>
>     Hi Rishabh,
>
>     You need to add --enable-open-appid to your ./configure.
>
>     ./configure --enable-file-inspect --enable-open-appid
>
>     Best,
>     Hui.
>
>     On 03/11/2015 10:33 AM, Rishabh Shah wrote:
>>     Hi Joel,
>>
>>     Thanks for your prompt reply. I did a ./configure
>>     --enable-file-inspect and while executing make, I saw the
>>     following error messages:
>>
>>     /root/snort_src/snort-2.9.7.0/src/plugbase.c:216: undefined
>>     reference to `SetupAppId'
>>     detection-plugins/libspd.a(detection_options.o): In function
>>     `detection_hash_free_func':
>>     /root/snort_src/snort-2.9.7.0/src/detection-plugins/detection_options.c:553:
>>     undefined reference to `optionAppIdFree'
>>     detection-plugins/libspd.a(detection_options.o): In function
>>     `detection_option_hash_func':
>>     /root/snort_src/snort-2.9.7.0/src/detection-plugins/detection_options.c:252:
>>     undefined reference to `optionAppIdHash'
>>     detection-plugins/libspd.a(detection_options.o): In function
>>     `detection_option_key_compare_func':
>>     /root/snort_src/snort-2.9.7.0/src/detection-plugins/detection_options.c:409:
>>     undefined reference to `optionAppIdCompare'
>>     collect2: error: ld returned 1 exit status
>>     make[3]: *** [snort] Error 1
>>     make[3]: Leaving directory `/root/snort_src/snort-2.9.7.0/src'
>>     make[2]: *** [all-recursive] Error 1
>>     make[2]: Leaving directory `/root/snort_src/snort-2.9.7.0/src'
>>     make[1]: *** [all-recursive] Error 1
>>     make[1]: Leaving directory `/root/snort_src/snort-2.9.7.0'
>>     make: *** [all] Error 2
>>
>>     I am not sure why I am seeing those messages, as I do see references
>>     to the symbols named in the above errors:
>>
>>     root at ...17114...:~/snort_src/snort-2.9.7.0/src# grep -r "optionAppIdFree" .
>>     Binary file ./detection-plugins/detection_options.o matches
>>     Binary file ./detection-plugins/sp_appid.o matches
>>     ./detection-plugins/sp_appid.c:void
>>     optionAppIdFree(AppIdOptionData *optData)
>>     ./detection-plugins/sp_appid.c:  optionAppIdFree(optData);
>>     Binary file ./detection-plugins/libspd.a matches
>>     ./detection-plugins/detection_options.c:        optionAppIdFree(key->option_data);
>>     ./detection-plugins/sp_appid.h:void
>>     optionAppIdFree(AppIdOptionData *optData);
>>
>>
>>     I appended the following line in snort.conf:
>>     preprocessor file_inspect: type_id, signature, capture_disk
>>     /home/file_capture/tmp/, capture_queue_size 5000
>>
>>     While executing snort process, I got a core file with the
>>     following message:
>>
>>     File config:
>>         file type: ENABLED
>>         file signature: ENABLED
>>         file capture: ENABLED
>>         file capture directory: /home/file_capture/tmp/
>>         file capture disk size: 300 (Default) megabytes
>>         file sent to host: DISABLED (Default), port number: 0
>>
>>     Segmentation fault (core dumped)
>>
>>     The traceback of the core file points to:
>>
>>     root at ...17114...:~/snort_src# gdb snort -c core
>>     GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1
>>     Copyright (C) 2014 Free Software Foundation, Inc.
>>     License GPLv3+: GNU GPL version 3 or later
>>     <http://gnu.org/licenses/gpl.html>
>>     This is free software: you are free to change and redistribute it.
>>     There is NO WARRANTY, to the extent permitted by law.  Type "show
>>     copying"
>>     and "show warranty" for details.
>>     This GDB was configured as "x86_64-linux-gnu".
>>     Type "show configuration" for configuration details.
>>     For bug reporting instructions, please see:
>>     <http://www.gnu.org/software/gdb/bugs/>.
>>     Find the GDB manual and other documentation resources online at:
>>     <http://www.gnu.org/software/gdb/documentation/>.
>>     For help, type "help".
>>     Type "apropos word" to search for commands related to "word"...
>>     Reading symbols from snort...done.
>>
>>     warning: exec file is newer than core file.
>>     [New LWP 10904]
>>
>>     warning: .dynamic section for
>>     "/usr/local/lib/snort_dynamicengine/libsf_engine.so" is not at
>>     the expected address (wrong library or version mismatch?)
>>
>>     warning: .dynamic section for
>>     "/usr/local/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so"
>>     is not at the expected address (wrong library or version mismatch?)
>>     [Thread debugging using libthread_db enabled]
>>     Using host libthread_db library
>>     "/lib/x86_64-linux-gnu/libthread_db.so.1".
>>     Core was generated by `/usr/local/bin/snort -c
>>     /etc/snort/snort.conf -Q -i eth1:eth2 -l /var/log/snort'.
>>     Program terminated with signal SIGSEGV, Segmentation fault.
>>     #0  strlen () at ../sysdeps/x86_64/strlen.S:106
>>     106     ../sysdeps/x86_64/strlen.S: No such file or directory.
>>     (gdb) bt
>>     #0  strlen () at ../sysdeps/x86_64/strlen.S:106
>>     #1  0x00007f6ab63050a6 in appIdStatsInit
>>     (appFileName=0x7f6ab6628170 <config+16> "appstats-unified.log",
>>     statsPeriod=10, rolloverSize=20971520, rolloverPeriod=86400) at
>>     appIdStats.c:264
>>     #2  0x00007f6ab62fa2d0 in AppIdCommonInit (memcap=268435456) at
>>     commonAppMatcher.c:297
>>     #3  0x00007f6ab6303798 in AppIdInit (sc=0x1eb9770,
>>     args=0x1f516e0 "app_stats_filename appstats-unified.log,
>>     app_stats_period 10, app_detector_dir /usr/local/lib/openappid")
>>     at spp_appid.c:157
>>     #4  0x000000000042048e in InitVarTables (p=0x1eb9770) at
>>     parser.c:5728
>>     #5  0x000000000046c3d0 in CheckAppId (option_data=0x0, p=0x0) at
>>     sp_appid.c:342
>>     #6  0x0000000000000000 in ?? ()
>>     (gdb) Quit
>>
>>     I had installed openappid as well.
>>
>>
>>     On Wed, Mar 11, 2015 at 7:00 PM, Joel Esler (jesler)
>>     <jesler at ...589...> wrote:
>>
>>
>>>         On Mar 11, 2015, at 9:23 AM, Rishabh Shah
>>>         <rishabh420 at ...11827...> wrote:
>>>
>>>         Hi Snort Team,
>>>
>>>         Is it possible to extract any file during http/ftp
>>>         transactions? The HTTP preprocessor makes it possible to
>>>         read the HTTP URI/content. Does snort have the intelligence
>>>         to extract the file during any transfer?
>>>
>>
>>         Beginning with 2.9.6.0, Snort has had the ability to extract
>>         files from streams and write them to disk.
>>
>>         Check out the README: https://www.snort.org/faq/readme-file
>>
>>         --
>>         *Joel Esler*
>>         Open Source Manager
>>         Threat Intelligence Team Lead
>>         Talos Group
>>
>>
>>
>>
>>     -- 
>>     Regards,
>>     Rishabh Shah.
>>
>>
>>
>>
>>     _______________________________________________
>>     Snort-users mailing list
>>     Snort-users at lists.sourceforge.net
>>     Go to this URL to change user options or unsubscribe:
>>     https://lists.sourceforge.net/lists/listinfo/snort-users
>>     Snort-users list archive:
>>     http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>
>>     Please visit http://blog.snort.org to stay current on all the latest Snort news!
>
>
>
>
>
>
> -- 
> Regards,
> Rishabh Shah.

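An added example for the file_inspect capture_disk setup quoted in the thread (written here, not code from the thread or the Snort project): it audits the capture directory the way an analyst would before handing extracted samples on, re-hashing each file and comparing the digest with its file name, which is assumed to be the file's SHA-256 as the README describes, and checks the directory's size against the 300 MB default the startup banner reports. The sample files are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

# The thread leaves capture_disk size at the default the startup banner
# reports: "file capture disk size: 300 (Default) megabytes".
DEFAULT_DISK_LIMIT_MB = 300

def sha256_of(path: Path) -> str:
    """Stream-hash a captured file; captures can be large."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_capture_dir(capture_dir, disk_limit_mb=DEFAULT_DISK_LIMIT_MB):
    """Re-hash every captured file and compare the digest with its file name.

    Assumption: Snort names each captured file by its SHA-256 hex digest, so a
    mismatch means the file was renamed or altered after capture.
    """
    verified, mismatched, total = [], [], 0
    for p in sorted(Path(capture_dir).iterdir()):
        if not p.is_file():
            continue
        total += p.stat().st_size
        digest = sha256_of(p)
        if p.name.lower() == digest:
            verified.append(digest)
        else:
            mismatched.append((p.name, digest))
    return {
        "verified": verified,
        "mismatched": mismatched,
        "total_bytes": total,
        "over_limit": total >= disk_limit_mb * 1024 * 1024,
    }

def build_sample_capture_dir() -> str:
    """Constructed sample data: one correctly named capture, one renamed file."""
    d = Path(tempfile.mkdtemp(prefix="file_capture_"))
    payload = b"MZ\x90\x00constructed sample payload"
    (d / hashlib.sha256(payload).hexdigest()).write_bytes(payload)
    (d / "renamed.bin").write_bytes(b"other constructed content")
    return str(d)

if __name__ == "__main__":
    print(audit_capture_dir(build_sample_capture_dir()))
```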