<html><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><a href="http://www.snort.org/docs">http://www.snort.org/docs</a><div><br></div><div>There is an OpenBSD Install doc at the link above.</div><div><br></div><div><span style="font-size: 12px; font-family: 'Lucida Grande'; ">--</span><br><span style="font-size: 12px; font-family: 'Lucida Grande'; "><b>Joel Esler</b></span><br><span style="font-size: 12px; font-family: 'Lucida Grande'; ">Senior Research Engineer, VRT</span><br><span style="font-size: 12px; font-family: 'Lucida Grande'; ">OpenSource Community Manager</span><br><span style="font-size: 12px; font-family: 'Lucida Grande'; ">Sourcefire</span></div><div><font face="Lucida Grande"><br></font><div><div>On Dec 9, 2012, at 9:51 PM, Kaya Saman &lt;kayasaman@...11827...&gt; wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">
  
  
  <div text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">Thanks for the response!<br>
      <br>
      I tried installing Snort 2.9.3.1 with DAQ 1.1.1; however, upon
      running ./configure I got an error saying that libpcap library
      version &gt;= 1.0.0 not found<br>
      <br>
      Unfortunately since this seems to be unsupported on OpenBSD
      RELEASE I couldn't find any documentation on how to get over this
      hurdle.<br>
      <br>
      As such I wasn't quite sure what to do.<br>
      <br>
      <br>
      Regards,<br>
      <br>
      Kaya<br>
      <br>
      <br>
      On 12/10/2012 02:32 AM, Joel Esler wrote:<br>
    </div>
    <blockquote cite="mid:5E8CE3AF-8395-447B-9ABA-F43CC1502907@...1935..." type="cite">
      The first suggestion you'll probably receive from anyone,
      especially me, will be to upgrade.  I know 2.9.4.0 works on
      OpenBSD; I can't vouch for 2.8.6.
      <div><br>
      </div>
      <div><span style="font-size: 12px; font-family: 'Lucida Grande'; ">--</span><br>
        <span style="font-size: 12px; font-family: 'Lucida Grande'; "><b>Joel
            Esler</b></span><br>
        <span style="font-size: 12px; font-family: 'Lucida Grande'; ">Senior
          Research Engineer, VRT</span><br>
        <span style="font-size: 12px; font-family: 'Lucida Grande'; ">OpenSource
          Community Manager</span><br>
        <span style="font-size: 12px; font-family: 'Lucida Grande'; ">Sourcefire</span></div>
      <div><font face="Lucida Grande"><br>
        </font>
        <div>
          <div>On Dec 9, 2012, at 8:19 PM, Kaya Saman &lt;<a moz-do-not-send="true" href="mailto:kayasaman@...11827...">kayasaman@...11827...</a>&gt;
            wrote:</div>
          <br class="Apple-interchange-newline">
          <blockquote type="cite">Hi,<br>
            <br>
            I'm running Snort 2.8.6 on OpenBSD 5.2 sparc64 platform.<br>
            <br>
            My system is being used as a router/gateway/NAT/Firewall
            with multiple <br>
            VLANs, LACP and PPPoE for WAN connectivity.<br>
            <br>
            I'm running this particular version of Snort because it was
            built <br>
            directly from Ports meaning that it is supported (albeit
            out of date).<br>
            <br>
            (trunk0 is my LACP interface connected to my switch on ports
            bge2 and bge3)<br>
            <br>
            If I run: snort -i trunk0 -c /etc/snort/snort.conf<br>
            <br>
            or with -i set to any of my vlans I get the error: "bus
            error core dumped"<br>
            <br>
            <br>
            Rebuilding with debugging active I have traced the error to
            this:<br>
            <br>
            <br>
            cd /usr/ports/net/snort<br>
            FLAVOR="mysql flexresp" make clean<br>
            FLAVOR="mysql flexresp" make DEBUG=-g repackage reinstall<br>
            gdb `which snort`<br>
            set args -i trunk0 -c /etc/snort/snort.conf<br>
            run<br>
            <br>
            <br>
            Program received signal SIGBUS, Bus error.<br>
            0x0000000000149f64 in GetTimestamp (tvp=0x20bed8b3c, tz=0)
            at<br>
/usr/ports/pobj/snort-2.8.6-mysql-flexresp/snort-2.8.6/src/util.c:2657<br>
            2657        msec = tvp->tv_usec / 1000;<br>
            <br>
            <br>
            <br>
            (gdb) bt full<br>
            #0  0x0000000000149f64 in GetTimestamp (tvp=0x20bed8b3c,
            tz=0) at<br>
/usr/ports/pobj/snort-2.8.6-mysql-flexresp/snort-2.8.6/src/util.c:2657<br>
                     lt = (struct tm *) 0x0<br>
                     buf = 0x209c74660 ""<br>
                     msec = 74103168<br>
            #1  0x000000000016c30c in Database (p=0xffffffffffff76b0,<br>
            msg=0x208b39280 "ET P2P Vuze BT UDP Connection (5)",
            arg=0x20b75f880,<br>
            event=0x205cf6d64)<br>
                 at<br>
/usr/ports/pobj/snort-2.8.6-mysql-flexresp/snort-2.8.6/src/output-plugins/spo_database.c:1145<br>
                     data = (DatabaseData *) 0x20b75f880<br>
                     query = (SQLQuery *) 0x2046ab980<br>
                     root = (SQLQuery *) 0x2046ab980<br>
                     timestamp_string = 0x0<br>
                     insert_fields = 0x0<br>
                     insert_values = 0x0<br>
                     sig_name = 0x0<br>
                     sig_class = 0x0<br>
                     ref_system_name = 0x0<br>
                     ref_node_id_string = 0x0<br>
                     ref_tag = 0x0<br>
                     packet_data = 0x0<br>
                     packet_data_not_escaped = 0x0<br>
                     select0 = 0x0<br>
                     select1 = 0x0<br>
                     insert0 = 0x0<br>
                     i = 0<br>
                     insert_fields_len = 0<br>
                     insert_values_len = 21365344<br>
                     ok_transaction = 0<br>
                     ref_system_id = -2113895936<br>
                     ret = 0<br>
                     sig_id = 0<br>
                     ref_id = 0<br>
                     class_id = 0<br>
                     class_ptr = (ClassType *) 0x0<br>
                     refNode = (ReferenceNode *) 0x2033fd3c0<br>
                     sig_rev = '\0' &lt;repeats 15 times&gt;<br>
                     sig_sid = '\0' &lt;repeats 15 times&gt;<br>
                     sig_gid = '\0' &lt;repeats 15 times&gt;<br>
            #2  0x000000000014c62c in CallAlertFuncs
            (p=0xffffffffffff76b0,<br>
            message=0x208b39280 "ET P2P Vuze BT UDP Connection (5)",
            head=0x20e33eb00,<br>
                 event=0x205cf6d64) at<br>
/usr/ports/pobj/snort-2.8.6-mysql-flexresp/snort-2.8.6/src/detect.c:441<br>
                     idx = (OutputFuncNode *) 0x20a284080<br>
            #3  0x000000000014d744 in AlertAction (p=0xffffffffffff76b0,<br>
            otn=0x205cf6c00, event=0x205cf6d64)<br>
            <br>
            <br>
            <br>
            I am no expert at debugging programs and I'm not sure what
            is going on <br>
            other than there seems to be an issue with:<br>
            <br>
            GetTimeStamp in the util.c file<br>
            <br>
            <br>
            <br>
            Could anyone offer any assistance to get snort working?<br>
            <br>
            <br>
            I really would like to use the system as an IDS and already
            have set up <br>
            MySQL and BASE, so to get it working would be brilliant!<br>
            <br>
            <br>
            Regards,<br>
            <br>
            <br>
            Kaya<br>
            <br>
            _______________________________________________<br>
            Snort-users mailing list<br>
            <a class="moz-txt-link-abbreviated" href="mailto:Snort-users@lists.sourceforge.net">Snort-users@lists.sourceforge.net</a><br>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
  </div>

</blockquote></div><br></div></body></html>