Snort mailing list archives

daq/snort 2.9.0 on Solaris sparc ?
From: Luis <luis.mlists () gmail com>
Date: Wed, 6 Oct 2010 13:24:28 -0400

howdy,

two questions about snort 2.9.0 on sparc.


one on daq and another on an odd behavior of http_inspect and ftp_telnet
configuration..

the first,  about daq 0.2 compilation  was about some errors like the
following (see email thread below for complete list).



In file included from sf_gencode.c:87:
sll.h:86: error: syntax error before "u_int16_t"
sll.h:86: warning: no semicolon at end of struct or union
sll.h:87: warning: type defaults to `int' in declaration of `sll_hatype'
sll.h:87: error: ISO C forbids data definition with no type or storage class


Was finally able to compile by removing the following lines in sfbpf/sll.h

$ diff sll.h sll.h.orig
82,83c82,93
< #define SLL_HDR_LEN 16          /* total header length */
< #define SLL_ADDRLEN 8           /* length of address field */
---
#define SLL_HDR_LEN    16          /* total header length */
#define SLL_ADDRLEN    8           /* length of address field */

struct sll_header
{
    u_int16_t sll_pkttype;      /* packet type */
    u_int16_t sll_hatype;       /* link-layer address type */
    u_int16_t sll_halen;        /* link-layer address length */
    u_int8_t sll_addr[SLL_ADDRLEN]; /* link-layer address */
    u_int16_t sll_protocol;     /* protocol */
};
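
Review bot: dropping the whole `struct sll_header` definition (the lines after `---`, present only in sll.h.orig) silences the error without addressing its cause. The compiler stops at the first `u_int16_t` member, so it is the type names that are undeclared on this platform, not the struct. I would keep the struct and make the fixed-width types available instead, for example by using the C99 `uint16_t`/`uint8_t` names from <inttypes.h> or by adding typedefs for the `u_int*_t` names ahead of the struct, so that any sfbpf code that refers to `struct sll_header` still compiles.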



2nd question.  Are the http_inspect and ftp_telnet preprocessors related in
any way?    It seems that the configuration parsing may be mixing them up?
(or it may just be my configuration?).

When I enable ftp_telnet global, with the following on the conf file:

       preprocessor ftp_telnet: global inspection_type stateful check_encrypted encrypted_traffic no


 I get the following error:

ERROR: snort.conf(236) => Stateful HttpInspect processing is not yet available.  Please use stateless processing for now.
Fatal Error, Quitting..


why would the ftp_telnet configuration error with  'HttpInspect' .

if I set the ftp_telnet inspection to stateless, I get the following error:

ERROR: snort.conf(238) => Global configuration must contain an IIS Unicode Map configuration.  Use token 'iis_unicode_map'.
Fatal Error, Quitting..



Once again this error seems to be from http_inspect (as that directive is
set in that preproc)

If I completely remove (comment out) all ftp_telnet lines (global, server
and protocol), then snort starts up fine..


am I missing something here?


here's my snort version:
$ ../bin/snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.0 IPv6 GRE (Build 68)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
           Using PCRE version: 7.0 18-Dec-2006
           Using ZLIB version: 1.2.3


sections from snort.conf.  (ftp_telnet is commented out, as it is the only
way snort will start)..


...
# HTTP normalization and anomaly detection.  For more information, see README.http_inspect
preprocessor http_inspect: global \
        iis_unicode_map unicode.map 1252 \
        compress_depth 20480 decompress_depth 20480

preprocessor http_inspect_server: server default \
    chunk_length 500000 \
    server_flow_depth 0 \
    client_flow_depth 0 \
    post_depth 65495 \
        oversize_dir_length 500 \
    max_header_length 750 \
    max_headers 100 \
    ports { 80 311 591 593 901 1220 1414 2301 2381 2809 3128 3702 7777 7779 8000 8008 8028 8080 8118 8123 8180 8243 8280 8888 9443 9999 11371 } \
    non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
    enable_cookie \
    extended_response_inspection \
    inspect_gzip \
    apache_whitespace no \
    ascii no \
    bare_byte no \
        directory no \
        double_decode no \
        iis_backslash no \
        iis_delimiter no \
        iis_unicode no \
        multi_slash no \
        non_strict \
        u_encode yes \
        webroot no



...

#preprocessor ftp_telnet: global inspection_type stateful check_encrypted encrypted_traffic no

#preprocessor ftp_telnet: global inspection_type stateless

#preprocessor ftp_telnet_protocol: telnet \
#    ayt_attack_thresh 20 \
#    normalize ports { 23 } \
#    detect_anomalies
#preprocessor ftp_telnet_protocol: ftp server default \
#    def_max_param_len 100 \
#    ports { 21 2100 3535 } \
#    telnet_cmds yes \
#    ignore_telnet_erase_cmds yes \
#    ftp_cmds { ABOR ACCT ADAT ALLO APPE AUTH CCC CDUP } \
#    ftp_cmds { CEL CLNT CMD CONF CWD DELE ENC EPRT } \
#    ftp_cmds { EPSV ESTA ESTP FEAT HELP LANG LIST LPRT } \
#    ftp_cmds { LPSV MACB MAIL MDTM MIC MKD MLSD MLST } \
#    ftp_cmds { MODE NLST NOOP OPTS PASS PASV PBSZ PORT } \
#    ftp_cmds { PROT PWD QUIT REIN REST RETR RMD RNFR } \
#    ftp_cmds { RNTO SDUP SITE SIZE SMNT STAT STOR STOU } \
#    ftp_cmds { STRU SYST TEST TYPE USER XCUP XCRC XCWD } \
#    ftp_cmds { XMAS XMD5 XMKD XPWD XRCP XRMD XRSQ XSEM } \
#    ftp_cmds { XSEN XSHA1 XSHA256 } \
#    alt_max_param_len 0 { ABOR CCC CDUP ESTA FEAT LPSV NOOP PASV PWD QUIT REIN STOU SYST XCUP XPWD } \
#    alt_max_param_len 200 { ALLO APPE CMD HELP NLST RETR RNFR STOR STOU XMKD } \
#    alt_max_param_len 256 { CWD RNTO } \
#    alt_max_param_len 400 { PORT } \
#    alt_max_param_len 512 { SIZE } \
#    chk_str_fmt { ACCT ADAT ALLO APPE AUTH CEL CLNT CMD } \
#    chk_str_fmt { CONF CWD DELE ENC EPRT EPSV ESTP HELP } \
#    chk_str_fmt { LANG LIST LPRT MACB MAIL MDTM MIC MKD } \
#    chk_str_fmt { MLSD MLST MODE NLST OPTS PASS PBSZ PORT } \
#    chk_str_fmt { PROT REST RETR RMD RNFR RNTO SDUP SITE } \
#    chk_str_fmt { SIZE SMNT STAT STOR STRU TEST TYPE USER } \
#    chk_str_fmt { XCRC XCWD XMAS XMD5 XMKD XRCP XRMD XRSQ } \
#    chk_str_fmt { XSEM XSEN XSHA1 XSHA256 } \
#    cmd_validity ALLO < int [ char R int ] > \
#    cmd_validity EPSV < { char 12|string } > \
#    cmd_validity MACB < string > \
#    cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
#    cmd_validity MODE < char ASBCZ > \
#    cmd_validity PORT < host_port > \
#    cmd_validity PROT < char CSEP > \
#    cmd_validity STRU < char FRPO [ string ] > \
#    cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } >
#preprocessor ftp_telnet_protocol: ftp client default \
#    max_resp_len 256 \
#    bounce yes \
#    ignore_telnet_erase_cmds yes \
#    telnet_cmds yes




Thanks,


Luis






---------- Forwarded message ----------
From: Luis <luis.mlists () gmail com>
Date: Wed, Oct 6, 2010 at 11:26 AM
Subject: Re: [Snort-users] Fwd: daq/snort 2.9.0 on Solaris sparc ?
To: Joel Esler <jesler () sourcefire com>


Thanks, will try there, sorry for the noise :)




On Wed, Oct 6, 2010 at 11:20 AM, Joel Esler <jesler () sourcefire com> wrote:

The DAQ developers *are* on this list, however, the best bet for these
type of things is snort-devel.

Thanks.

Joel

On Oct 6, 2010, at 11:03 AM, Luis wrote:

sent this yesterday to snort-beta... trying snort-users to see if anyone
has had any luck..
(see below)

Luis

---------- Forwarded message ----------
From: Luis <luis.mlists () gmail com>
Date: Tue, Oct 5, 2010 at 2:05 PM
Subject: daq/snort 2.9.0 on Solaris sparc ?
To: snort-beta () sourcefire com


howdy:

does anyone know if the 2.9.0 snort can be compiled in Solaris (sparc?).

I'm currently stuck trying to compile the daq 0.2.  it errors at the
following:

In file included from sf_gencode.c:87:
sll.h:86: error: syntax error before "u_int16_t"
sll.h:86: warning: no semicolon at end of struct or union
sll.h:87: warning: type defaults to `int' in declaration of `sll_hatype'
sll.h:87: error: ISO C forbids data definition with no type or storage class
sll.h:88: error: syntax error before "sll_halen"
sll.h:88: warning: type defaults to `int' in declaration of `sll_halen'
sll.h:88: error: ISO C forbids data definition with no type or storage class
sll.h:89: error: syntax error before "sll_addr"
sll.h:89: warning: type defaults to `int' in declaration of `sll_addr'
sll.h:89: error: ISO C forbids data definition with no type or storage class
sll.h:90: error: syntax error before "sll_protocol"
sll.h:90: warning: type defaults to `int' in declaration of `sll_protocol'
sll.h:90: error: ISO C forbids data definition with no type or storage class
sll.h:91: warning: ISO C does not allow extra `;' outside of a function
*** Error code 1


any help would be appreciated.


Thanks


Luis


Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
