Snort mailing list archives
daq/snort 2.9.0 on Solaris sparc ?
From: Luis <luis.mlists () gmail com>
Date: Wed, 6 Oct 2010 13:24:28 -0400
howdy, two questions about snort 2.9.0 on sparc. one on daq and another on an odd behavior of http_inspect and ftp_telnet configuration..
the first, about daq 0.2 compilation was about some errors like the following (see email thread below for complete list).
In file included from sf_gencode.c:87:
sll.h:86: error: syntax error before "u_int16_t"
sll.h:86: warning: no semicolon at end of struct or union
sll.h:87: warning: type defaults to `int' in declaration of `sll_hatype'
sll.h:87: error: ISO C forbids data definition with no type or storage class
Was finally able to compile by removing the following lines in sfbpf/sll.h
$ diff sll.h sll.h.orig
82,83c82,93 < #define SLL_HDR_LEN 16 /* total header length */ < #define SLL_ADDRLEN 8 /* length of address field */ ---
#define SLL_HDR_LEN 16 /* total header length */
#define SLL_ADDRLEN 8 /* length of address field */
struct sll_header
{
u_int16_t sll_pkttype; /* packet type */
u_int16_t sll_hatype; /* link-layer address type */
u_int16_t sll_halen; /* link-layer address length */
u_int8_t sll_addr[SLL_ADDRLEN]; /* link-layer address */
u_int16_t sll_protocol; /* protocol */
};
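Review bot: Deleting the whole struct sll_header definition (the 82,83c82,93 change) silences the errors that start at sll.h:86 but does not fix their cause, which is that the compiler does not recognise the type name u_int16_t on this platform. With the struct gone, any code that refers to struct sll_header or its fields has no definition left. I would keep the struct and make the fixed-width types available instead, for example by declaring the members as uint16_t and uint8_t from <inttypes.h>, or by adding typedefs that map u_int16_t and u_int8_t onto those types before the struct is declared.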
2nd question. Are the http_inspect and ftp_telnet preprocessors related in
any way? It seems that the configuration parsing may be mixing them up?
(or it may just be my configuration?).
When I enable ftp_telnet global, with the following on the conf file:
preprocessor ftp_telnet: global inspection_type stateful check_encrypted encrypted_traffic no
I get the following error:
ERROR: snort.conf(236) => Stateful HttpInspect processing is not yet available. Please use stateless processing for now.
Fatal Error, Quitting..
Why would the ftp_telnet configuration error with 'HttpInspect'?
if I set the ftp_telnet inspection to stateless, I get the following error:
ERROR: snort.conf(238) => Global configuration must contain an IIS Unicode Map configuration. Use token 'iis_unicode_map'.
Fatal Error, Quitting..
Once again this error seems to be from http_inspect (as that directive is
set in that preproc)
If I completely remove (comment out) all ftp_telnet lines (global, server
and protocol), then snort starts up fine..
am I missing something here?
here's my snort version:
$ ../bin/snort -V
,,_ -*> Snort! <*-
o" )~ Version 2.9.0 IPv6 GRE (Build 68)
'''' By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
Copyright (C) 1998-2010 Sourcefire, Inc., et al.
Using PCRE version: 7.0 18-Dec-2006
Using ZLIB version: 1.2.3
sections from snort.conf. (ftp_telnet is commented out, as it is the only
way snort will start)..
...
# HTTP normalization and anomaly detection. For more information, see README.http_inspect
preprocessor http_inspect: global \
iis_unicode_map unicode.map 1252 \
compress_depth 20480 decompress_depth 20480
preprocessor http_inspect_server: server default \
chunk_length 500000 \
server_flow_depth 0 \
client_flow_depth 0 \
post_depth 65495 \
oversize_dir_length 500 \
max_header_length 750 \
max_headers 100 \
ports { 80 311 591 593 901 1220 1414 2301 2381 2809 3128 3702 7777 7779 8000 8008 8028 8080 8118 8123 8180 8243 8280 8888 9443 9999 11371 } \
non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
enable_cookie \
extended_response_inspection \
inspect_gzip \
apache_whitespace no \
ascii no \
bare_byte no \
directory no \
double_decode no \
iis_backslash no \
iis_delimiter no \
iis_unicode no \
multi_slash no \
non_strict \
u_encode yes \
webroot no
...
#preprocessor ftp_telnet: global inspection_type stateful check_encrypted encrypted_traffic no
#preprocessor ftp_telnet: global inspection_type stateless
#preprocessor ftp_telnet_protocol: telnet \
# ayt_attack_thresh 20 \
# normalize ports { 23 } \
# detect_anomalies
#preprocessor ftp_telnet_protocol: ftp server default \
# def_max_param_len 100 \
# ports { 21 2100 3535 } \
# telnet_cmds yes \
# ignore_telnet_erase_cmds yes \
# ftp_cmds { ABOR ACCT ADAT ALLO APPE AUTH CCC CDUP } \
# ftp_cmds { CEL CLNT CMD CONF CWD DELE ENC EPRT } \
# ftp_cmds { EPSV ESTA ESTP FEAT HELP LANG LIST LPRT } \
# ftp_cmds { LPSV MACB MAIL MDTM MIC MKD MLSD MLST } \
# ftp_cmds { MODE NLST NOOP OPTS PASS PASV PBSZ PORT } \
# ftp_cmds { PROT PWD QUIT REIN REST RETR RMD RNFR } \
# ftp_cmds { RNTO SDUP SITE SIZE SMNT STAT STOR STOU } \
# ftp_cmds { STRU SYST TEST TYPE USER XCUP XCRC XCWD } \
# ftp_cmds { XMAS XMD5 XMKD XPWD XRCP XRMD XRSQ XSEM } \
# ftp_cmds { XSEN XSHA1 XSHA256 } \
# alt_max_param_len 0 { ABOR CCC CDUP ESTA FEAT LPSV NOOP PASV PWD QUIT REIN STOU SYST XCUP XPWD } \
# alt_max_param_len 200 { ALLO APPE CMD HELP NLST RETR RNFR STOR STOU XMKD } \
# alt_max_param_len 256 { CWD RNTO } \
# alt_max_param_len 400 { PORT } \
# alt_max_param_len 512 { SIZE } \
# chk_str_fmt { ACCT ADAT ALLO APPE AUTH CEL CLNT CMD } \
# chk_str_fmt { CONF CWD DELE ENC EPRT EPSV ESTP HELP } \
# chk_str_fmt { LANG LIST LPRT MACB MAIL MDTM MIC MKD } \
# chk_str_fmt { MLSD MLST MODE NLST OPTS PASS PBSZ PORT } \
# chk_str_fmt { PROT REST RETR RMD RNFR RNTO SDUP SITE } \
# chk_str_fmt { SIZE SMNT STAT STOR STRU TEST TYPE USER } \
# chk_str_fmt { XCRC XCWD XMAS XMD5 XMKD XRCP XRMD XRSQ } \
# chk_str_fmt { XSEM XSEN XSHA1 XSHA256 } \
# cmd_validity ALLO < int [ char R int ] > \
# cmd_validity EPSV < { char 12|string } > \
# cmd_validity MACB < string > \
# cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
# cmd_validity MODE < char ASBCZ > \
# cmd_validity PORT < host_port > \
# cmd_validity PROT < char CSEP > \
# cmd_validity STRU < char FRPO [ string ] > \
# cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } >
#preprocessor ftp_telnet_protocol: ftp client default \
# max_resp_len 256 \
# bounce yes \
# ignore_telnet_erase_cmds yes \
# telnet_cmds yes
Thanks,
Luis
---------- Forwarded message ----------
From: Luis <luis.mlists () gmail com>
Date: Wed, Oct 6, 2010 at 11:26 AM
Subject: Re: [Snort-users] Fwd: daq/snort 2.9.0 on Solaris sparc ?
To: Joel Esler <jesler () sourcefire com>
Thanks, will try there, sorry for the noise :)
On Wed, Oct 6, 2010 at 11:20 AM, Joel Esler <jesler () sourcefire com> wrote:
The DAQ developers *are* on this list, however, the best bet for these type of things is snort-devel.
Thanks.
Joel
On Oct 6, 2010, at 11:03 AM, Luis wrote:
sent this yesterday to snort-beta... trying snort-users to see if anyone has had any luck.. (see below)
Luis
---------- Forwarded message ----------
From: Luis <luis.mlists () gmail com>
Date: Tue, Oct 5, 2010 at 2:05 PM
Subject: daq/snort 2.9.0 on Solaris sparc ?
To: snort-beta () sourcefire com
howdy:
does anyone know if the 2.9.0 snort can be compiled in Solaris (sparc?). I'm currently stuck trying to compile the daq 0.2. it errors at the following:
In file included from sf_gencode.c:87:
sll.h:86: error: syntax error before "u_int16_t"
sll.h:86: warning: no semicolon at end of struct or union
sll.h:87: warning: type defaults to `int' in declaration of `sll_hatype'
sll.h:87: error: ISO C forbids data definition with no type or storage class
sll.h:88: error: syntax error before "sll_halen"
sll.h:88: warning: type defaults to `int' in declaration of `sll_halen'
sll.h:88: error: ISO C forbids data definition with no type or storage class
sll.h:89: error: syntax error before "sll_addr"
sll.h:89: warning: type defaults to `int' in declaration of `sll_addr'
sll.h:89: error: ISO C forbids data definition with no type or storage class
sll.h:90: error: syntax error before "sll_protocol"
sll.h:90: warning: type defaults to `int' in declaration of `sll_protocol'
sll.h:90: error: ISO C forbids data definition with no type or storage class
sll.h:91: warning: ISO C does not allow extra `;' outside of a function
*** Error code 1
any help would be appreciated.
Thanks
Luis
