Snort 3 notes
From: Y M via Snort-devel <snort-devel () lists snort org>
Date: Sun, 11 Mar 2018 14:07:42 +0000
Hello,
I have been working with Snort 3 via a git clone recently and have documented some observations/questions along the
way. Please don't take these as complaints 😊. I have put these into one email to reduce chatter. The Snort 3 version I
am working with is at the end of this post.
# ---------
- Compiling Snort 3 from source with cmake on FreeBSD 11 generates the below error (cmake logs are attached). However,
compilation with automake/autoconf works as expected. In a recent post on the list, it was mentioned that automake
may eventually be removed.
-- Looking for iconv_open
-- Looking for iconv_open - found
-- Performing Test ICONV_COMPILES
-- Performing Test ICONV_COMPILES - Failed
CMake Error at cmake/FindICONV.cmake:130 (MESSAGE):
Unable to determine iconv() signature
Call Stack (most recent call first):
cmake/include_libraries.cmake:25 (find_package)
CMakeLists.txt:17 (include)
-- Configuring incomplete, errors occurred!
# ----------
- Does the Reputation inspector support multiple blacklist/whitelist entries? For example, using the below reputation
configuration for single-list entries
reputation =
{
    blacklist = BLACK_LIST_PATH .. '/ip-blacklist',
    whitelist = WHITE_LIST_PATH .. '/ip-whitelist'
}
Snort prints out the status of the IP lists processing as follows:
...
Processing blacklist file /usr/local/snort/etc/snort/../../intel/ip-blacklist
Reputation entries loaded: 1544, invalid: 0, re-defined: 0 (from file
/usr/local/snort/etc/snort/../../intel/ip-blacklist)
Processing whitelist file /usr/local/snort/etc/snort/../../intel/ip-whitelist
Reputation entries loaded: 0, invalid: 0, re-defined: 0 (from file /usr/local/snort/etc/snort/../../intel/ip-whitelist)
...
However, using Snort 2.x syntax or the below configuration for multiple list entries per category,
reputation =
{
    blacklist =
    {
        BLACK_LIST_PATH .. '/ip-blacklist',
        BLACK_LIST_PATH .. '/ip-blk'
    },
    whitelist = WHITE_LIST_PATH .. '/ip-whitelist'
}
Snort generates the warning message copied below:
WARNING: reputation: can't find any whitelist/blacklist entries; disabled.
I also tried with [[ multiline string ]] syntax, which does not appear to be an accepted format.
# -----
- The file_id inspector does not appear to have graylist/blacklist options. Does the file_policy[] item substitute
these options?
# -----
- Some sections in the online documentation reference the use of --warn-unknown. This option appears to be not available
anymore? For example, it is referenced in the Tips section of the online manual, under the "Lua Configuration" section;
however, using the option returns "unknown option".
# /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua --warn-unknown
ERROR: unknown option --warn-unknown
FATAL: see prior 1 errors
Fatal Error, Quitting..
# -----
- Using wrong syntax for configuring the daq module as below, Snort silently accepts the wrong syntax and, as
expected, does not apply the configuration. This was tested with --warn-all. This can be overlooked sometimes.
daq =
{
    module_dirs = '/usr/local/lib/daq',
    -- must enclose module with quotes
    module = afpacket,
}
# -----
- While listed as an optional requirement, safec does not appear to compile successfully on FreeBSD 11, and generates the
below error. Is it safe to ignore safec, or is there a workaround that we can attempt?
In file included from ../include/safe_lib.h:58:0,
from safeclib/safeclib_private.h:91,
from safeclib/safe_mem_constraint.c:33:
../include/safe_mem_lib.h:87:16: error: conflicting types for 'memset_s'
extern errno_t memset_s(void *dest, rsize_t dmax, uint8_t value);
^~~~~~~~
In file included from safeclib/safeclib_private.h:70:0,
from safeclib/safe_mem_constraint.c:33:
/usr/include/string.h:158:9: note: previous declaration of 'memset_s' was here
errno_t memset_s(void *, rsize_t, int, rsize_t);
^~~~~~~~
*** Error code 1
Stop.
make[2]: stopped in /root/sources/libsafec-10052013/src
*** Error code 1
Stop.
make[1]: stopped in /root/sources/libsafec-10052013
*** Error code 1
Thanks for reading thus far.
YM
Snort 3 version:
# /usr/local/snort/bin/snort -V
,,_ -*> Snort++ <*-
o" )~ Version 3.0.0 (Build 243) from 2.9.11
'''' By Martin Roesch & The Snort Team
http://snort.org/contact#team
Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using DAQ version 2.2.2
Using LuaJIT version 2.0.5
Using OpenSSL 1.0.2k-fips 26 Jan 2017
Using libpcap version 1.8.1
Using PCRE version 8.41 2017-07-05
Using ZLIB version 1.2.7
Using FlatBuffers 1.8.0
Using Hyperscan version 4.7.0 2018-03-05
Using LZMA version 5.2.2
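The daq observation above comes down to Lua semantics: an unquoted afpacket is a read of an undefined global, which yields nil, so the module key is never set and the loader has nothing to warn about. The following is an added example (not from this post or the Snort project) that loads such a config chunk in plain Lua 5.1/LuaJIT or 5.2+ and shows the silent outcome beside a strict-globals guard that turns the typo into a load-time error; whether the guard can be applied inside Snort's own Lua environment is an assumption not tested here.

```lua
-- Load a config chunk into its own environment table and return it.
-- With strict=true, any read of an undefined name (such as the bare word
-- 'afpacket') raises an error instead of quietly evaluating to nil.
local function load_config(src, strict)
  local env = {}
  if strict then
    setmetatable(env, { __index = function(_, name)
      error("undefined identifier '" .. tostring(name) .. "' (missing quotes?)", 2)
    end })
  end
  local chunk, err
  if setfenv then                                   -- Lua 5.1 / LuaJIT
    chunk, err = loadstring(src, "config")
    if chunk then setfenv(chunk, env) end
  else                                              -- Lua 5.2+
    chunk, err = load(src, "config", "t", env)
  end
  if not chunk then return nil, err end
  local ok, perr = pcall(chunk)
  if not ok then return nil, perr end
  return env
end

-- Constructed sample mirroring the mis-typed daq block from the post.
local bad = [[
daq =
{
    module_dirs = '/usr/local/lib/daq',
    module = afpacket,   -- unquoted: a global lookup that returns nil
}
]]

-- Without the guard: no error at all, and daq.module is simply absent.
local env = assert(load_config(bad, false))
print("daq.module =", env.daq.module)             -- nil

-- With the guard: the same chunk fails at the offending line.
local _, err = load_config(bad, true)
print("strict mode:", err)
```

A real config that reads predefined names (paths such as BLACK_LIST_PATH, or functions like include) would need those populated in env before the strict metatable is attached, otherwise the guard reports them as well.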
Attachments: CMakeError.log, CMakeOutput.log