Re: Snort 3 notes

[Russ via Snort-devel <snort-devel () lists snort org>]

Thanks for reporting the issues.  Comments below.

Russ

On 3/11/18 10:07 AM, Y M via Snort-devel wrote:
> Hello,
>
>
> I have been working with Snort 3 via a git clone recently and have 
> documented some observations/questions along the way. Please don't 
> take these as complaints 😊. I have put these into one email to reduce 
> chatter. The Snort 3 version I am working with is at the end of this post.
Feedback is good.  :)
> # ---------
>
> - Compiling Snort 3 from source with cmake on FreeBSD 11 generates the 
> below error (cmake logs are attached). However, compilation with 
> automake/autoconf works as expected. In a recent post on the list, it 
> was mentioned that automake maybe eventually removed.
Autofoo will be gone with the next update on Monday or Tuesday. I've got 
an unusual install of iconv that leads to similar errors. You can try 
adding this to your configure_cmake.sh command line:

--define=ICONV_ACCEPTS_NONCONST_INPUT:BOOL=true

Let us know if that works.  Either way, I think we need to do more for this.

> -- Looking for iconv_open
> -- Looking for iconv_open - found
> -- Performing Test ICONV_COMPILES
> -- Performing Test ICONV_COMPILES - Failed
> CMake Error at cmake/FindICONV.cmake:130 (MESSAGE):
>   Unable to determine iconv() signature
> Call Stack (most recent call first):
>   cmake/include_libraries.cmake:25 (find_package)
>   CMakeLists.txt:17 (include)
> -- Configuring incomplete, errors occurred!
> # ----------
> - Does the Reputation inspector support multiple blacklist/whitelist 
> entries? For example, using the below reputation configuration for 
> single-list entries
Not at present.  We can update to support multiple as does 2.X Snort.
> reputation =
> {
>     blacklist = BLACK_LIST_PATH .. '/ip-blacklist',
>     whitelist = WHITE_LIST_PATH .. '/ip-whitelist'
> }
>
> Snort prints out the status of the IP lists processing as follows:
> ...
> Processing blacklist file 
> /usr/local/snort/etc/snort/../../intel/ip-blacklist
> Reputation entries loaded: 1544, invalid: 0, re-defined: 0 (from file 
> /usr/local/snort/etc/snort/../../intel/ip-blacklist)
> Processing whitelist file 
> /usr/local/snort/etc/snort/../../intel/ip-whitelist
> Reputation entries loaded: 0, invalid: 0, re-defined: 0 (from file 
> /usr/local/snort/etc/snort/../../intel/ip-whitelist)
> ...
> However, using Snort 2.x syntax or the below configuration for 
> multiple list entries per category,
> reputation =
> {
>     blacklist =
>     {
>         BLACK_LIST_PATH .. '/ip-blacklist',
>         BLACK_LIST_PATH .. '/ip-blk'
>     },
>     whitelist = WHITE_LIST_PATH .. '/ip-whitelist'
> }
>
> Snort generates the warning message copied below:
> WARNING: reputation: can't find any whitelist/blacklist entries; disabled.
>
> I also tried with [[ multiline string ]] syntax, which does not appear 
> to be an accepted format.
>
> # -----
>
> - The file_id inspector does not appear to have graylist/blacklist 
> options. Does the file_policy[] item substitute these options?
Yes.  Does that work for you?  If you are getting a list of SHAs from 
somewhere it could be useful to have those 2.X options as well.
> # -----
> - Some sections in the online documentation reference the use of 
> --warn-unknown. This option appears to be no available anymore? For 
> example, in the Tips section of the online manual, under the "Lua 
> Configuration" section, however using the option returns unknown options.
Oops.  That option was deleted because it wasn't working as intended and 
an easy fix wasn't apparent.  We will get the docs updated.
> # /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua 
> --warn-unknown
> ERROR: unknown option --warn-unknown
> FATAL: see prior 1 errors
> Fatal Error, Quitting..
>
> # -----
> - Using a wrong syntax for configuring the daq module as below, Snort 
> silently accepts the wrong syntax, and as expected, Snort does not 
> apply the configuration. This was tested with --warn-all. This can be 
> overlooked sometimes.
Yep, this is one of the unfortunate pitfalls of using Lua for 
configuration. Since the afpacket symbol is nil, the item is not set in 
the table and Snort has no way of knowing about it.  It is just how Lua 
works.  Hopefully these cases are obvious enough to catch. This issue 
and others are listed in the manual under "Gotchas".
> daq =
> {
>     module_dirs = '/usr/local/lib/daq',
>     -- must enclose module with quotes
>     module = afpacket,
> }
>
> # -----
>
> - While listed as an optional requirement, safec does appear to 
> compile successfully on FreeBSD 11, and generates the below error. Is 
> it safe to ignore safec or is there a workaround that we can attempt?
It is safe to ignore.  We aren't yet using it heavily.  You can disable 
for now but we'll look into this error.  Seems like safec needs tweaking.
> In file included from ../include/safe_lib.h:58:0,
>                  from safeclib/safeclib_private.h:91,
>                  from safeclib/safe_mem_constraint.c:33:
> ../include/safe_mem_lib.h:87:16: error: conflicting types for 'memset_s'
>  extern errno_t memset_s(void *dest, rsize_t dmax, uint8_t value);
>                 ^~~~~~~~
> In file included from safeclib/safeclib_private.h:70:0,
>                  from safeclib/safe_mem_constraint.c:33:
> /usr/include/string.h:158:9: note: previous declaration of 'memset_s' 
> was here
>  errno_t memset_s(void *, rsize_t, int, rsize_t);
>          ^~~~~~~~
> *** Error code 1
> Stop.
> make[2]: stopped in /root/sources/libsafec-10052013/src
> *** Error code 1
> Stop.
> make[1]: stopped in /root/sources/libsafec-10052013
> *** Error code 1
>
> Thanks for reading thus far.
> YM
>
> Snort 3 version:
> # /usr/local/snort/bin/snort -V
>    ,,_     -*> Snort++ <*-
>   o"  )~   Version 3.0.0 (Build 243) from 2.9.11
>    ''''    By Martin Roesch & The Snort Team
>            http://snort.org/contact#team
>            Copyright (C) 2014-2018 Cisco and/or its affiliates. All 
> rights reserved.
>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>            Using DAQ version 2.2.2
>            Using LuaJIT version 2.0.5
>            Using OpenSSL 1.0.2k-fips  26 Jan 2017
>            Using libpcap version 1.8.1
>            Using PCRE version 8.41 2017-07-05
>            Using ZLIB version 1.2.7
>            Using FlatBuffers 1.8.0
>            Using Hyperscan version 4.7.0 2018-03-05
>            Using LZMA version 5.2.2
>
>
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel () lists snort org
> https://lists.snort.org/mailman/listinfo/snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!

_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!