Snort mailing list archives
Re: Building snort
From: Todd Wease <twease () sourcefire com>
Date: Wed, 14 May 2008 10:05:43 -0400
Do you have the following option in your snort.conf:

config enable_decode_oversized_alerts

This should be the option that enables that alert. Still, I'm guessing that something else is wrong. What kind of OS are you running on?

Jon Urionaguena wrote:
> Thanks Todd,
>
> The output I'm using is:
>
> output log_unified: filename snort, limit 9000
>
> Which, in my system, logs text to an alert file, and binary format to snort.log. Both files are growing too fast. The alert one is the one I can "normally" read (text), that's why I suppose that the origin of this warning is the one that makes snort log every packet in the unified format. I may be making a big mistake... I will change the output and have a look at the logs in a tcpdump format reader (aka wireshark) and give more feedback.
>
>> It should read that the IP datagram length is greater than the pcap captured length from the IP header on.
>
> We have the option "config disable_decode_alerts" set... Could it be an error with the pf_ring and modified libpcap implementation we are using?
>
>> Are you specifying a snaplen to snort?
>
> No, I'm not. The thing is that a 2.7 binary works ok (seems to...) with the same config file and same startup options. That's why I'm supposing that the error is not in the config, but in the binaries... Maybe a compilation option. Don't know any.
>
> Regards,
> Jon
>
> Todd Wease wrote:
>> Hello Jon,
>>
>> This message is actually wrong:
>>
>> "[**] [116:6:1] (snort_decoder) WARNING: IP dgm len > IP Hdr len! [**]"
>>
>> It should read that the IP datagram length is greater than the pcap captured length from the IP header on. Also, you shouldn't see messages like that in a unified file and I'm not sure any postprocessor would show the data that way. Sounds like you're just looking at a text alert file. Are you specifying a snaplen to snort? If so, remove it. If not, try logging in tcpdump mode and look at the resulting snort.log.<timestamp> in Wireshark and see what those packets look like.
>>
>> Todd
>>
>> Jon Urionaguena wrote:
>>> Hi all,
>>>
>>> I am building a high speed IDS system trying to use pfring extensions, with libpcap modified. I'm trying to work with unified output format. Kernel is built ok. New libpcap seems ok too.
>>>
>>> When I build snort (downloaded 2.7 and 2.8.1), I try to make it static, building against the libpcap.a just generated. All I can see is that the resulting binary does not give any dependence (ldd) against any libpcap. So I launch it... But the unified file format it generates is wrong because it's full of messages of this kind:
>>>
>>> "[**] [116:6:1] (snort_decoder) WARNING: IP dgm len > IP Hdr len! [**]"
>>>
>>> Even if we have the option to avoid these messages in snort.conf. I guess I get a message for each packet we receive... The logs get enormous (50 Mbps link) and without any value. Any hint?? Any other data I should supply?
>>>
>>> On the other side, I have an old snort binary linked to the modified libpcap (that's what ldd says...) that seems to work ok (loads pfring on startup and gives normal alerts), but I compiled it before we had the pfring change (kernel and new libpcaps)??? It shouldn't work this way.
>>>
>>> Building snort has been a strange experience for me, because I get too many issues I cannot fully understand... The flags I try to pass to the configure script never seem to do anything... I'm going crazy.
>>>
>>> Thanks in advance,
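Todd's correction above (the alert really means the IP total length exceeds the bytes libpcap actually captured after the link-layer header, the symptom of a too-small snaplen) can be checked outside Snort. The script below is an added example written for this archive page; it is not Snort's decoder and not code from anyone in the thread. It assumes an Ethernet-framed, IPv4-only capture, builds a small constructed pcap in memory (one complete packet, one truncated to a 96-byte snaplen, one with a bogus IP total length), and classifies each record with the two length comparisons the alert text and Todd's explanation refer to. The function names (`check_ipv4_lengths`, `summarize`, `sample_capture`) are hypothetical.

```python
import struct

# Constructed pcap file constants (libpcap classic format); not a real capture.
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETH_HDR_LEN = 14


def _ipv4_packet(payload_len, total_len_override=None, ihl=5):
    """Build an Ethernet + IPv4 + payload frame. total_len_override lets the
    IP total-length field disagree with the bytes that are really present."""
    ip_hdr_len = ihl * 4
    total_len = ip_hdr_len + payload_len if total_len_override is None else total_len_override
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    ver_ihl = (4 << 4) | ihl
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto (UDP), checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, 0x1234, 0, 64, 17,
                     0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    ip += b"\x00" * (ip_hdr_len - 20)  # option padding when ihl > 5
    return eth + ip + b"A" * payload_len


def build_pcap(records, snaplen=65535):
    """records: list of (wire_bytes, caplen). Each packet is cut to caplen,
    the way a small snaplen truncates it, while orig_len keeps the wire size."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, (pkt, caplen) in enumerate(records):
        data = pkt[:caplen]
        out += struct.pack("<IIII", 1210000000 + i, 0, len(data), len(pkt)) + data
    return out


def iter_pcap(buf):
    """Yield (captured_bytes, incl_len, orig_len) for each record."""
    magic = struct.unpack("<I", buf[:4])[0]
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap")
    off = 24
    while off + 16 <= len(buf):
        _ts_sec, _ts_usec, incl_len, orig_len = struct.unpack("<IIII", buf[off:off + 16])
        off += 16
        yield buf[off:off + incl_len], incl_len, orig_len
        off += incl_len


def check_ipv4_lengths(pkt, caplen):
    """Decoder-style verdict for one Ethernet/IPv4 frame:
    'dgm_len_lt_hdr_len'  IP total length < IP header length (what the alert
                          text literally says);
    'dgm_len_gt_caplen'   IP total length > bytes captured after the Ethernet
                          header (what Todd says the alert really means);
    'ok', 'short' or 'not_ipv4' otherwise."""
    if caplen < ETH_HDR_LEN + 20:
        return "short"
    if pkt[12:14] != b"\x08\x00":
        return "not_ipv4"
    ver_ihl = pkt[ETH_HDR_LEN]
    if ver_ihl >> 4 != 4:
        return "not_ipv4"
    ip_hdr_len = (ver_ihl & 0x0F) * 4
    ip_total_len = struct.unpack("!H", pkt[ETH_HDR_LEN + 2:ETH_HDR_LEN + 4])[0]
    ip_bytes_captured = caplen - ETH_HDR_LEN
    if ip_total_len < ip_hdr_len:
        return "dgm_len_lt_hdr_len"
    if ip_total_len > ip_bytes_captured:
        return "dgm_len_gt_caplen"
    return "ok"


def summarize(buf):
    """Count verdicts over a whole capture; a capture where nearly every
    record is 'dgm_len_gt_caplen' points at snaplen/truncation, not at traffic."""
    counts = {}
    for pkt, caplen, _orig in iter_pcap(buf):
        verdict = check_ipv4_lengths(pkt, caplen)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


def sample_capture():
    """Constructed three-packet capture used for the demonstration."""
    full = _ipv4_packet(200)  # 14 + 20 + 200 = 234 bytes on the wire
    return build_pcap([
        (full, len(full)),                                # complete packet
        (full, 96),                                       # cut by a 96-byte snaplen
        (_ipv4_packet(0, total_len_override=8), 34),      # bogus IP total length
    ])


if __name__ == "__main__":
    print(summarize(sample_capture()))
```

Running it prints one record in each category. Pointing `iter_pcap` at a real snort.log.<timestamp> written in tcpdump mode (the check Todd suggests) would show whether almost every record lands in `dgm_len_gt_caplen`, which is the signature of a capture path handing Snort fewer bytes than the IP header promises.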
Current thread:
- Building snort Jon Urionaguena (May 14)
- Re: Building snort Todd Wease (May 14)
- Re: Building snort Jon Urionaguena (May 14)
- Re: Building snort Todd Wease (May 14)
- Re: Building snort Jon Urionaguena (May 14)
- Re: Building snort Jon Urionaguena (May 14)
- Re: Building snort Todd Wease (May 14)