Snort mailing list archives
Re: daq/snort 2.9.0 on Solaris sparc ?
From: Steven Sturges <steve.sturges () sourcefire com>
Date: Wed, 06 Oct 2010 17:21:20 -0400
Hi Luis--

For the ftp_telnet/http question, another thing is to double check
that there are no extraneous line-continuation markers in either
the http or ftp config lines. It almost sounds like the http config
is still being parsed when it gets to the ftp lines.

Cheers
-steve

On 10/6/2010 3:03 PM, Russ Combs wrote:
> On Wed, Oct 6, 2010 at 1:24 PM, Luis <luis.mlists () gmail com> wrote:
> > howdy,
> >
> > two questions about snort 2.9.0 on sparc. one on daq and another on an
> > odd behavior of http_inspect and ftp_telnet configuration..
> >
> > the first, about daq 0.2 compilation was about some errors like the
> > following (see email thread below for complete list).
> >
> > In file included from sf_gencode.c:87:
> > sll.h:86: error: syntax error before "u_int16_t"
> > sll.h:86: warning: no semicolon at end of struct or union
> > sll.h:87: warning: type defaults to `int' in declaration of `sll_hatype'
> > sll.h:87: error: ISO C forbids data definition with no type or storage class
> >
> > Was finally able to compile by removing the following lines in sfbpf/sll.h
> >
> > $ diff sll.h sll.h.orig
> > 82,83c82,93 < #define SLL_HDR_LEN 16 /* total header length */ < #define SLL_ADDRLEN 8 /* length of address field */ ---#define SLL_HDR_LEN 16 /* total header length */ #define SLL_ADDRLEN 8 /* length of address field */ struct sll_header { u_int16_t sll_pkttype; /* packet type */ u_int16_t sll_hatype; /* link-layer address type */ u_int16_t sll_halen; /* link-layer address length */ u_int8_t sll_addr[SLL_ADDRLEN]; /* link-layer address */ u_int16_t sll_protocol; /* protocol */ };
>
> Thanks for reporting this. We'll look into it.
>
> > 2nd question. Are the http_inspect and ftp_telnet preprocessors related
> > in any way? It seems that the configuration parsing may be mixing them
> > up? (or it may just be my configuration?).
>
> No - at least they shouldn't be. It sounds like maybe you have an old ftp
> so registering as http? Definitely weird. Did you uninstall the old
> dynamic preprocessors first? Have you tried changing the order of
> preprocessor configs in your conf (http, ftp and then ftp, http)?
>
> > When I enable ftp_telnet global, with the following on the conf file:
> >
> > preprocessor ftp_telnet: global inspection_type stateful check_encrypted encrypted_traffic no
> >
> > I get the following error:
> >
> > ERROR: snort.conf(236) => Stateful HttpInspect processing is not yet available.
> > Please use stateless processing for now.
> > Fatal Error, Quitting..
> >
> > why would the ftp_telnet configuration error with 'HttpInspect' .
> >
> > if I set the ftp_telnet inspection to stateless, I get the following error:
> >
> > ERROR: snort.conf(238) => Global configuration must contain an IIS Unicode Map configuration. Use token 'iis_unicode_map'.
> > Fatal Error, Quitting..
> >
> > Once again this error seems to be from http_inspect (as that directive
> > is set in that preproc)
> >
> > If I completely remove (comment out) all ftp_telnet lines (global,
> > server and protocol), then snort starts up fine..
> >
> > am I missing something here?
> >
> > here's my snort version:
> >
> > $ ../bin/snort -V
> >
> >    ,,_     -*> Snort! <*-
> >   o"  )~   Version 2.9.0 IPv6 GRE (Build 68)
> >    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
> >            Copyright (C) 1998-2010 Sourcefire, Inc., et al.
> >            Using PCRE version: 7.0 18-Dec-2006
> >            Using ZLIB version: 1.2.3
> >
> > sections from snort.conf. (ftp_telnet is commented out, as it is the
> > only way snort will start)..
> >
> > ...
> > # HTTP normalization and anomaly detection. For more information, see README.http_inspect
> > preprocessor http_inspect: global \
> >     iis_unicode_map unicode.map 1252 \
> >     compress_depth 20480 decompress_depth 20480
> > preprocessor http_inspect_server: server default \
> >     chunk_length 500000 \
> >     server_flow_depth 0 \
> >     client_flow_depth 0 \
> >     post_depth 65495 \
> >     oversize_dir_length 500 \
> >     max_header_length 750 \
> >     max_headers 100 \
> >     ports { 80 311 591 593 901 1220 1414 2301 2381 2809 3128 3702 7777 7779 8000 8008 8028 8080 8118 8123 8180 8243 8280 8888 9443 9999 11371 } \
> >     non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
> >     enable_cookie \
> >     extended_response_inspection \
> >     inspect_gzip \
> >     apache_whitespace no \
> >     ascii no \
> >     bare_byte no \
> >     directory no \
> >     double_decode no \
> >     iis_backslash no \
> >     iis_delimiter no \
> >     iis_unicode no \
> >     multi_slash no \
> >     non_strict \
> >     u_encode yes \
> >     webroot no
> > ...
> > #preprocessor ftp_telnet: global inspection_type stateful check_encrypted encrypted_traffic no
> > #preprocessor ftp_telnet: global inspection_type stateless
> > #preprocessor ftp_telnet_protocol: telnet \
> > #    ayt_attack_thresh 20 \
> > #    normalize ports { 23 } \
> > #    detect_anomalies
> > #preprocessor ftp_telnet_protocol: ftp server default \
> > #    def_max_param_len 100 \
> > #    ports { 21 2100 3535 } \
> > #    telnet_cmds yes \
> > #    ignore_telnet_erase_cmds yes \
> > #    ftp_cmds { ABOR ACCT ADAT ALLO APPE AUTH CCC CDUP } \
> > #    ftp_cmds { CEL CLNT CMD CONF CWD DELE ENC EPRT } \
> > #    ftp_cmds { EPSV ESTA ESTP FEAT HELP LANG LIST LPRT } \
> > #    ftp_cmds { LPSV MACB MAIL MDTM MIC MKD MLSD MLST } \
> > #    ftp_cmds { MODE NLST NOOP OPTS PASS PASV PBSZ PORT } \
> > #    ftp_cmds { PROT PWD QUIT REIN REST RETR RMD RNFR } \
> > #    ftp_cmds { RNTO SDUP SITE SIZE SMNT STAT STOR STOU } \
> > #    ftp_cmds { STRU SYST TEST TYPE USER XCUP XCRC XCWD } \
> > #    ftp_cmds { XMAS XMD5 XMKD XPWD XRCP XRMD XRSQ XSEM } \
> > #    ftp_cmds { XSEN XSHA1 XSHA256 } \
> > #    alt_max_param_len 0 { ABOR CCC CDUP ESTA FEAT LPSV NOOP PASV PWD QUIT REIN STOU SYST XCUP XPWD } \
> > #    alt_max_param_len 200 { ALLO APPE CMD HELP NLST RETR RNFR STOR STOU XMKD } \
> > #    alt_max_param_len 256 { CWD RNTO } \
> > #    alt_max_param_len 400 { PORT } \
> > #    alt_max_param_len 512 { SIZE } \
> > #    chk_str_fmt { ACCT ADAT ALLO APPE AUTH CEL CLNT CMD } \
> > #    chk_str_fmt { CONF CWD DELE ENC EPRT EPSV ESTP HELP } \
> > #    chk_str_fmt { LANG LIST LPRT MACB MAIL MDTM MIC MKD } \
> > #    chk_str_fmt { MLSD MLST MODE NLST OPTS PASS PBSZ PORT } \
> > #    chk_str_fmt { PROT REST RETR RMD RNFR RNTO SDUP SITE } \
> > #    chk_str_fmt { SIZE SMNT STAT STOR STRU TEST TYPE USER } \
> > #    chk_str_fmt { XCRC XCWD XMAS XMD5 XMKD XRCP XRMD XRSQ } \
> > #    chk_str_fmt { XSEM XSEN XSHA1 XSHA256 } \
> > #    cmd_validity ALLO < int [ char R int ] > \
> > #    cmd_validity EPSV < { char 12|string } > \
> > #    cmd_validity MACB < string > \
> > #    cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
> > #    cmd_validity MODE < char ASBCZ > \
> > #    cmd_validity PORT < host_port > \
> > #    cmd_validity PROT < char CSEP > \
> > #    cmd_validity STRU < char FRPO [ string ] > \
> > #    cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } >
> > #preprocessor ftp_telnet_protocol: ftp client default \
> > #    max_resp_len 256 \
> > #    bounce yes \
> > #    ignore_telnet_erase_cmds yes \
> > #    telnet_cmds yes
> >
> > Thanks,
> > Luis
> >
> > ---------- Forwarded message ----------
> > From: Luis <luis.mlists () gmail com>
> > Date: Wed, Oct 6, 2010 at 11:26 AM
> > Subject: Re: [Snort-users] Fwd: daq/snort 2.9.0 on Solaris sparc ?
> > To: Joel Esler <jesler () sourcefire com>
> >
> > Thanks, will try there, sorry for the noise :)
> >
> > On Wed, Oct 6, 2010 at 11:20 AM, Joel Esler <jesler () sourcefire com> wrote:
> > > The DAQ developers *are* on this list, however, the best bet for
> > > these type of things is snort-devel.
> > >
> > > Thanks.
> > >
> > > Joel
> > >
> > > On Oct 6, 2010, at 11:03 AM, Luis wrote:
> > > > sent this yesterday to snort-beta... trying snort-users to see if
> > > > anyone has had any luck.. (see below)
> > > >
> > > > Luis
> > > >
> > > > ---------- Forwarded message ----------
> > > > From: Luis <luis.mlists () gmail com>
> > > > Date: Tue, Oct 5, 2010 at 2:05 PM
> > > > Subject: daq/snort 2.9.0 on Solaris sparc ?
> > > > To: snort-beta () sourcefire com
> > > >
> > > > howdy:
> > > >
> > > > does anyone know if the 2.9.0 snort can be compiled in Solaris
> > > > (sparc?). I'm currently stuck trying to compile the daq 0.2.
> > > > it errors at the following:
> > > >
> > > > In file included from sf_gencode.c:87:
> > > > sll.h:86: error: syntax error before "u_int16_t"
> > > > sll.h:86: warning: no semicolon at end of struct or union
> > > > sll.h:87: warning: type defaults to `int' in declaration of `sll_hatype'
> > > > sll.h:87: error: ISO C forbids data definition with no type or storage class
> > > > sll.h:88: error: syntax error before "sll_halen"
> > > > sll.h:88: warning: type defaults to `int' in declaration of `sll_halen'
> > > > sll.h:88: error: ISO C forbids data definition with no type or storage class
> > > > sll.h:89: error: syntax error before "sll_addr"
> > > > sll.h:89: warning: type defaults to `int' in declaration of `sll_addr'
> > > > sll.h:89: error: ISO C forbids data definition with no type or storage class
> > > > sll.h:90: error: syntax error before "sll_protocol"
> > > > sll.h:90: warning: type defaults to `int' in declaration of `sll_protocol'
> > > > sll.h:90: error: ISO C forbids data definition with no type or storage class
> > > > sll.h:91: warning: ISO C does not allow extra `;' outside of a function
> > > > *** Error code 1
> > > >
> > > > any help would be appreciated.
> > > >
> > > > Thanks
> > > > Luis
> > > >
> > > > ------------------------------------------------------------------------------
> > > > Beautiful is writing same markup. Internet Explorer 9 supports
> > > > standards for HTML5, CSS3, SVG 1.1, ECMAScript5, and DOM L2 & L3.
> > > > Spend less time writing and rewriting code and more time creating great
> > > > experiences on the web. Be a part of the beta today.
> > > > http://p.sf.net/sfu/beautyoftheweb
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users () lists sourceforge net
> > > > Go to this URL to change user options or unsubscribe:
> > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
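
One way to run the check suggested at the top of this message (look for extraneous line-continuation markers in the http and ftp config lines), as an added example that is not code from the thread or from Snort. The function name, the directive keyword list and the sample config are assumptions made for the illustration; the sample is constructed, modelled on the snort.conf excerpt quoted above.

```python
# Heuristic list of keywords that begin a new top-level snort.conf statement
# (assumption for this example, not taken from Snort's parser).
DIRECTIVES = ("preprocessor", "config", "var", "ipvar", "portvar",
              "include", "output", "dynamicpreprocessor", "dynamicengine")

def find_runaway_continuations(conf_text):
    """Return (line_no, start_line_no, reason) for every physical line that a
    trailing backslash on the previous line pulls into an earlier statement."""
    findings = []
    start = None        # line where the current logical statement began
    continued = False   # did the previous physical line end with a backslash?
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.rstrip()          # tolerate trailing blanks after the '\'
        body = line.lstrip()
        if continued:
            first = body.split(None, 1)[0].rstrip(":") if body else ""
            if not body:
                findings.append((no, start, "blank line inside continuation"))
            elif first in DIRECTIVES:
                findings.append((no, start, f"'{first}' swallowed by continuation"))
        else:
            if body.startswith("#"):
                continue             # a comment that starts a statement is ignored
            start = no
        continued = line.endswith("\\")
    return findings

# Constructed sample: the backslash after "webroot no" is extraneous, so the
# ftp_telnet line is read as more http_inspect_server arguments.
SAMPLE = """\
preprocessor http_inspect: global \\
    iis_unicode_map unicode.map 1252 \\
    compress_depth 20480 decompress_depth 20480
preprocessor http_inspect_server: server default \\
    ports { 80 8080 } \\
    webroot no \\
preprocessor ftp_telnet: global inspection_type stateless
"""

if __name__ == "__main__":
    for line_no, start_no, reason in find_runaway_continuations(SAMPLE):
        print(f"line {line_no}: {reason} (statement began on line {start_no})")
```

A finding on an ftp_telnet line whose statement began at an http_inspect line matches the symptom reported in the thread, where enabling ftp_telnet produces HttpInspect errors.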
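
Review bot: the sfbpf/sll.h workaround quoted in this message (the 82,83c82,93 change) drops the whole struct sll_header definition rather than dealing with the type the compiler rejects. Every error in the build log follows from sll.h:86: error: syntax error before "u_int16_t", which points to u_int16_t and u_int8_t not being declared at the point where sll.h is included on this platform. Keeping the struct and making those two types visible before it (by including the header that declares them, or by using the C99 names uint16_t and uint8_t) would keep the definition available to any code that relies on this header layout.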
Current thread:
- Fwd: daq/snort 2.9.0 on Solaris sparc ? Luis (Oct 06)
- Re: Fwd: daq/snort 2.9.0 on Solaris sparc ? Joel Esler (Oct 06)
- Message not available
- Message not available
- daq/snort 2.9.0 on Solaris sparc ? Luis (Oct 06)
- Re: daq/snort 2.9.0 on Solaris sparc ? Russ Combs (Oct 06)
- Re: daq/snort 2.9.0 on Solaris sparc ? Steven Sturges (Oct 06)
- Message not available
- Fwd: daq/snort 2.9.0 on Solaris sparc ? Luis (Oct 06)
- Message not available
- Re: Fwd: daq/snort 2.9.0 on Solaris sparc ? Joel Esler (Oct 06)