Luis | 9 Feb 21:43

Initial Patches to compile snort 2.9.2 in Solaris

Hi all:

Following on this thread, I attempted to make a 'patch' to compile snort 2.9.2 on Solaris (SPARC). Attached.

Did a brief test of uncompressing the original tar file, applying the patch, then configure and gmake. It seems to work. (I had to exclude the Makefiles and other files that get changed by the build process. Also, I did not compile with --enable-ipv6, by the way. Not yet...)

Also, to compile the DAQ, here's a patch (also attached) of a small config change made to compile daq-0.6.2 as well.


Again, hope it helps someone. :)


Luis


On Thu, Feb 2, 2012 at 10:04 AM, Luis <luis.mlists <at> gmail.com> wrote:
Yes, I concur with your opinions, but I haven't quite given up yet.. :)

Snort used to compile cleanly up to version 2.8, but since 2.9 it has had many issues that apparently have not been solved yet. Not sure if that is because there are very few people running on Solaris, or, like the link posted, people just fix their problems but don't ask to have the changes incorporated into the snort build.

I've got snort 2.9.2 running on SPARC on a test system and am going through 'tuning' the new features right now...

The problem is not only with snort, by the way; barnyard2 also has its issues (sent an email to the barnyard2 list, but haven't gotten any feedback yet). So until I can get it compiled, I'm still using old, crusty barnyard, which seems to do the job.

Unfortunately, going away from SPARC/Solaris is not an option for us at this time, so we'll keep on trying...

:-)

Thanks for the comment.


Luis


On Tue, Jan 31, 2012 at 5:15 PM, Castle, Shane <scastle <at> bouldercounty.org> wrote:
I am not one of the Snort developers, but I have some experience and an opinion on this topic, so here goes.

I could not get earlier versions of Snort to compile correctly on Solaris. Period. If it successfully finished the make process, the resulting file(s) would not run correctly. So, I don't run Solaris any more.

YMMV but I gave up.

--
Shane Castle
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH


-----Original Message-----
From: Luis [mailto:luis.mlists <at> gmail.com]
Sent: Tuesday, January 31, 2012 14:41
To: snort-devel <at> lists.sourceforge.net
Subject: [Snort-devel] request for changes to compile snort in Solaris

Howdy:

Just went through compiling snort 2.9.2 for Solaris SPARC and wanted to make a request to make the necessary changes so that 'configure' will work.

As you can probably deduce, I'm no developer... Googling found this link:

http://bookmarklust.blogspot.com/2011/11/snort-2912-on-solaris-10x86.html

Followed the instructions (to add #include "sf_types.h" to a bunch of files) and it seemed to work. Compiled and created a binary. :-)

Is there a way that this can be done with autoconf (configure) on Solaris?


Thanks.


Luis




Attachment (snort-2.9.2.solaris-trimmed.patch): application/octet-stream, 18 KiB
Attachment (daq-0.6.2.solaris.patch): application/octet-stream, 482 bytes
------------------------------------------------------------------------------
Virtualization & Cloud Management Using Capacity Planning
Cloud computing makes use of virtualization - but cloud computing 
also focuses on allowing computing to be delivered as a service.
http://www.accelacomm.com/jaw/sfnl/114/51521223/
_______________________________________________
Snort-devel mailing list
Snort-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
Luis | 9 Feb 22:09

Initial patches for compiling snort 2.9.2 and daq 0.6.2 on Solaris

Howdy:

Attempted to make 'patch' files to compile snort 2.9.2 on Solaris (SPARC). Attached.

Did a brief test of uncompressing the original tar file, applying the patch, then configure and gmake. It seems to work. (I had to exclude the Makefiles and other files that get changed by the build process. Also, I did not compile with --enable-ipv6, by the way. Not yet...)

Also, to compile the DAQ, here's a patch (also attached) of a small config change made to compile daq-0.6.2 as well.

Is there a way to incorporate this into the build process for snort?

Please let me know if the patches are in the right format.

I plan to also (eventually) compile on Solaris x86, time permitting...


Hope it helps someone. :)


Luis

Attachment (snort-2.9.2.solaris-trimmed.patch): application/octet-stream, 18 KiB
Attachment (daq-0.6.2.solaris.patch): application/octet-stream, 482 bytes
Sangwoo Moon | 7 Feb 18:30

Re: Multiprocessing Snort with PF_RING DAQ (DNA enabled)

Hi, thanks for your reply.

I'm transmitting TCP packets with the payload 'No_attack' at a random position in the packet; the rest of the payload is filled with null characters.
I checked performance by calling gettimeofday() in the packet callback function and printing the number each second.

--Sangwoo

On 2012-02-07 5:10 PM, 김무성 wrote:

I think that it's because it depends on the kind of traffic.

What packet did the generator send?

And how did you check performance?

From: Sangwoo Moon [mailto:swmoon <at> lanada.kaist.ac.kr]
Sent: Saturday, February 04, 2012 1:59 PM
To: snort-devel <at> lists.sourceforge.net
Subject: [Snort-devel] Multiprocessing Snort with PF_RING DAQ (DNA enabled)


Hi,

I'm Sangwoo Moon from Korea.

I'm trying to use multiple Snort processes on top of the PF_RING DAQ with DNA enabled.

I'm using an Intel 82599EB 10-Gigabit NIC for packet reception, and I'm using Snort version 2.9.2.1.
I have an Intel Xeon CPU which has 12 cores.

I loaded the DNA driver (ixgbe-3.6.7-DNA) and affinitized each IRQ onto its own core.
Then I ran 12 Snort processes with the following bash script. (The '-j' option in Snort is one I added for CPU affinitization; 'snort -j 0' means run the Snort process on core 0.)

==============================================

#!/bin/bash
# Start one Snort process per core; each reads its own DNA ring (dna2@N)
# and is pinned to core N with the poster's custom -j option.
for i in `seq 0 1 10`
do
    sudo snort -c etc/snort.conf --daq-dir=/usr/local/lib/daq/ --daq pfring -i dna2@$i -j $i > out/snort_$i.out &
done
# The twelfth instance runs in the foreground on core 11.
sudo snort -c etc/snort.conf --daq-dir=/usr/local/lib/daq/ --daq pfring -i dna2@11 -j 11 > out/snort11.out

==============================================

I ran a high speed packet generator on the other side with 1500 B packets, and I got some performance numbers.

Sniffing only: 1.11 Gbps total
Analyzing with HTTP rule-sets: 4.6 Gbps total

I configured sniffing mode with an immediately returning packet callback function, and analyzing mode with the full HTTP-related rule sets.

I just don't understand why analyzing mode is faster than sniffing mode. Are there any mistakes or misconfigurations that I made?

I'll be waiting for your response.

Thanks and best regards,
--Sangwoo Moon



-- -Sangwoo
Sangwoo Moon | 4 Feb 05:58

Multiprocessing Snort with PF_RING DAQ (DNA enabled)

Hi,

I'm Sangwoo Moon from Korea.

I'm trying to use multiple Snort processes on top of the PF_RING DAQ with DNA enabled.

I'm using an Intel 82599EB 10-Gigabit NIC for packet reception, and I'm using Snort version 2.9.2.1.
I have an Intel Xeon CPU which has 12 cores.

I loaded the DNA driver (ixgbe-3.6.7-DNA) and affinitized each IRQ onto its own core.
Then I ran 12 Snort processes with the following bash script. (The '-j' option in Snort is one I added for CPU affinitization; 'snort -j 0' means run the Snort process on core 0.)

==============================================

#!/bin/bash
# Start one Snort process per core; each reads its own DNA ring (dna2@N)
# and is pinned to core N with the poster's custom -j option.
for i in `seq 0 1 10`
do
    sudo snort -c etc/snort.conf --daq-dir=/usr/local/lib/daq/ --daq pfring -i dna2@$i -j $i > out/snort_$i.out &
done
# The twelfth instance runs in the foreground on core 11.
sudo snort -c etc/snort.conf --daq-dir=/usr/local/lib/daq/ --daq pfring -i dna2@11 -j 11 > out/snort11.out

==============================================

I ran a high speed packet generator on the other side with 1500 B packets, and I got some performance numbers.

Sniffing only: 1.11 Gbps total
Analyzing with HTTP rule-sets: 4.6 Gbps total

I configured sniffing mode with an immediately returning packet callback function, and analyzing mode with the full HTTP-related rule sets.

I just don't understand why analyzing mode is faster than sniffing mode. Are there any mistakes or misconfigurations that I made?

I'll be waiting for your response.

Thanks and best regards,
--Sangwoo Moon
Michael R Gilliam | 2 Feb 17:45

2.9.2-1 - Missing Alerts in Unified2 - Partial Alert in Unified

Has anyone experienced an issue that occurs when having output directed to two destinations, both unified format and unified2 format: there are partial alerts that show up in the unified file (alert, but no packet/session data) and the alert and packet/session data are completely missing from the unified2 file? Otherwise, for the most part (99% of the time), all alerts and packet/session data match.

Running snort 2.9.2-1
daq 0.6.2


The snort.conf output is set up as:
output unified2: filename snort.log, limit 128
output alert_unified:filename /var/log/snort/log2.alert, limit 128
output log_unified: filename /var /log/snort/log2.log, limit 128

Thanks,
Mike

Martin Schütte | 2 Feb 23:24

how to release a Snort IPv6 plugin?


Hello,
are there best practices to publish a Snort plugin? In particular for
getting a GID and possibly an SID range assigned? Or even to
contribute a new module to Snort?

As part of an ongoing research project I have written an IPv6 plugin
for Snort. It includes a dynamic preprocessor to track IPv6 neighbor
discovery messages, and it implements some additional rule options to
check IPv6 header fields.
The source is available at: https://github.com/mschuett/spp_ipv6

-- 
Martin Schütte
Anju Jyothish | 2 Feb 23:21

Doubt in development

Hi,

I have a question. How do the packets know which DFA table to consult for pattern matching? Apparently the packet data structure does not hold any group id.

Thanks,
Anju
romain | 31 Jan 09:36

Access to the raw data of packets from SFSnortPacket structure

Hello,

I would like to develop a snort preprocessor that requires access to the raw data of a packet, as an array of bytes for example. With this preprocessor, I have access to the SFSnortPacket structure, but I couldn't find the right field in this structure that points to the data. I was thinking of pkt_data, but according to my tests, it does not seem to be that.

Do you have any suggestions?

Thanks,
Romain


Luis | 31 Jan 22:41

request for changes to compile snort in Solaris

Howdy:

Just went through compiling snort 2.9.2 for Solaris SPARC and wanted to make a request to make the necessary changes so that 'configure' will work.

As you can probably deduce, I'm no developer... Googling found this link:

http://bookmarklust.blogspot.com/2011/11/snort-2912-on-solaris-10x86.html

Followed the instructions (to add #include "sf_types.h" to a bunch of files) and it seemed to work. Compiled and created a binary. :-)

Is there a way that this can be done with autoconf (configure) on Solaris?


Thanks.


Luis

beenph | 23 Jan 10:53

Announce Unified2 Anonymiser v0.9.0b u2_anon

Greetings everyone,

I am happy to announce the beta release of u2_anon.

u2_anon is a tool that allows you to "share" anonymized unified2 files to help debug issues or share some results without compromising some information. u2_anon will not modify the unified2 file/files used as source, but it will create a copy of the source unified2 with anonymized data that can be shared.

I strongly suggest that you run u2_anon on files that are not currently being written by snort, since it will not "spool" unified2 files like barnyard2 or other unified2 readers can do.

u2_anon has 4 different anonymity levels:

 [-eE:] [Anonymize Event]
     - Will set source and destination IPs of the EVENT to ipv4 "127.0.0.1", ipv6 "::ffff:127.0.0.1"

 [-lL:] [Anonymize LinkLayer (ethernet)]
     - Will set source MAC to AA:AA:AA:AA:AA:AA and dst MAC to BB:BB:BB:BB:BB:BB

 [-pP:] [Anonymize Packet data]
     - Will zero out packet payload

 [-xX:] [Anonymize Extra DATA event]
     - Will set IP information to "loopback" and extra data "data" will be zeroed.

u2_anon can work on a single file or a directory containing multiple files.

Note that u2_anon is still beta and a few features will be added along the way; if you have comments, suggestions or bugs/issues, feel free to let me know.

You can download it directly from here: https://github.com/binf/u2_anon/tags

Happy unified2 anonymization!

-Eric Lauzon


Zhuxian | 21 Jan 03:09

For the command line option --alert-before-pass, is it deprecated or not?

Hi,

For the command line option --alert-before-pass, is it deprecated or not?

It only influences the order in snort_conf->rule_lists. But for PORT_GROUP, such as sc->prmTcpRTNX->prmSrcPort[i], the order has no effect on the building algorithm or on the rule matching algorithm in fpEvalHeaderSW(). For the event selection logic in fpFinalSelectEvent() and sfeventq_action(), I also did not find any logic for this option.

Regards,

Kurt.

