[Snortsam-discussion] Snortsam Password mismatch! error
Keith Mitchell
the.keithm at gmail.com
Tue May 6 16:16:00 EDT 2008
Thank you Mark.
That gives me a definitive answer I have been unable to Google.
Mark Clift wrote:
> I believe your problem is due to the x64 environment. The encryption
> routines are not compatible with x64 and that would cause the password
> problems you are describing.
>
> Frank had this to say a few weeks ago in this list
>
> " The Snort->Snortsam communication does not function properly on 64-bit
> systems. This is a known issue, but not easily fixed. The problem is in
> the TwoFish encryption routines which only work on 32-bit systems. I
> looked at it briefly a couple years back and it doesn't look like there
> is an easy fix for it.
>
> So, currently you are limited to running Snort/Snortsam in a 32-bit
> environment.
>
> Regards,
> Frank "
>
>
> And this, which includes a possible workaround:
>
>
> " The problem that Snortsam's TwoFish code doesn't work on 64-bit systems
> is probably that it was derived from other code. I have not tested, nor
> seen, the original Java-based Trustix code. Folks from Farm9 converted
> it from Java to C++, and I converted their code to C. Somewhere along
> those lines modifications may have taken place that assumed that the CPU
> is 32 bit. There is a fair amount of bit-shifting going on which assumes
> 32-bit. The implementation just doesn't work on 64-bit due to the shifting.
>
> I looked over it at some time to see if there was an easy location to
> quickly pinpoint that might be the cause for the failures, but couldn't
> find any. Someone with time on their hands, and a 64-bit system, is
> welcome to debug the TwoFish code to see where the problem might be.
>
> Until then, you can probably hack the functions that Snortsam calls such
> that they don't encrypt/decrypt at all, and just pass the data on
> unmodified. You'll lose encryption on the wire, but at least you could
> get it to run on 64-bit.
>
> When Snortsam assembles/disassembles its packets, there's also
> bit-shifting going on, but I think that should work fine. (Again, since
> I don't have a 64-bit system, I can't test it).
>
> An alternative approach might be to instruct your C-compiler to treat
> longs as 32 bit vars.
>
> Regards,
> Frank "
>
>
>
> Best Regards,
>
> Mark
>
> -----Original Message-----
> From: snortsam-discussion-bounces at snortsam.net
> [mailto:snortsam-discussion-bounces at snortsam.net] On Behalf Of Keith
> Mitchell
> Sent: Tuesday, May 06, 2008 2:29 PM
> To: snortsam-discussion at snortsam.net
> Subject: [Snortsam-discussion] Snortsam Password mismatch! error
>
> Hi-
> I've been a successful SnortSam user for about 5 years now.
>
> Just upgraded my IDS to Snort 2.8.1 running on Fedora Core 8 kernel
> 2.6.21.7-2.fc8xen in an x64 environment.
>
> I've tried running Snortsam 2.55 using both a patched Snort 2.8.1
> with the
> http://www.snortsam.net/files/snort-2.8-plugin/snortsam-2.8.0.1.diff
> (making sure to correct the errors in the resulting .rej files) and
> Barnyard-0.2.0 patched with
> http://www.snortsam.net/files/barnyard-plugin/barnyard-snortsam-patch.gz
> .
>
> Both produce the "Password mismatch! Ignoring host" error when I
> start either the patched Snort or the patched Barnyard.
>
> I've tried changing the password in the snortsam.conf / snort.conf /
> barnyard.conf files (making sure they match in all places), but am
> unable to get either snort or barnyard to connect to snortsam.
>
> Is there anything I can try by way of troubleshooting to resolve the
> situation?
>
> Keith Mitchell
> CTO
> Productivity Associates, Inc.
> keithm at gotopai.com
>
> _______________________________________________
> Snortsam-discussion mailing list
> Snortsam-discussion at snortsam.net
> http://lists.snortsam.net/mailman/listinfo/snortsam-discussion
>
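The class of defect Frank describes in the quoted text (bit-shifting that assumes a 32-bit `long`), shown as an added example that is not part of the thread and is not Snortsam's TwoFish code. The rotate and the toy mixing rounds are constructed for illustration; the names `rol_long`, `rol_u32`, `mix_long` and `mix_u32` are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Rotate written for ILP32, where unsigned long is 32 bits. On LP64
   (x86-64 Linux) unsigned long is 64 bits, so bits shifted past bit 31
   are kept instead of being discarded. */
static unsigned long rol_long(unsigned long x, unsigned n)
{
    return (x << n) | (x >> (32 - n));
}

/* Same rotate with a fixed-width type: identical on 32- and 64-bit builds. */
static uint32_t rol_u32(uint32_t x, unsigned n)
{
    n &= 31;
    return n ? (uint32_t)((x << n) | (x >> (32 - n))) : x;
}

/* Toy mixing rounds (constructed, not TwoFish) standing in for the
   rotate/xor/add steps of a cipher's key schedule. */
static unsigned long mix_long(unsigned long v)
{
    for (int i = 1; i <= 4; i++)
        v = rol_long(v, (unsigned)i) ^ (v + 0x9E3779B9UL);
    return v;
}

static uint32_t mix_u32(uint32_t v)
{
    for (int i = 1; i <= 4; i++)
        v = rol_u32(v, (unsigned)i) ^ (v + 0x9E3779B9u);
    return v;
}

/* Returns 1 when the long-based code agrees with the 32-bit reference. */
static int long_version_matches(uint32_t seed)
{
    return mix_long(seed) == (unsigned long)mix_u32(seed);
}

int main(void)
{
    printf("sizeof(unsigned long) = %zu\n", sizeof(unsigned long));
    printf("rol_long(0x80000001, 1) = 0x%lx\n", rol_long(0x80000001UL, 1));
    printf("rol_u32 (0x80000001, 1) = 0x%x\n", (unsigned)rol_u32(0x80000001u, 1));
    printf("agrees with 32-bit reference: %d\n", long_version_matches(0xDEADBEEFu));
    return 0;
}
```

When the two peers derive key material through code like `mix_long` and one side is built for 64-bit, the derived values no longer match, which is consistent with a symptom such as a password mismatch even though the configured passwords are identical.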