From ballester.david at gmail.com Mon Nov 24 05:42:39 2008
From: ballester.david at gmail.com (David Ballester)
Date: Mon, 24 Nov 2008 11:42:39 +0100
Subject: [Snortsam-discussion] undefined reference to `AlertFWsamSetup' snort 2.7.0 ubuntu 8.10
Message-ID: <1227523359.7322.29.camel@nebuchaddnezzar>

Hi to all:

I'm trying to patch snort to be able to use snortsam without success

my environment:

x86
snort 2.7.0 debian package. All deps and source code package installed

downloaded snortsam package for 2.6.0/2.7.0

wget http://www.snortsam.net/files/snortsam/snortsam-src-2.60.tar.gz

snort source + debian/ubuntu patches available:

root@snort:~/snort-2.7.0# ls -lrt
total 2020
-rwxr-xr-x 1 root root 5584 2000-08-07 04:41 install-sh
-rwxr-xr-x 1 root root 676 2003-10-20 17:03 mkinstalldirs
-rwxr-xr-x 1 root root 1770 2005-05-05 22:01 verstuff.pl
-rw-r--r-- 1 root root 420 2005-08-12 22:22 Makefile.am
-rw-r--r-- 1 root root 198422 2006-07-13 09:12 ltmain.sh
-rw-r--r-- 1 root root 869 2007-07-03 19:38 RELEASE.NOTES
-rw-r--r-- 1 root root 20997 2007-07-03 22:41 COPYING
-rwxr-xr-x 1 root root 8923 2007-07-03 22:41 missing
-rw-r--r-- 1 root root 21003 2007-07-03 22:41 LICENSE
-rw-r--r-- 1 root root 307511 2007-07-06 17:32 ChangeLog
-rw-r--r-- 1 root root 263773 2007-07-16 14:12 aclocal.m4
-rw-r--r-- 1 root root 4942 2007-07-16 14:12 config.h.in
-rwxr-xr-x 1 root root 15936 2007-07-16 14:12 depcomp
-rw-r--r-- 1 root root 21958 2007-07-16 14:12 Makefile.in
drwxr-xr-x 2 root root 4096 2007-07-18 22:16 templates
drwxr-xr-x 2 root root 4096 2007-07-18 22:16 contrib
drwxr-xr-x 2 root root 4096 2007-07-18 22:16 schemas
drwxr-xr-x 2 root root 4096 2007-07-18 22:16 rpm
drwxr-xr-x 2 root root 4096 2007-07-18 22:16 m4
-rw-r--r-- 1 root root 25224 2008-11-21 16:40 snort.8
-rw-r--r-- 1 root root 4925 2008-11-21 16:40 RELEASE.NOTES.2.6
-rw-r--r-- 1 root root 6278 2008-11-21 16:40 RELEASE.NOTES.2.4
-rw-r--r-- 1 root root 5553 2008-11-21 16:40 RELEASE.NOTES.2.3
-rw-r--r-- 1 root root 38334 2008-11-21 16:40 configure.in
-rwxr-xr-x 1 root root 908570 2008-11-21 16:40 configure
-rwxr-xr-x 1 root root 32724 2008-11-21 16:40 config.sub
-rwxr-xr-x 1 root root 44593 2008-11-21 16:40 config.guess
drwxr-xr-x 2 root root 12288 2008-11-21 16:40 rules
drwxr-xr-x 2 root root 4096 2008-11-21 16:40 etc
drwxr-xr-x 3 root root 4096 2008-11-21 16:40 doc
drwxr-xr-x 4 root root 12288 2008-11-21 16:40 debian
drwxr-xr-x 11 root root 4096 2008-11-21 17:07 src
root@snort:~/snort-2.7.0#

After applying the patch

root@snort:~# ./patchsnort.sh snort-2.7.0
Patching Snort version 2.x...
patching file spo_alert_fwsam.c
patching file spo_alert_fwsam.h
patching file twofish.c
patching file twofish.h
patching file plugbase.c
Hunk #1 succeeded at 115 with fuzz 2 (offset 5 lines).
Hunk #2 succeeded at 814 with fuzz 2 (offset 239 lines).
patching file plugin_enum.h
Hunk #1 succeeded at 31 (offset 21 lines).
Patching Makefiles...
Done
root@snort:~#

I try to rebuild the package (includes the config & make procedures)

root@snort:~/snort-2.7.0# dpkg-buildpackage -rfakeroot -b
(...)
plugbase.o: In function `InitOutputPlugins':
/home/operador/snort-2.7.0/src/plugbase.c:817: undefined reference to `AlertFWsamSetup'
collect2: ld returned 1 exit status
make[4]: *** [snort] Error 1
make[4]: Leaving directory `/home/operador/snort-2.7.0/src'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory `/home/operador/snort-2.7.0/src'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/home/operador/snort-2.7.0'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/home/operador/snort-2.7.0'
make: *** [build-basic-stamp] Error 2
dpkg-buildpackage: failure: fakeroot debian/rules binary gave error exit status 2
root@snort:~/snort-2.7.0#

If I try to repatch again, patchsnort claims that the patch is already
applied (as expected)

root@snort:~# ./patchsnort.sh snort-2.7.0
SnortSam patch already applied in 'snort-2.7.0'!
root@snort:~#

Any tip?

Thanks

D.

From jonkman at jonkmans.com Mon Nov 24 08:33:31 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 24 Nov 2008 08:33:31 -0500
Subject: [Snortsam-discussion] undefined reference to `AlertFWsamSetup' snort 2.7.0 ubuntu 8.10
In-Reply-To: <1227523359.7322.29.camel@nebuchaddnezzar>
References: <1227523359.7322.29.camel@nebuchaddnezzar>
Message-ID: <492AAD2B.80806@jonkmans.com>

Why are you patching 2.7 first of all?

I'd recommend trying a current version. You'll enjoy much better results
overall I suspect.

Matt

David Ballester wrote:
> Hi to all:
>
> I'm trying to patch snort to be able to use snortsam without success
>
> my environment:
>
> x86
> snort 2.7.0 debian package. All deps and source code package installed
>
> downloaded snortsam package for 2.6.0/2.7.0
>
> wget http://www.snortsam.net/files/snortsam/snortsam-src-2.60.tar.gz
>
> snort source + debian/ubuntu patches available:
>
> root@snort:~/snort-2.7.0# ls -lrt
> total 2020
> -rwxr-xr-x 1 root root 5584 2000-08-07 04:41 install-sh
> -rwxr-xr-x 1 root root 676 2003-10-20 17:03 mkinstalldirs
> -rwxr-xr-x 1 root root 1770 2005-05-05 22:01 verstuff.pl
> -rw-r--r-- 1 root root 420 2005-08-12 22:22 Makefile.am
> -rw-r--r-- 1 root root 198422 2006-07-13 09:12 ltmain.sh
> -rw-r--r-- 1 root root 869 2007-07-03 19:38 RELEASE.NOTES
> -rw-r--r-- 1 root root 20997 2007-07-03 22:41 COPYING
> -rwxr-xr-x 1 root root 8923 2007-07-03 22:41 missing
> -rw-r--r-- 1 root root 21003 2007-07-03 22:41 LICENSE
> -rw-r--r-- 1 root root 307511 2007-07-06 17:32 ChangeLog
> -rw-r--r-- 1 root root 263773 2007-07-16 14:12 aclocal.m4
> -rw-r--r-- 1 root root 4942 2007-07-16 14:12 config.h.in
> -rwxr-xr-x 1 root root 15936 2007-07-16 14:12 depcomp
> -rw-r--r-- 1 root root 21958 2007-07-16 14:12 Makefile.in
> drwxr-xr-x 2 root root 4096 2007-07-18 22:16 templates
> drwxr-xr-x 2 root root 4096 2007-07-18 22:16 contrib
> drwxr-xr-x 2 root root 4096 2007-07-18 22:16 schemas
> drwxr-xr-x 2 root root 4096 2007-07-18 22:16 rpm
> drwxr-xr-x 2 root root 4096 2007-07-18 22:16 m4
> -rw-r--r-- 1 root root 25224 2008-11-21 16:40 snort.8
> -rw-r--r-- 1 root root 4925 2008-11-21 16:40 RELEASE.NOTES.2.6
> -rw-r--r-- 1 root root 6278 2008-11-21 16:40 RELEASE.NOTES.2.4
> -rw-r--r-- 1 root root 5553 2008-11-21 16:40 RELEASE.NOTES.2.3
> -rw-r--r-- 1 root root 38334 2008-11-21 16:40 configure.in
> -rwxr-xr-x 1 root root 908570 2008-11-21 16:40 configure
> -rwxr-xr-x 1 root root 32724 2008-11-21 16:40 config.sub
> -rwxr-xr-x 1 root root 44593 2008-11-21 16:40 config.guess
> drwxr-xr-x 2 root root 12288 2008-11-21 16:40 rules
> drwxr-xr-x 2 root root 4096 2008-11-21 16:40 etc
> drwxr-xr-x 3 root root 4096 2008-11-21 16:40 doc
> drwxr-xr-x 4 root root 12288 2008-11-21 16:40 debian
> drwxr-xr-x 11 root root 4096 2008-11-21 17:07 src
> root@snort:~/snort-2.7.0#
>
> After applying the patch
>
> root@snort:~# ./patchsnort.sh snort-2.7.0
> Patching Snort version 2.x...
> patching file spo_alert_fwsam.c
> patching file spo_alert_fwsam.h
> patching file twofish.c
> patching file twofish.h
> patching file plugbase.c
> Hunk #1 succeeded at 115 with fuzz 2 (offset 5 lines).
> Hunk #2 succeeded at 814 with fuzz 2 (offset 239 lines).
> patching file plugin_enum.h
> Hunk #1 succeeded at 31 (offset 21 lines).
> Patching Makefiles...
> Done
> root@snort:~#
>
> I try to rebuild the package (includes the config & make procedures)
>
> root@snort:~/snort-2.7.0# dpkg-buildpackage -rfakeroot -b
> (...)
> plugbase.o: In function `InitOutputPlugins':
> /home/operador/snort-2.7.0/src/plugbase.c:817: undefined reference to
> `AlertFWsamSetup'
> collect2: ld returned 1 exit status
> make[4]: *** [snort] Error 1
> make[4]: Leaving directory `/home/operador/snort-2.7.0/src'
> make[3]: *** [all-recursive] Error 1
> make[3]: Leaving directory `/home/operador/snort-2.7.0/src'
> make[2]: *** [all-recursive] Error 1
> make[2]: Leaving directory `/home/operador/snort-2.7.0'
> make[1]: *** [all] Error 2
> make[1]: Leaving directory `/home/operador/snort-2.7.0'
> make: *** [build-basic-stamp] Error 2
> dpkg-buildpackage: failure: fakeroot debian/rules binary gave error exit
> status 2
> root@snort:~/snort-2.7.0#
>
> If I try to repatch again, patchsnort claims that the patch is already
> applied (as expected)
>
> root@snort:~# ./patchsnort.sh snort-2.7.0
> SnortSam patch already applied in 'snort-2.7.0'!
> root@snort:~#
>
> Any tip?
>
> Thanks
>
> D.
>
> _______________________________________________
> Snortsam-discussion mailing list
> Snortsam-discussion at snortsam.net
> http://lists.snortsam.net/mailman/listinfo/snortsam-discussion

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From ballester.david at gmail.com Mon Nov 24 10:00:43 2008
From: ballester.david at gmail.com (David Ballester)
Date: Mon, 24 Nov 2008 16:00:43 +0100
Subject: [Snortsam-discussion] undefined reference to `AlertFWsamSetup' snort 2.7.0 ubuntu 8.10
In-Reply-To: <492AAD2B.80806@jonkmans.com>
References: <1227523359.7322.29.camel@nebuchaddnezzar> <492AAD2B.80806@jonkmans.com>
Message-ID: <6a29f8b0811240700o43c6a7a5k13b2548b8f2e6b9b@mail.gmail.com>

2008/11/24 Matt Jonkman

> Why are you patching 2.7 first of all?
>
> I'd recommend trying a current version. You'll enjoy much better results
> overall I suspect.
>
> Matt
>

Thanks Matt

I'm sure, but 2.7.0 is the packaged snort version that comes with ubuntu
8.10. I'm seriously thinking of installing from the latest stable sources,
but I'll need to know all the config options that make sense in my
environment.

Meanwhile, do you have any idea why the patch application is failing?

Regards

D.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.snortsam.net/pipermail/snortsam-discussion/attachments/20081124/777f281a/attachment.html

From jonkman at jonkmans.com Mon Nov 24 10:13:32 2008
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Mon, 24 Nov 2008 10:13:32 -0500
Subject: [Snortsam-discussion] undefined reference to `AlertFWsamSetup' snort 2.7.0 ubuntu 8.10
In-Reply-To: <6a29f8b0811240700o43c6a7a5k13b2548b8f2e6b9b@mail.gmail.com>
References: <1227523359.7322.29.camel@nebuchaddnezzar> <492AAD2B.80806@jonkmans.com> <6a29f8b0811240700o43c6a7a5k13b2548b8f2e6b9b@mail.gmail.com>
Message-ID: <492AC49C.9010006@jonkmans.com>

Which patch are you using? Did you pull snort from cvs? Did you
autojunk.sh and all?

Regardless though, 2.7 is quite old. You'll have a lot of rules that
won't work on it. Going to current is quite easy to do. Highly recommend it.

Matt

David Ballester wrote:
>
> 2008/11/24 Matt Jonkman
>
> > Why are you patching 2.7 first of all?
> >
> > I'd recommend trying a current version. You'll enjoy much better results
> > overall I suspect.
> >
> > Matt
>
> Thanks Matt
>
> I'm sure, but 2.7.0 is the packaged snort version that comes with ubuntu
> 8.10. I'm seriously thinking of installing from the latest stable sources,
> but I'll need to know all the config options that make sense in my
> environment.
>
> Meanwhile, do you have any idea why the patch application is failing?
>
> Regards
>
> D.
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Snortsam-discussion mailing list
> Snortsam-discussion at snortsam.net
> http://lists.snortsam.net/mailman/listinfo/snortsam-discussion

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

From luismarichal at gmail.com Wed Nov 26 11:29:32 2008
From: luismarichal at gmail.com (Luis Marichal)
Date: Wed, 26 Nov 2008 21:29:32 +0500
Subject: [Snortsam-discussion] I modified the code of de plugins of Iptables and .....
Message-ID: <29acea7f0811260829i1a254ea0k17a8fe2c350adbf4@mail.gmail.com>

Hi everybody:

I just made some changes to the iptables plugins in the snortsam code.
Now it can block in all ways....

in
out
**this
**both

Who can analyze these changes and determine if they are good......
Tell me so I can upload this code, please....

Sorry for my English, I am in a hurry now. And I am from Cuba......
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.snortsam.net/pipermail/snortsam-discussion/attachments/20081126/d2de4ad2/attachment.html

From frank at snortsam.net Sun Nov 30 17:58:28 2008
From: frank at snortsam.net (Frank Knobbe)
Date: Sun, 30 Nov 2008 16:58:28 -0600
Subject: [Snortsam-discussion] I modified the code of de plugins of Iptables and .....
In-Reply-To: <29acea7f0811260829i1a254ea0k17a8fe2c350adbf4@mail.gmail.com>
References: <29acea7f0811260829i1a254ea0k17a8fe2c350adbf4@mail.gmail.com>
Message-ID: <1228085908.2047.5.camel@localhost>

On Wed, 2008-11-26 at 21:29 +0500, Luis Marichal wrote:
> I just made some changes to the iptables plugins in the snortsam
> code. Now it can block in all ways....
>
> in
> out
> **this
> **both
>
> Who can analyze these changes and determine if they are good......
> Tell me so I can upload this code, please....

Hi Luis,

I'm getting ready to commit some updates to Snortsam shortly. Please
email me your patches, or updated versions of ssp_iptables.*, and I'll
add them to the next update.

Thanks,
Frank