From: maddog2k at maddog2k.net (Wouter de Jong)
Date: Wed, 7 Oct 2009 15:26:04 +0200
Subject: [Snortsam-discussion] Snort 2.8.5 + Snortsam : Unknown rule option: 'fwsam'.
Message-ID: <008501ca4751$b8387030$28a95090$@net>

Hi,

I can't get Snort 2.8.5 (patched with the Snortsam patch) to work ...
As soon as I want to load a test rule like this:

alert icmp any any -> $HOME_NET any (msg:"ICMP test"; dsize:>1400; sid:1000001; fwsam: src, 20 minutes;)

I get the following:

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
ERROR: /etc/snort/rules/local.rules(7) Unknown rule option: 'fwsam'.
Fatal Error, Quitting..

Snort does have Snortsam compiled in, because a 'strings /usr/sbin/snort | grep -i fwsam' reveals lines like:

ERROR => [Alert_FWsam](FWsamCheckOut) Funky socket error (socket)!
ERROR => [Alert_FWsam](FWsamCheckOut) Could not bind socket!
INFO => [Alert_FWsam](FWsamCheckOut) Disconnecting from host %s.
INFO => [Alert_FWsam](FWsamCheckOut) Had to use initial key!

etc, etc.

Am I missing something here?

Best regards,

Wouter de Jong


From: slyguy2000 at hotmail.com (Rob Sly)
Date: Wed, 7 Oct 2009 11:47:09 -0400
Subject: [Snortsam-discussion] Snort 2.8.5 + Snortsam : Unknown rule option:'fwsam'.
In-Reply-To: <008501ca4751$b8387030$28a95090$@net>
References: <008501ca4751$b8387030$28a95090$@net>
Message-ID:

You need to download the patch file from http://www.snortsam.net/download.html for the specific version of snort that you are using, and patch the source code for snort to add in snortsam. Then you need to configure and compile, and you should be able to get it working.

Post back on your success or if you need further help.
From: ohauer at gmx.de (Olli Hauer)
Date: Wed, 07 Oct 2009 20:22:50 +0200
Subject: [Snortsam-discussion] some small ssp_pf2 enhancements
Message-ID: <20091007182250.68380@gmx.net>

Hi,

I made some changes in ssp_pf2.c, so tables in the main pf section can be used.
This can be activated with the keyword anchor=notused in snortsam.conf.

See the following example:

-- snortsam.conf --
# no tables defined -> tables = blockin,blockout
pf2 anchor=notused log=1

# keyword notused -> tables in main pf.conf section
pf2 anchor=notused table=fwsam log=1

# tables inside the anchor are used
pf2 anchor=snortsam table=afwsam log=1

This is tested with the samtool at
- FreeBSD 7.2 i386
- FreeBSD 8.0-RC2 x64
- OpenBSD 4.5 i386

I guess no one is using OpenBSD < 4.x these days, so it will be safe to remove ssp_pf.c and ssp_pf.h.

One thing that maybe should be documented is the strange thing of adding an '_' to the table names, while the defaults are block(in|out).

/* save tablenames */
snprintf(tbuf, PF_TABLE_NAME_SIZE, "%s_in", options[PF2_OPT_TABLE].v.value_s);

Regards,
olli hauer

Index: src/ssp_pf2.c
===================================================================
RCS file: /cvsroot/snortsam/snortsam/src/ssp_pf2.c,v
retrieving revision 3.1
diff -u -r3.1 ssp_pf2.c
--- src/ssp_pf2.c    14 Apr 2009 18:50:45 -0000    3.1
+++ src/ssp_pf2.c    7 Oct 2009 17:10:42 -0000
@@ -47,6 +47,7 @@
 #include "snortsam.h"
 #include "ssp_pf2.h"
 
+unsigned int use_anchor = TRUE;
 
 /* Routine for opt parsing ( opt=value opt2=value2 etc. ) */
 int parse_opts(char *line, opt_pf2 *opt, char *sep, char *int_sep, int nopt)
@@ -138,6 +139,9 @@
     else {
         safecopy(pfp->anchorname, options[PF2_OPT_ANCHOR].v.value_s);    /* save anchorname */
+        /* if use_anchor = FALSE then tables from the main pf section will be used */
+        if (strncmp(options[PF2_OPT_ANCHOR].v.value_s, "notused", MAX_OPT_NAME)==0)
+            use_anchor = FALSE;
     }
 
     /* Check Table */
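Review bot: in the anchorname hunk, use_anchor is a file-scope global that is only ever set to FALSE, while the anchor name itself is stored per plugin instance in pfp->anchorname. The snortsam.conf example earlier in this same mail configures three pf2 lines; once any one of them says anchor=notused, every instance skips the anchor for the rest of the process, and nothing ever sets the flag back to TRUE. Suggest a per-instance field instead (initialised to TRUE where pfp is set up, cleared in this branch) and passing that through to the ioctl code rather than reading the global. The length handed to strncmp is also MAX_OPT_NAME, a bound for option names, applied to an option value; since the value is NUL-terminated a plain strcmp would say what is meant.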
@@ -258,7 +262,10 @@
     bzero(&io, sizeof(io));
     strlcpy(io.pfrio_table.pfrt_name, table, sizeof(io.pfrio_table.pfrt_name));
-    strlcpy(io.pfrio_table.pfrt_anchor, anchor, sizeof(io.pfrio_table.pfrt_anchor));
+
+    if (use_anchor == TRUE)
+        strlcpy(io.pfrio_table.pfrt_anchor, anchor,
+            sizeof(io.pfrio_table.pfrt_anchor));
     io.pfrio_buffer = &addr;
     io.pfrio_esize = sizeof(addr);
     io.pfrio_size = 1;
@@ -287,6 +294,10 @@
         logmessage(3, msg, "pf2", 0);
         return (-1);
     }
+#ifdef FWSAMDEBUG
+    printf("[DEBUG ] %s %s %s table %s , anchor: %s\n",
+        add ? "add" : "remove", ipsrc, add ? "to" : "from", table, anchor);
+#endif
     return (0);
 }


From: maddog2k at maddog2k.net (Wouter de Jong)
Date: Thu, 8 Oct 2009 10:52:08 +0200
Subject: [Snortsam-discussion] Snort 2.8.5 + Snortsam : Unknown rule option:'fwsam'.
In-Reply-To:
References: <008501ca4751$b8387030$28a95090$@net>
Message-ID: <008801ca47f4$9f8498e0$de8dcaa0$@net>

Hi Rob,

This is exactly what I did...
That's why I posted the 'strings /usr/sbin/snort | grep -i fwsam' output as 'proof', because I knew I'd get a reaction like yours, but apparently it was still not clear :))

In the meantime, I've downgraded to Snort 2.8.4.1, built it in exactly the same way as 2.8.5 but with the 2.8.4.1 snortsam patch, and that works ok.

So there seems to be something wrong with the patch for 2.8.5 ...

Best regards,

Wouter
_______________________________________________
Snortsam-discussion mailing list
Snortsam-discussion at snortsam.net
http://lists.snortsam.net/mailman/listinfo/snortsam-discussion
From: skysbsb at gmail.com (David Gomes)
Date: Thu, 8 Oct 2009 09:19:13 -0300
Subject: [Snortsam-discussion] Snort 2.8.5 + Snortsam : Unknown rule option:'fwsam'.
In-Reply-To: <008801ca47f4$9f8498e0$de8dcaa0$@net>
References: <008501ca4751$b8387030$28a95090$@net> <008801ca47f4$9f8498e0$de8dcaa0$@net>
Message-ID:

Yes, there is something wrong. I have tried the same thing that you just did before, and got the same error. The patch for 2.8.5 on the snortsam site is not really for 2.8.5 but for 2.8.4.1, like you see in the header of the file:

diff -ruN snort-2.8.4.1.orig/autojunk.sh snort-2.8.4.1/autojunk.sh
--- snort-2.8.4.1.orig/autojunk.sh    1970-01-01 03:30:00.000000000 +0330
+++ snort-2.8.4.1/autojunk.sh    2009-06-23 16:40:44.000000000 +0430

It is just the same 2.8.4.1 patch. I think the snortsam team has not released the 2.8.5 patch yet.

On Thu, Oct 8, 2009 at 5:52 AM, Wouter de Jong wrote:
> [...]
> So there seems to be something wrong with the patch for 2.8.5 ...
From: frank at snortsam.net (Frank Knobbe)
Date: Thu, 08 Oct 2009 16:07:38 -0500
Subject: [Snortsam-discussion] Snort 2.8.5 + Snortsam : Unknown rule option:'fwsam'.
In-Reply-To:
References: <008501ca4751$b8387030$28a95090$@net> <008801ca47f4$9f8498e0$de8dcaa0$@net>
Message-ID: <1255036058.49663.174.camel@localhost>

On Thu, 2009-10-08 at 09:19 -0300, David Gomes wrote:
> Is just the same 2.8.4.1 patch. I think the snortsam team has not
> release the 2.8.5 patch yet.

Well, there really is no Snortsam team :) It's guys like you submitting patches to keep Snortsam running.

The 2.8.5 patch was submitted by Luis Daniel Lucio Quiroz. He tried to get the plugin to work with 2.8.5. Looks like it is not registering the rule option with Snort properly. I'm pretty slammed at work at the moment and just don't have the time to investigate. If someone finds a solution, please let me know.

In the meantime, I'll pull the 2.8.5 patch to avoid confusion.

Thanks,
Frank
From: frank at snortsam.net (Frank Knobbe)
Date: Thu, 08 Oct 2009 16:11:00 -0500
Subject: [Snortsam-discussion] some small ssp_pf2 enhancements
In-Reply-To: <20091007182250.68380@gmx.net>
References: <20091007182250.68380@gmx.net>
Message-ID: <1255036260.49663.178.camel@localhost>

On Wed, 2009-10-07 at 20:22 +0200, Olli Hauer wrote:
> I made some changes in ssp_pf2.c, so tables in the main pf section
> can be used. This can be activated with the keyword anchor=notused
> in snortsam.conf.
[...]
> I guess no one is using OpenBSD < 4.x these days so it will be safe to
> remove ssp_pf.c and ssp_pf.h

Earlier this year I used ssp_pf and hacked that into shape to get it to work on FBSD 7.2, since ssp_pf2 didn't work for me. I think the old method should indeed be abandoned and the newer version used. I just wasn't able to figure out why ssp_pf2 didn't work, so I made ssp_pf work. If ssp_pf2 works for everyone, I'll leave it as it is and add your changes.

> One thing that maybe should be documented is the strange thing of adding an '_'
> to the table names, while the defaults are block(in|out).

Not sure what you mean. Could you elaborate?

Thanks,
Frank
From: skysbsb at gmail.com (David Gomes)
Date: Thu, 8 Oct 2009 18:18:12 -0300
Subject: [Snortsam-discussion] Snort 2.8.5 + Snortsam : Unknown rule option:'fwsam'.
In-Reply-To: <1255036058.49663.174.camel@localhost>
References: <008501ca4751$b8387030$28a95090$@net> <008801ca47f4$9f8498e0$de8dcaa0$@net> <1255036058.49663.174.camel@localhost>
Message-ID:

On Thu, Oct 8, 2009 at 6:07 PM, Frank Knobbe wrote:
> On Thu, 2009-10-08 at 09:19 -0300, David Gomes wrote:
> > Is just the same 2.8.4.1 patch. I think the snortsam team has not
> > release the 2.8.5 patch yet.
>
> Well, there really is no Snortsam team :) It's guys like you submitting
> patches to keep Snortsam running.

Ok sorry, my mistake.. I really didn't know that..

> The 2.8.5 patch was submitted by Luis Daniel Lucio Quiroz. He tried to
> get the plugin to work with 2.8.5. Looks like it is not registering the
> rule option with Snort properly. I'm pretty slammed at work at the
> moment and just don't have the time to investigate. If someone finds a
> solution, please let me know.
>
> in the meantime, I'll pull the 2.8.5 patch to avoid confusion.

Ok Frank.. let us know if you find something...

> Thanks,
> Frank

Tks u.
From: ohauer at gmx.de (Olli Hauer)
Date: Fri, 09 Oct 2009 19:10:04 +0200
Subject: [Snortsam-discussion] some small ssp_pf2 enhancements
In-Reply-To: <1255036260.49663.178.camel@localhost>
References: <20091007182250.68380@gmx.net> <1255036260.49663.178.camel@localhost>
Message-ID: <20091009171004.198720@gmx.net>

>> I made some changes in ssp_pf2.c, so tables in the main pf section
>> can be used. This can be activated with the keyword anchor=notused
>> in snortsam.conf.
> [...]
>> I guess no one is using OpenBSD < 4.x these days so it will be safe to
>> remove ssp_pf.c and ssp_pf.h

> Earlier this year I used ssp_pf and hacked that in shape to get it to
> work on FBSD 7.2 since the ssp_pf2 didn't work for me. I think the old
> method should indeed be abandoned and the newer version used. I just
> wasn't able to figure out why ssp_pf2 didn't work, so I made ssp_pf
> work. If ssp_pf2 works for everyone, I'll leave it as it is and add your
> changes.

Do you remember some details?
- installed from source/port ...
- pf loaded as a module or built into the kernel
- tables not working ...

Maybe I can find out why it has not worked.

>> One thing that maybe should be documented is the strange thing of adding an '_'
>> to the table names, while the defaults are block(in|out).
>
> Not sure what you mean. Could you elaborate?

I will try to explain. Given someone configures the following line in snortsam.conf:

1) pf2 log=0

this will at the moment result in these default values:
- anchor=snortsam, tables=blockin,blockout

Now let's say the user configures the following line:

2) pf2 table=block log=0

this will result in:
- anchor=snortsam, tables=block_in,block_out

I think this is not expected, since it should result in the same as config 1). See the following lines from ssp_pf2.c.
- snprintf(tbuf, PF_TABLE_NAME_SIZE, "%s_in",
- snprintf(tbuf, PF_TABLE_NAME_SIZE, "%s_out",
+ snprintf(tbuf, PF_TABLE_NAME_SIZE, "%sin",
+ snprintf(tbuf, PF_TABLE_NAME_SIZE, "%sout",

There is another issue: if only the keyword 'pf2' and no parameters are given, snortsam crashes hard instead of using the default values.

After reading the list archives I found a request from you on how to sort out OpenBSD/FreeBSD/NetBSD versions for makefiles. For FreeBSD there is a solution; I will ask on the OpenBSD dev list if there is something equivalent.
http://www.freebsd.org/doc/en_US.ISO8859-1/books/porters-handbook/freebsd-versions.html

New diff for ssp_pf2.c to honor the default value problem, and additionally ignore the anchor with the keyword anchor=none|notused.

I will write an additional README.pf2, but first I want to add some syslog code which works on all *BSDs.

Regards,
olli

Index: ssp_pf2.c
===================================================================
RCS file: /cvsroot/snortsam/snortsam/src/ssp_pf2.c,v
retrieving revision 3.1
diff -u -r3.1 ssp_pf2.c
--- ssp_pf2.c    14 Apr 2009 18:50:45 -0000    3.1
+++ ssp_pf2.c    9 Oct 2009 09:50:32 -0000
@@ -47,6 +47,7 @@
 #include "snortsam.h"
 #include "ssp_pf2.h"
 
+unsigned int use_anchor = TRUE;
 
 /* Routine for opt parsing ( opt=value opt2=value2 etc. ) */
 int parse_opts(char *line, opt_pf2 *opt, char *sep, char *int_sep, int nopt)
@@ -138,6 +139,10 @@
     else {
         safecopy(pfp->anchorname, options[PF2_OPT_ANCHOR].v.value_s);    /* save anchorname */
+        /* if use_anchor = FALSE then tables from the main pf section will be used */
+        if ((strncmp(options[PF2_OPT_ANCHOR].v.value_s, "notused", MAX_OPT_VALUE)==0) ||
+            (strncmp(options[PF2_OPT_ANCHOR].v.value_s, "none", MAX_OPT_VALUE)==0))
+            use_anchor = FALSE;
     }
 
     /* Check Table */
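Review bot: in the anchorname hunk the keyword check runs after safecopy(pfp->anchorname, ...) has already stored the literal "notused" or "none", so the instance carries a fake anchor name that later code will show as if it were in use (the FWSAMDEBUG line added further down in this same diff prints anchor=%s). Clear pfp->anchorname in this branch, which also matches what the ioctl hunk actually hands to pf (pfrt_anchor left empty by bzero), or do the comparison once before the copy. strncmp is case-sensitive, so anchor=None quietly becomes a real anchor named "None"; either document that or compare case-insensitively. The per-instance problem raised against the first version still stands, since use_anchor remains a single global shared by every pf2 line in snortsam.conf.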
@@ -153,10 +158,10 @@
     else {
         /* save tablenames */
-        snprintf(tbuf, PF_TABLE_NAME_SIZE, "%s_in",
+        snprintf(tbuf, PF_TABLE_NAME_SIZE, "%sin",
             options[PF2_OPT_TABLE].v.value_s);
         safecopy(pfp->tablein, tbuf);
-        snprintf(tbuf, PF_TABLE_NAME_SIZE, "%s_out",
+        snprintf(tbuf, PF_TABLE_NAME_SIZE, "%sout",
             options[PF2_OPT_TABLE].v.value_s);
         safecopy(pfp->tableout, tbuf);
     }
@@ -258,7 +263,10 @@
     bzero(&io, sizeof(io));
     strlcpy(io.pfrio_table.pfrt_name, table, sizeof(io.pfrio_table.pfrt_name));
-    strlcpy(io.pfrio_table.pfrt_anchor, anchor, sizeof(io.pfrio_table.pfrt_anchor));
+
+    if (use_anchor == TRUE)
+        strlcpy(io.pfrio_table.pfrt_anchor, anchor,
+            sizeof(io.pfrio_table.pfrt_anchor));
     io.pfrio_buffer = &addr;
     io.pfrio_esize = sizeof(addr);
     io.pfrio_size = 1;
@@ -287,6 +295,10 @@
         logmessage(3, msg, "pf2", 0);
         return (-1);
     }
+#ifdef FWSAMDEBUG
+    printf("[DEBUG] %s %s %s anchor=%s table=%s\n",
+        add ? "add" : "remove", ipsrc, add ? "to" : "from", anchor, table);
+#endif
     return (0);
 }
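Review bot: the "%sin"/"%sout" hunk fixes the default mismatch (table=block now yields blockin/blockout, the same as no table= at all) but still leaves truncation to snprintf with PF_TABLE_NAME_SIZE, so a table= value of 29 or more characters silently loses its suffix and pfp->tablein and pfp->tableout end up naming the same table, with no error at config time. Reject the option up front when strlen(value) + strlen("out") >= PF_TABLE_NAME_SIZE, and describe the derived in/out names in the README.pf2 promised above, since nothing in the config syntax hints that one name produces two tables.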
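Review bot: in the pfrt_anchor hunk the use_anchor == FALSE path is correct only because bzero(&io, sizeof(io)) two lines earlier leaves pfrt_anchor as an empty string, which pf takes to mean the main ruleset; a one-line comment on the new if would stop a later edit that moves or drops the bzero from silently passing a stale anchor. Style: comparing a flag with == TRUE breaks if use_anchor is ever assigned a non-1 truthy value; if (use_anchor) is safer and matches the rest of the file.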
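Review bot: the FWSAMDEBUG hunk writes its line with printf to stdout, while the error path three lines above goes through logmessage(3, msg, "pf2", 0); a daemonised snortsam may have stdout closed or redirected, so the debug output disappears or lands somewhere other than the log. Format the line into msg and hand it to logmessage at the debug level instead. It also prints anchor=%s unconditionally, but when use_anchor is FALSE that string was never given to pf, so the message misstates what was done; print the value actually placed in io.pfrio_table.pfrt_anchor.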
From: luis.daniel.lucio at gmail.com (Luis Daniel Lucio Quiroz)
Date: Fri, 9 Oct 2009 20:10:45 -0500
Subject: [Snortsam-discussion] Snort 2.8.5 + Snortsam : Unknown rule option:'fwsam'.
In-Reply-To: <1255036058.49663.174.camel@localhost>
References: <008501ca4751$b8387030$28a95090$@net> <1255036058.49663.174.camel@localhost>
Message-ID: <200910092010.45876.luis.daniel.lucio@gmail.com>

On Thursday, 8 October 2009 16:07:38, Frank Knobbe wrote:
> [...]
> The 2.8.5 patch was submitted by Luis Daniel Lucio Quiroz. He tried to
> get the plugin to work with 2.8.5. Looks like it is not registering the
> rule option with Snort properly.

I may rediff the patch, but I need you to tell me where the line is in which the fwsam option is registered.
From: luis.daniel.lucio at gmail.com (Luis Daniel Lucio Quiroz)
Date: Fri, 9 Oct 2009 20:44:24 -0500
Subject: [Snortsam-discussion] Snort 2.8.5 + Snortsam : Unknown rule option:'fwsam'.
In-Reply-To: <1255036058.49663.174.camel@localhost>
References: <008501ca4751$b8387030$28a95090$@net> <1255036058.49663.174.camel@localhost>
Message-ID: <200910092044.24496.luis.daniel.lucio@gmail.com>

On Thursday, 8 October 2009 16:07:38, Frank Knobbe wrote:
> [...]
> Looks like it is not registering the rule option with Snort properly.

I guess this is a bad option. The patch did have:

RegisterPlugin("fwsam", AlertFWsamOptionInit, NULL, OPT_TYPE_ACTION);

and it was updated to

RegisterOutputPlugin("alert_fwsam", OUTPUT_TYPE_FLAG__ALERT, AlertFWsamInit);
RegisterOutputPlugin("fwsam", OUTPUT_TYPE_FLAG__ALERT, AlertFWsamOptionInit);

I guess I miss some flags, but I ignore them.

LD
From: frank at snortsam.net (Frank Knobbe)
Date: Fri, 09 Oct 2009 22:11:59 -0500
Subject: [Snortsam-discussion] some small ssp_pf2 enhancements
In-Reply-To: <20091009171004.198720@gmx.net>
References: <20091007182250.68380@gmx.net> <1255036260.49663.178.camel@localhost> <20091009171004.198720@gmx.net>
Message-ID: <1255144319.48946.46.camel@localhost>

On Fri, 2009-10-09 at 19:10 +0200, Olli Hauer wrote:
> > Earlier this year I used ssp_pf and hacked that in shape to get it to
> > work on FBSD 7.2 since the ssp_pf2 didn't work for me. I think the old
> > method should indeed be abandoned and the newer version used. I just
> > wasn't able to figure out why ssp_pf2 didn't work, so I made ssp_pf
> > work. If ssp_pf2 works for everyone, I'll leave it as it is and add your
> > changes.
>
> Do you remember some details?
> - installed from source/port ...
> - pf loaded as a module or built into the kernel
> - tables not working

Snortsam was installed from CVS (as I always do). I'm not sure how pf2 was loaded, but my guess would be as a module, since I don't think those folks rolled a custom kernel. (I'm reasonably sure that uname -a said GENERIC, nothing custom.)

The problem was the tables. Even though the anchor and tables were created per Olaf's document, Snortsam never inserted the IPs. I assumed there was something wrong with the ioctls and tried the older pf version, which after a bit of massaging worked just fine.

> this will at the moment result in these default values:
> - anchor=snortsam, tables=blockin,blockout
>
> Now let's say the user configures the following line:
> 2) pf2 table=block log=0
>
> this will result in:
> - anchor=snortsam, tables=block_in,block_out

heh... I wonder if that was my problem :)

Yeah, the _ should be removed to keep it consistent.

> I will write an additional README.pf2, but first I want to add some syslog code which works on all *BSDs.

I have a submission for syslog (thanks to Jeffry). I just never got around to implementing it yet.
The main reason is that I wanted to add code around it to have it log to the EventLog when on Windows, and call syslog() on non-Windows machines.

Over the last two years I have been pretty busy with work, and neglected the Snortsam community a bit. (Thanks to Matt and the other ET folks for keeping Snortsam afloat during the last year.) But soon I'll be able to put a bit more time into it... at least as far as submissions and a few new features are concerned, and of course an updated Snort plugin, barnyard1 plugin, barnyard2 plugin....

Historically, most changes to Snortsam always seemed to happen in December. I'm sure that will hold true this year :)

Cheers,
Frank
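The pf2 config-line handling argued over in the two messages above (bare "pf2" crashing instead of taking defaults, the "_" suffix making table=block differ from the default blockin/blockout, and anchor=none|notused selecting main-ruleset tables), as an added stand-alone example that is not Snortsam's ssp_pf2.c: it applies the corrected rules and additionally rejects table names that snprintf would otherwise truncate. PF_TABLE_NAME_SIZE is pf's own constant; the struct and function names are this example's assumptions.

```c
/* Added example (not Snortsam's ssp_pf2.c): parse one "pf2 ..." line from
 * snortsam.conf into the anchor/table settings discussed in the thread: a bare
 * "pf2" gets defaults instead of a crash, "%sin"/"%sout" makes table=block equal
 * the default blockin/blockout, anchor=none|notused selects main-ruleset tables,
 * and a name that would not fit PF_TABLE_NAME_SIZE is rejected, not truncated.
 * PF_TABLE_NAME_SIZE is pf's constant; struct and function names are ours. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PF_TABLE_NAME_SIZE 32   /* as in <net/pfvar.h> */
#define ANCHOR_NAME_SIZE   64   /* this example's own limit for anchor names */

struct pf2_conf {
    int  use_anchor;            /* 0 -> tables live in the main ruleset */
    char anchor[ANCHOR_NAME_SIZE];
    char tablein[PF_TABLE_NAME_SIZE];
    char tableout[PF_TABLE_NAME_SIZE];
    int  log;
};

/* The two pfioc_table fields ssp_pf2.c fills before the add/remove ioctl. */
struct pf_table_ref {
    char name[PF_TABLE_NAME_SIZE];
    char anchor[ANCHOR_NAME_SIZE];
};

/* Parse "pf2 [anchor=X] [table=Y] [log=N]". Returns 0, or -1 on a malformed,
 * unknown or unsafe option (unknown keys are rejected, not ignored). */
int pf2_parse(const char *line, struct pf2_conf *c)
{
    const char *p = line + strspn(line, " \t");
    char table[PF_TABLE_NAME_SIZE] = "block";       /* default table stem */
    char tok[128];
    size_t n = strcspn(p, " \t\r\n");
    memset(c, 0, sizeof(*c));
    c->use_anchor = 1;
    strcpy(c->anchor, "snortsam");                  /* default anchor */
    if (n != 3 || strncmp(p, "pf2", 3) != 0)
        return -1;                                  /* not a pf2 line */
    p += n;
    for (;;) {
        p += strspn(p, " \t\r\n");
        if (*p == '\0')
            break;                                  /* bare "pf2": defaults stand */
        n = strcspn(p, " \t\r\n");
        if (n >= sizeof(tok))
            return -1;
        memcpy(tok, p, n); tok[n] = '\0';
        p += n;
        char *val = strchr(tok, '=');
        if (val == NULL || val[1] == '\0')
            return -1;                              /* "key" or "key=" */
        *val++ = '\0';
        if (strcmp(tok, "anchor") == 0) {
            if (strcmp(val, "none") == 0 || strcmp(val, "notused") == 0) {
                c->use_anchor = 0;
                c->anchor[0] = '\0';                /* empty anchor = main ruleset */
            } else if (strlen(val) < sizeof(c->anchor)) {
                strcpy(c->anchor, val);
            } else {
                return -1;
            }
        } else if (strcmp(tok, "table") == 0) {
            /* room for the longer "out" suffix plus the NUL, else reject */
            if (strlen(val) + strlen("out") >= PF_TABLE_NAME_SIZE)
                return -1;
            strcpy(table, val);
        } else if (strcmp(tok, "log") == 0) {
            c->log = atoi(val);
        } else {
            return -1;
        }
    }
    snprintf(c->tablein,  sizeof(c->tablein),  "%sin",  table);
    snprintf(c->tableout, sizeof(c->tableout), "%sout", table);
    return 0;
}

/* Table reference for one direction; the anchor is copied only when in use. */
void pf2_table_ref(const struct pf2_conf *c, int outbound, struct pf_table_ref *r)
{
    memset(r, 0, sizeof(*r));                       /* zeroed anchor = main ruleset */
    strcpy(r->name, outbound ? c->tableout : c->tablein);
    if (c->use_anchor)
        strcpy(r->anchor, c->anchor);
}

int main(void)
{   /* constructed sample lines; the first three are from Olli's snortsam.conf */
    const char *lines[] = { "pf2 anchor=notused log=1", "pf2 anchor=notused table=fwsam log=1",
        "pf2 anchor=snortsam table=afwsam log=1", "pf2", "pf2 table=thisnameiswaytoolongforpftables" };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        struct pf2_conf c;
        if (pf2_parse(lines[i], &c) != 0) { printf("%-45s -> rejected\n", lines[i]); continue; }
        printf("%-45s -> anchor='%s' in=%s out=%s log=%d\n", lines[i], c.anchor, c.tablein, c.tableout, c.log);
    }
    return 0;
}
```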
From: frank at snortsam.net (Frank Knobbe)
Date: Fri, 09 Oct 2009 22:18:48 -0500
Subject: [Snortsam-discussion] Snort 2.8.5 + Snortsam : Unknown rule option:'fwsam'.
In-Reply-To: <200910092044.24496.luis.daniel.lucio@gmail.com>
References: <008501ca4751$b8387030$28a95090$@net> <1255036058.49663.174.camel@localhost> <200910092044.24496.luis.daniel.lucio@gmail.com>
Message-ID: <1255144728.48946.53.camel@localhost>

On Fri, 2009-10-09 at 20:44 -0500, Luis Daniel Lucio Quiroz wrote:
> I guess this is a bad option. The patch did have:
> RegisterPlugin("fwsam", AlertFWsamOptionInit, NULL, OPT_TYPE_ACTION);
> and it was updated to
> RegisterOutputPlugin("alert_fwsam", OUTPUT_TYPE_FLAG__ALERT, AlertFWsamInit);
> RegisterOutputPlugin("fwsam", OUTPUT_TYPE_FLAG__ALERT, AlertFWsamOptionInit);

Luis,

I just looked at the code. The old patch had:

RegisterOutputPlugin("alert_fwsam", NT_OUTPUT_ALERT, AlertFWsamInit);
(registers the output plugin)

RegisterPlugin("fwsam", AlertFWsamOptionInit);
(registers the fwsam rule option)

Your patch included

RegisterOutputPlugin("alert_fwsam", OUTPUT_TYPE_FLAG__ALERT, AlertFWsamInit);
(registers the output plugin, which seems to work)

RegisterOutputPlugin("fwsam", OUTPUT_TYPE_FLAG__ALERT, AlertFWsamOptionInit);
(which is supposed to register the "fwsam" option, but apparently does not.)

You seem to call the same registration with the same TYPE variable, when in fact these are not the same. If you can find out how to register a rule option, that's what the second line is supposed to do. Take a look at some preprocessors, like http_inspect, which should register any special rule options (like httpheader). That's how "fwsam" should be registered.

Hope that helps,
Frank
From: luis.daniel.lucio at gmail.com (Luis Daniel Lucio Quiroz)
Date: Fri, 9 Oct 2009 23:01:41 -0500
Subject: [Snortsam-discussion] Snort 2.8.5 + Snortsam : Unknown rule option:'fwsam'.
In-Reply-To: <1255144728.48946.53.camel@localhost>
References: <008501ca4751$b8387030$28a95090$@net> <200910092044.24496.luis.daniel.lucio@gmail.com> <1255144728.48946.53.camel@localhost>
Message-ID: <200910092301.41868.luis.daniel.lucio@gmail.com>

On Friday, 9 October 2009 22:18:48, Frank Knobbe wrote:
> [...]
> You seem to call the same registration with the same TYPE variable, when
> in fact these are not the same. If you can find out how to registers a
> rule option, that's what the second line is supposed to. Take a look at
> some preprocessors, like http_inspect, which should register any special
> rule options (like httpheader). That's how "fwsam" should be registered.
It seems that another snort option has this:

RegisterRuleOption("seq", TcpSeqCheckInit, NULL, OPT_TYPE_DETECTION);

so I guess that for snort it should be

RegisterRuleOption("fwsam", AlertFWsamOptionInit, NULL, OPT_TYPE_DETECTION);

I will try and post a new patch for test. I will get rid of

RegisterOutputPlugin("fwsam", OUTPUT_TYPE_FLAG__ALERT, AlertFWsamOptionInit);

since it does not work.

I'll let you know.
From: luis.daniel.lucio at gmail.com (Luis Daniel Lucio Quiroz)
Date: Fri, 9 Oct 2009 23:38:11 -0500
Subject: [Snortsam-discussion] Snort 2.8.5 + Snortsam : Unknown rule option:'fwsam'.
In-Reply-To:
References: <008501ca4751$b8387030$28a95090$@net> <1255036058.49663.174.camel@localhost>
Message-ID: <200910092338.11615.luis.daniel.lucio@gmail.com>

On Thursday, 8 October 2009 16:18:12, David Gomes wrote:
> [...]
> Ok Frank.. let us know if u find something...

I've rediffed the patch and added

RegisterRuleOption("fwsam", AlertFWsamOptionInit, NULL, OPT_TYPE_DETECTION);

Please give it a try.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: snortsam-2.8.5-dlucio.diff
Type: text/x-patch
Size: 114021 bytes
Desc: not available
Url : http://lists.snortsam.net/pipermail/snortsam-discussion/attachments/20091009/58b4b217/snortsam-2.8.5-dlucio-0001.bin
From: frank at snortsam.net (Frank Knobbe)
Date: Fri, 09 Oct 2009 23:46:04 -0500
Subject: [Snortsam-discussion] Snort 2.8.5 + Snortsam : Unknown rule option:'fwsam'.
In-Reply-To: <200910092338.11615.luis.daniel.lucio@gmail.com>
References: <008501ca4751$b8387030$28a95090$@net> <1255036058.49663.174.camel@localhost> <200910092338.11615.luis.daniel.lucio@gmail.com>
Message-ID: <1255149964.99694.4.camel@server1>

On Fri, 2009-10-09 at 23:38 -0500, Luis Daniel Lucio Quiroz wrote:
> I've re-diffed the patch and added
> RegisterRuleOption("fwsam", AlertFWsamOptionInit, NULL, OPT_TYPE_DETECTION);

Wrong patch. As we discussed, it should be
RegisterRuleOption("fwsam", AlertFWsamOptionInit, NULL, OPT_TYPE_ACTION);

Just like the old version was.

I'll hack the diff real quick and put it back on the web.

-Frank

From luis.daniel.lucio at gmail.com Sat Oct 10 00:53:55 2009
From: luis.daniel.lucio at gmail.com (Luis Daniel Lucio Quiroz)
Date: Fri, 9 Oct 2009 23:53:55 -0500
Subject: [Snortsam-discussion] Snort 2.8.5 + Snortsam : Unknown rule option:'fwsam'.
In-Reply-To: <1255149964.99694.4.camel@server1>
References: <008501ca4751$b8387030$28a95090$@net> <200910092338.11615.luis.daniel.lucio@gmail.com> <1255149964.99694.4.camel@server1>
Message-ID: <200910092353.55500.luis.daniel.lucio@gmail.com>

On Friday, 9 October 2009 23:46:04, Frank Knobbe wrote:
> On Fri, 2009-10-09 at 23:38 -0500, Luis Daniel Lucio Quiroz wrote:
> > I've re-diffed the patch and added
> > RegisterRuleOption("fwsam", AlertFWsamOptionInit, NULL,
> > OPT_TYPE_DETECTION);
>
> Wrong patch. As we discussed, it should be
> RegisterRuleOption("fwsam", AlertFWsamOptionInit, NULL,
> OPT_TYPE_ACTION);
>
> Just like the old version was.
>
> I'll hack the diff real quick and put it back on the web.
>
> -Frank

Yes you are right
I'll change it right now

From frank at snortsam.net Sat Oct 10 00:56:42 2009
From: frank at snortsam.net (Frank Knobbe)
Date: Fri, 9 Oct 2009 23:56:42 -0500
Subject: [Snortsam-discussion] Snort 2.8.5 + Snortsam : Unknown rule option:'fwsam'.
In-Reply-To: <200910092353.55500.luis.daniel.lucio@gmail.com>
References: <008501ca4751$b8387030$28a95090$@net> <200910092338.11615.luis.daniel.lucio@gmail.com> <1255149964.99694.4.camel@server1> <200910092353.55500.luis.daniel.lucio@gmail.com>
Message-ID: <20091010045642.GB2612@knobbe.us>

On Fri, Oct 09, 2009 at 11:53:55PM -0500, Luis Daniel Lucio Quiroz wrote:
> > Wrong patch. As we discussed, it should be
> > RegisterRuleOption("fwsam", AlertFWsamOptionInit, NULL,
> > OPT_TYPE_ACTION);
> >
> > Just like the old version was.
> > I'll hack the diff real quick and put it back on the web.
>
> Yes you are right
> I'll change it right now

No need. I just put the corrected version on the web site.

Folks, please download the updated 2.8.5 patch and report results.

-Frank

From luis.daniel.lucio at gmail.com Sat Oct 10 00:58:26 2009
From: luis.daniel.lucio at gmail.com (Luis Daniel Lucio Quiroz)
Date: Fri, 9 Oct 2009 23:58:26 -0500
Subject: [Snortsam-discussion] Snort 2.8.5 + Snortsam : Unknown rule option:'fwsam'.
In-Reply-To: <1255149964.99694.4.camel@server1>
References: <008501ca4751$b8387030$28a95090$@net> <200910092338.11615.luis.daniel.lucio@gmail.com> <1255149964.99694.4.camel@server1>
Message-ID: <200910092358.27124.luis.daniel.lucio@gmail.com>

On Friday, 9 October 2009 23:46:04, Frank Knobbe wrote:
> On Fri, 2009-10-09 at 23:38 -0500, Luis Daniel Lucio Quiroz wrote:
> > I've re-diffed the patch and added
> > RegisterRuleOption("fwsam", AlertFWsamOptionInit, NULL,
> > OPT_TYPE_DETECTION);
>
> Wrong patch. As we discussed, it should be
> RegisterRuleOption("fwsam", AlertFWsamOptionInit, NULL,
> OPT_TYPE_ACTION);
>
> Just like the old version was.
>
> I'll hack the diff real quick and put it back on the web.
>
> -Frank

Here it is, with fix
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snortsam-2.8.5-dlucio.diff
Type: text/x-patch
Size: 114018 bytes
Desc: not available
Url : http://lists.snortsam.net/pipermail/snortsam-discussion/attachments/20091009/73e315f5/snortsam-2.8.5-dlucio-0001.bin

From maddog2k at maddog2k.net Sat Oct 10 11:36:19 2009
From: maddog2k at maddog2k.net (Wouter de Jong)
Date: Sat, 10 Oct 2009 17:36:19 +0200
Subject: [Snortsam-discussion] Snort 2.8.5 + Snortsam : Unknown rule option:'fwsam'.
In-Reply-To: <20091010045642.GB2612@knobbe.us>
References: <008501ca4751$b8387030$28a95090$@net> <200910092338.11615.luis.daniel.lucio@gmail.com> <1255149964.99694.4.camel@server1> <200910092353.55500.luis.daniel.lucio@gmail.com> <20091010045642.GB2612@knobbe.us>
Message-ID: <003201ca49bf$69eb2600$3dc17200$@net>

(sorry for top-posting)

Frank, Luis,

I'm currently rebuilding 2.8.5 with the new 2.8.5 diff that's on the site.
I'll post the results asap.

Many thanks for the quick assistance / fixes !

Regards,

Wouter

-----Original Message-----
From: snortsam-discussion-bounces at snortsam.net [mailto:snortsam-discussion-bounces at snortsam.net] On Behalf Of Frank Knobbe
Sent: Saturday, October 10, 2009 06:57
To: snortsam-discussion at snortsam.net
Subject: Re: [Snortsam-discussion] Snort 2.8.5 + Snortsam : Unknown rule option:'fwsam'.

On Fri, Oct 09, 2009 at 11:53:55PM -0500, Luis Daniel Lucio Quiroz wrote:
> > Wrong patch. As we discussed, it should be
> > RegisterRuleOption("fwsam", AlertFWsamOptionInit, NULL,
> > OPT_TYPE_ACTION);
> >
> > Just like the old version was.
> > I'll hack the diff real quick and put it back on the web.
>
> Yes you are right
> I'll change it right now

No need. I just put the corrected version on the web site.

Folks, please download the updated 2.8.5 patch and report results.

-Frank

From luis.daniel.lucio at gmail.com Sat Oct 10 11:47:16 2009
From: luis.daniel.lucio at gmail.com (Luis Daniel Lucio Quiroz)
Date: Sat, 10 Oct 2009 10:47:16 -0500
Subject: [Snortsam-discussion] Warnings in twofish.c
Message-ID: <200910101047.16447.luis.daniel.lucio@gmail.com>

Frank, are you familiar with this?

../../../src/twofish.c: In function '_TwoFish_CryptRawCBC':
../../../src/twofish.c:211: warning: pointer targets in passing argument 1 of '_TwoFish_BlockCrypt' differ in signedness
../../../src/twofish.h:267: note: expected 'u_int8_t *' but argument is of type 'char *'
../../../src/twofish.c:211: warning: pointer targets in passing argument 2 of '_TwoFish_BlockCrypt' differ in signedness
../../../src/twofish.h:267: note: expected 'u_int8_t *' but argument is of type 'char *'
../../../src/twofish.c:217: warning: pointer targets in passing argument 1 of '_TwoFish_BlockCrypt' differ in signedness
../../../src/twofish.h:267: note: expected 'u_int8_t *' but argument is of type 'char *'
../../../src/twofish.c:217: warning: pointer targets in passing argument 2 of '_TwoFish_BlockCrypt' differ in signedness
../../../src/twofish.h:267: note: expected 'u_int8_t *' but argument is of type 'char *'
../../../src/twofish.c: In function 'TwoFishEncryptRaw':
../../../src/twofish.c:263: warning: pointer targets in assignment differ in signedness
../../../src/twofish.c: In function 'TwoFishDecryptRaw':
../../../src/twofish.c:284: warning: pointer targets in assignment differ in signedness
../../../src/twofish.c: In function 'TwoFishSetOutput':
../../../src/twofish.c:316: warning: pointer targets in assignment differ in signedness
../../../src/twofish.c: In function 'TwoFishEncrypt':
../../../src/twofish.c:423: warning: pointer targets in assignment differ in signedness
../../../src/twofish.c:432: warning: pointer targets in passing argument 2 of '_TwoFish_BlockCrypt' differ in signedness
../../../src/twofish.h:267: note: expected 'u_int8_t *' but argument is of type 'char *'
../../../src/twofish.c:435: warning: pointer targets in passing argument 1 of '_TwoFish_BinHex' differ in signedness
../../../src/twofish.c:349: note: expected 'u_int8_t *' but argument is of type 'char *'
../../../src/twofish.c:438: warning: pointer targets in assignment differ in signedness
../../../src/twofish.c: In function 'TwoFishDecrypt':
../../../src/twofish.c:486: warning: pointer targets in passing argument 1 of '_TwoFish_BinHex' differ in signedness
../../../src/twofish.c:349: note: expected 'u_int8_t *' but argument is of type 'char *'
../../../src/twofish.c:496: warning: pointer targets in passing argument 2 of '_TwoFish_CryptRawCBC' differ in signedness
../../../src/twofish.c:206: note: expected 'char *' but argument is of type 'u_int8_t *'
../../../src/twofish.c:498: warning: pointer targets in assignment differ in signedness

From maddog2k at maddog2k.net Sat Oct 10 12:02:52 2009
From: maddog2k at maddog2k.net (Wouter de Jong)
Date: Sat, 10 Oct 2009 18:02:52 +0200
Subject: [Snortsam-discussion] Snort 2.8.5 + Snortsam : Unknown rule option:'fwsam'.
In-Reply-To: <20091010045642.GB2612@knobbe.us>
References: <008501ca4751$b8387030$28a95090$@net> <200910092338.11615.luis.daniel.lucio@gmail.com> <1255149964.99694.4.camel@server1> <200910092353.55500.luis.daniel.lucio@gmail.com> <20091010045642.GB2612@knobbe.us>
Message-ID: <003501ca49c3$1f7e6d30$5e7b4790$@net>

(sorry for top-posting)

Hi Frank, Luis,

I hereby confirm the new patch works with 2.8.5

I'm now going to look at the snortsam agent, to see if I can add 'tag XXXX' support to the cisconullroute plugin.
This way, we can use it in our distributed blackhole setup (export static routes with tag -> BGP with a special community), and it will propagate to our border routers, and even to our transits.

Thanks for the great work.

Best regards,

Wouter

-----Original Message-----
From: snortsam-discussion-bounces at snortsam.net [mailto:snortsam-discussion-bounces at snortsam.net] On Behalf Of Frank Knobbe
Sent: Saturday, October 10, 2009 06:57
To: snortsam-discussion at snortsam.net
Subject: Re: [Snortsam-discussion] Snort 2.8.5 + Snortsam : Unknown rule option:'fwsam'.

On Fri, Oct 09, 2009 at 11:53:55PM -0500, Luis Daniel Lucio Quiroz wrote:
> > Wrong patch. As we discussed, it should be
> > RegisterRuleOption("fwsam", AlertFWsamOptionInit, NULL,
> > OPT_TYPE_ACTION);
> >
> > Just like the old version was.
> > I'll hack the diff real quick and put it back on the web.
>
> Yes you are right
> I'll change it right now

No need. I just put the corrected version on the web site.

Folks, please download the updated 2.8.5 patch and report results.

-Frank

From diomar at rmws.net Wed Oct 14 00:29:57 2009
From: diomar at rmws.net (J Carvalho)
Date: Wed, 14 Oct 2009 00:29:57 -0400
Subject: [Snortsam-discussion] Building snortsam and parts on Solaris 10?
Message-ID: <9F9C136F-7784-49CC-8C19-728456D4C753@rmws.net>

Sorry for the intrusion.
I've been working with Solaris 10 and was looking to see how snort and snortsam work with ipf.

Has anyone had experience with which pkgs are required and were you able to pull them from Blastwave?

thanks
--joe

From frank at snortsam.net Wed Oct 14 17:45:25 2009
From: frank at snortsam.net (Frank Knobbe)
Date: Wed, 14 Oct 2009 16:45:25 -0500
Subject: [Snortsam-discussion] Building snortsam and parts on Solaris 10?
In-Reply-To: <9F9C136F-7784-49CC-8C19-728456D4C753@rmws.net>
References: <9F9C136F-7784-49CC-8C19-728456D4C753@rmws.net>
Message-ID: <1255556725.36301.58.camel@localhost>

On Wed, 2009-10-14 at 00:29 -0400, J Carvalho wrote:
> Sorry for the intrusion.
> I've been working with Solaris 10 and was looking to see how snort and
> snortsam work with ipf.
>
> Has anyone had experience with which pkgs are required and were you
> able to pull them from Blastwave?

I would suggest you pull Snortsam from CVS (or use the tarball from the web site) instead of relying on 3rd party packages. Snortsam compiles and runs fine on Solaris, on little or big endian systems. Communication across different endian platforms works too (for example, Snort on Solaris on Intel, and Snortsam on Solaris on Sparc).

I haven't compiled it recently (my Ultra 5 is catching dust under the table), but there weren't any changes that should prevent compilation under Solaris.

I can't make a recommendation about Snort, but the Snortsam plugin in Snort should still work fine under Solaris.

Regards,
Frank

From diomar at rmws.net Wed Oct 14 18:11:25 2009
From: diomar at rmws.net (J Carvalho)
Date: Wed, 14 Oct 2009 18:11:25 -0400
Subject: [Snortsam-discussion] Building snortsam and parts on Solaris 10?
In-Reply-To: <1255556725.36301.58.camel@localhost>
References: <9F9C136F-7784-49CC-8C19-728456D4C753@rmws.net> <1255556725.36301.58.camel@localhost>
Message-ID: <67C97ACE-1A94-4E89-99A6-B062E2512E11@rmws.net>

Hello Frank.
Thanks for the response. I had downloaded snortsam (snortsam-src-2.63.tar.gz ) from snortsam.net

I'll pull via CVS and see how things go.
Here, running Solaris 5.10 Generic_137138-09 i86pc i386 i86pc
gcc3 and gcc4 are Blastwave packages.

Here are the errors I get:

bash-3.00# ./makesnortsam.sh
BSDTHREADLIB=-lpthread
+ uname
systype=SunOS
+ echo -------------------------------------------------------------------------------
-------------------------------------------------------------------------------
+ echo Building SnortSam (release)
Building SnortSam (release)
+ echo -------------------------------------------------------------------------------
-------------------------------------------------------------------------------
+ rm -f snortsam
+ rm -f snortsam-debug
+ cd src
+ rm -f *.o
+ gcc -O2 -DSunOS -DSOLARIS -c snortsam.c twofish.c ssp_fwexec.c ssp_fwsam.c ssp_ciscoacl.c ssp_cisco_nullroute.c ssp_email.c ssp_ipf.c ssp_pix.c ssp_forward.c ssp_snmp_interface_down.c ssp_netscreen.c ssp_wgrd.c
In file included from snortsam.h:164,
                 from snortsam.c:85:
twofish.h:97: error: syntax error before "u_int32_t"
-------------------------------------------------------------------------------
Building SnortSam (release)
-------------------------------------------------------------------------------
In file included from snortsam.h:164,
                 from snortsam.c:85:
twofish.h:97: error: syntax error before "u_int32_t"
twofish.h:97: warning: no semicolon at end of struct or union
twofish.h:98: warning: data definition has no type or storage class
twofish.h:99: error: syntax error before "key"
twofish.h:99: warning: data definition has no type or storage class
twofish.h:100: error: syntax error before '*' token
twofish.h:100: warning: data definition has no type or storage class
twofish.h:101: error: syntax error before "qBlockPlain"
twofish.h:101: warning: data definition has no type or storage class
twofish.h:102: error: syntax error before "qBlockCrypt"
twofish.h:102: warning: data definition has no type or storage class
twofish.h:103: error: syntax error before "prevCipher"
twofish.h:103: warning: data definition has no type or storage class
twofish.h:105: error: syntax error before "u_int32_t"
twofish.h:105: warning: no semicolon at end of struct or union
twofish.h:106: warning: data definition has no type or storage class
twofish.h:107: error: syntax error before "magic"
twofish.h:107: warning: data definition has no type or storage class
twofish.h:108: error: syntax error before '}' token
twofish.h:108: warning: data definition has no type or storage class
twofish.h:111: error: syntax error before '}' token
twofish.h:111: warning: data definition has no type or storage class
twofish.h:133: error: syntax error before '*' token
twofish.h:133: warning: data definition has no type or storage class
twofish.h:143: error: syntax error before '*' token
twofish.h:156: error: syntax error before "TWOFISH"
twofish.h:167: error: syntax error before '*' token
twofish.h:180: error: syntax error before "TWOFISH"
twofish.h:194: error: syntax error before "TWOFISH"
twofish.h:207: error: syntax error before "TWOFISH"
twofish.h:229: error: syntax error before "TWOFISH"
twofish.h:251: error: syntax error before "TWOFISH"
twofish.h:256: error: syntax error before "TwoFish__b"
twofish.h:256: error: syntax error before "x"
twofish.h:256: warning: data definition has no type or storage class

On Oct 14, 2009, at 17:45:25:EDT, Frank Knobbe wrote:

> On Wed, 2009-10-14 at 00:29 -0400, J Carvalho wrote:
>> Sorry for the intrusion.
>> I've been working with Solaris 10 and was looking to see how snort
>> and
>> snortsam work with ipf.
>>
>> Has anyone had experience with which pkgs are required and were you
>> able to pull them from Blastwave?
>
> I would suggest you pull Snortsam from CVS (or use the tarball from
> the
> web site) instead of relying on 3rd party packages. Snortsam compiles
> and runs fine on Solaris, on little or big endian systems.
> Communication
> across different endian platforms works too (for example, Snort on
> Solaris on Intel, and Snortsam on Solaris on Sparc).
>
> I haven't compiled it recently (my Ultra 5 is catching dust under the
> table), but there weren't any changes that should prevent compilation
> under Solaris.
>
> Can't make recommendation about Snort, but the Snortsam plugin in
> Snort
> should still work fine under Solaris.
>
>
> Regards,
> Frank

From maddog2k at maddog2k.net Thu Oct 15 05:14:07 2009
From: maddog2k at maddog2k.net (Wouter de Jong)
Date: Thu, 15 Oct 2009 11:14:07 +0200
Subject: [Snortsam-discussion] Building snortsam and parts on Solaris 10?
In-Reply-To: <67C97ACE-1A94-4E89-99A6-B062E2512E11@rmws.net>
References: <9F9C136F-7784-49CC-8C19-728456D4C753@rmws.net> <1255556725.36301.58.camel@localhost> <67C97ACE-1A94-4E89-99A6-B062E2512E11@rmws.net>
Message-ID: <014f01ca4d77$df940ff0$9ebc2fd0$@net>

(sorry for top-posting)

Maybe you could look if the suggestion mentioned below would help ?

http://woodlane.webconquest.com/pipermail/list/2009-June/000325.html

Best regards,

Wouter

> -----Original Message-----
> From: snortsam-discussion-bounces at snortsam.net [mailto:snortsam-
> discussion-bounces at snortsam.net] On Behalf Of J Carvalho
> Sent: Thursday, October 15, 2009 00:11
> To: snortsam-discussion at snortsam.net
> Subject: Re: [Snortsam-discussion] Building snortsam and parts on
> Solaris 10?
>
> Hello Frank.
> Thanks for the response. I had downloaded snortsam (snortsam-src-2.63.tar.gz )
> from snortsam.net
>
> I'll pull via CVS and see how things go.
> Here, running Solaris 5.10 Generic_137138-09 i86pc i386 i86pc
> gcc3 and gcc4 are Blastwave packages.
>
> Here are the errors I get:
>
> bash-3.00# ./makesnortsam.sh
> BSDTHREADLIB=-lpthread
> + uname
> systype=SunOS
> + echo
> -----------------------------------------------------------------------
> --------
> -----------------------------------------------------------------------
> --------
> + echo Building SnortSam (release)
> Building SnortSam (release)
> + echo
> -----------------------------------------------------------------------
> --------
> -----------------------------------------------------------------------
> --------
> + rm -f snortsam
> + rm -f snortsam-debug
> + cd src
> + rm -f *.o
> + gcc -O2 -DSunOS -DSOLARIS -c snortsam.c twofish.c ssp_fwexec.c
> ssp_fwsam.c ssp_ciscoacl.c ssp_cisco_nullroute.c ssp_email.c ssp_ipf.c
> ssp_pix.c ssp_forward.c ssp_snmp_interface_down.c ssp_netscreen.c
> ssp_wgrd.c
> In file included from snortsam.h:164,
> from snortsam.c:85:
> twofish.h:97: error: syntax error before "u_int32_t"
>
> -----------------------------------------------------------------------
> --------
> Building SnortSam (release)
> -----------------------------------------------------------------------
> --------
> In file included from snortsam.h:164,
> from snortsam.c:85:
> twofish.h:97: error: syntax error before "u_int32_t"
> twofish.h:97: warning: no semicolon at end of struct or union
> twofish.h:98: warning: data definition has no type or storage class
> twofish.h:99: error: syntax error before "key"
> twofish.h:99: warning: data definition has no type or storage class
> twofish.h:100: error: syntax error before '*' token
> twofish.h:100: warning: data definition has no type or storage class
> twofish.h:101: error: syntax error before "qBlockPlain"
> twofish.h:101: warning: data definition has no type or storage class
> twofish.h:102: error: syntax error before "qBlockCrypt"
> twofish.h:102: warning: data definition has no type or storage class
> twofish.h:103: error: syntax error before "prevCipher"
> twofish.h:103: warning: data definition has no type or storage class
> twofish.h:105: error: syntax error before "u_int32_t"
> twofish.h:105: warning: no semicolon at end of struct or union
> twofish.h:106: warning: data definition has no type or storage class
> twofish.h:107: error: syntax error before "magic"
> twofish.h:107: warning: data definition has no type or storage class
> twofish.h:108: error: syntax error before '}' token
> twofish.h:108: warning: data definition has no type or storage class
> twofish.h:111: error: syntax error before '}' token
> twofish.h:111: warning: data definition has no type or storage class
> twofish.h:133: error: syntax error before '*' token
> twofish.h:133: warning: data definition has no type or storage class
> twofish.h:143: error: syntax error before '*' token
> twofish.h:156: error: syntax error before "TWOFISH"
> twofish.h:167: error: syntax error before '*' token
> twofish.h:180: error: syntax error before "TWOFISH"
> twofish.h:194: error: syntax error before "TWOFISH"
> twofish.h:207: error: syntax error before "TWOFISH"
> twofish.h:229: error: syntax error before "TWOFISH"
> twofish.h:251: error: syntax error before "TWOFISH"
> twofish.h:256: error: syntax error before "TwoFish__b"
> twofish.h:256: error: syntax error before "x"
> twofish.h:256: warning: data definition has no type or storage class
>
>
> On Oct 14, 2009, at 17:45:25:EDT, Frank Knobbe wrote:
>
> > On Wed, 2009-10-14 at 00:29 -0400, J Carvalho wrote:
> >> Sorry for the intrusion.
> >> I've been working with Solaris 10 and was looking to see how snort
> >> and
> >> snortsam work with ipf.
> >>
> >> Has anyone had experience with which pkgs are required and were you
> >> able to pull them from Blastwave?
> >
> > I would suggest you pull Snortsam from CVS (or use the tarball from
> > the
> > web site) instead of relying on 3rd party packages. Snortsam compiles
> > and runs fine on Solaris, on little or big endian systems.
> > Communication
> > across different endian platforms works too (for example, Snort on
> > Solaris on Intel, and Snortsam on Solaris on Sparc).
> >
> > I haven't compiled it recently (my Ultra 5 is catching dust under the
> > table), but there weren't any changes that should prevent compilation
> > under Solaris.
> >
> > Can't make recommendation about Snort, but the Snortsam plugin in
> > Snort
> > should still work fine under Solaris.
> >
> >
> > Regards,
> > Frank

From frank at snortsam.net Thu Oct 15 12:30:06 2009
From: frank at snortsam.net (Frank Knobbe)
Date: Thu, 15 Oct 2009 11:30:06 -0500
Subject: [Snortsam-discussion] Building snortsam and parts on Solaris 10?
In-Reply-To: <67C97ACE-1A94-4E89-99A6-B062E2512E11@rmws.net>
References: <9F9C136F-7784-49CC-8C19-728456D4C753@rmws.net> <1255556725.36301.58.camel@localhost> <67C97ACE-1A94-4E89-99A6-B062E2512E11@rmws.net>
Message-ID: <1255624206.73248.10.camel@localhost>

On Wed, 2009-10-14 at 18:11 -0400, J Carvalho wrote:
> Thanks for the response. I had downloaded snortsam (snortsam-src-2.63.tar.gz )
> from snortsam.net
>
> I'll pull via CVS and see how things go.

> Here are the errors I get:

> twofish.h:97: error: syntax error before "u_int32_t"

Ah yes... the fixes to Twofish were done recently (or at least after I compiled it last on Solaris). I'll check out what Wouter referenced and include fixes for that shortly.

-Frank

From diomar at rmws.net Thu Oct 15 12:36:55 2009
From: diomar at rmws.net (J Carvalho)
Date: Thu, 15 Oct 2009 12:36:55 -0400
Subject: [Snortsam-discussion] Building snortsam and parts on Solaris 10?
In-Reply-To: <1255624206.73248.10.camel@localhost>
References: <9F9C136F-7784-49CC-8C19-728456D4C753@rmws.net> <1255556725.36301.58.camel@localhost> <67C97ACE-1A94-4E89-99A6-B062E2512E11@rmws.net> <1255624206.73248.10.camel@localhost>
Message-ID: <7643CD1A-4DA9-49BE-A1AE-BD7AAA6EE298@rmws.net>

On Oct 15, 2009, at 12:30:06:EDT, Frank Knobbe wrote:

> On Wed, 2009-10-14 at 18:11 -0400, J Carvalho wrote:
>> Thanks for the response. I had downloaded snortsam (snortsam-src-2.63.tar.gz )
>> from snortsam.net
>>
>> I'll pull via CVS and see how things go.
>
>> Here are the errors I get:
>
>> twofish.h:97: error: syntax error before "u_int32_t"
>
>
> Ah yes... the fixes to Twofish were done recently (or at least after I
> compiled it last on Solaris). I'll check out what Wouter referenced
> and
> include fixes for that shortly.
>
> -Frank

Yes, Wouter's suggestion does allow snortsam to compile.
I'm in the process of testing it now.

That was the fix. I also needed uint8_t as well:

/* We need u_int32_t and u_int16_t u_int8_t defined */
#ifdef SOLARIS
#ifndef _uint_defined
#include
typedef uint32_t u_int32_t;
typedef uint16_t u_int16_t;
typedef uint8_t u_int8_t;
#define _uint_defined
#endif /* _uint_defined */
#endif /* SOLARIS */

--joe

From diomar at rmws.net Thu Oct 15 12:37:41 2009
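An added example, not code from this thread or from Snortsam itself: the Solaris typedef shim J Carvalho posted above, followed by two small routines showing what the "pointer targets differ in signedness" warnings from the twofish.c build (reported by Luis earlier in the thread) are guarding against. It assumes a C99 <stdint.h> (the header name is missing from the quoted snippet) and <sys/types.h> for the BSD-style names on Linux/BSD; the functions bytes_to_hex, load_be32, naive_hex_len and self_check are made up for this illustration and the sample bytes are constructed.

```c
/* Added example (not Snortsam code): the Solaris typedef shim from the
 * thread, plus routines showing why "pointer targets differ in signedness"
 * is worth fixing rather than silencing.  Assumes C99 <stdint.h>; the
 * function names are invented for this illustration. */
#define _DEFAULT_SOURCE 1  /* glibc: expose u_intN_t even under -std=c99 */
#include <sys/types.h>     /* u_intN_t on Linux/BSD */
#include <stdint.h>        /* uintN_t everywhere */
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Solaris lacks the BSD u_intN_t names, so define them from the C99 ones.
 * SOLARIS is the macro makesnortsam.sh passes (-DSOLARIS); _uint_defined
 * keeps the block from being applied twice across headers. */
#ifdef SOLARIS
#ifndef _uint_defined
typedef uint32_t u_int32_t;
typedef uint16_t u_int16_t;
typedef uint8_t  u_int8_t;
#define _uint_defined
#endif /* _uint_defined */
#endif /* SOLARIS */

/* Hex-encode n bytes into out (needs 2n+1 bytes).  The unsigned pointer
 * type is the point: every byte yields nibble indexes in 0..15.  A caller
 * holding a char buffer casts at the call site, which is the proper way to
 * resolve the warning.  Returns characters written, 0 if out is too small. */
size_t bytes_to_hex(const u_int8_t *in, size_t n, char *out, size_t outlen)
{
    static const char digits[] = "0123456789abcdef";
    size_t i;
    if (outlen < 2 * n + 1)
        return 0;
    for (i = 0; i < n; i++) {
        out[2 * i]     = digits[in[i] >> 4];
        out[2 * i + 1] = digits[in[i] & 0x0f];
    }
    out[2 * n] = '\0';
    return 2 * n;
}

/* Big-endian load of four bytes.  Through a char pointer, p[0] << 24 on a
 * byte >= 0x80 would sign-extend first (and overflow a signed int); with
 * u_int8_t each byte promotes to a non-negative int. */
u_int32_t load_be32(const u_int8_t *p)
{
    return ((u_int32_t)p[0] << 24) | ((u_int32_t)p[1] << 16) |
           ((u_int32_t)p[2] << 8)  |  (u_int32_t)p[3];
}

/* What goes wrong when the same job is done over plain char: where char is
 * signed, a byte >= 0x80 becomes a negative int and "%02x" prints eight
 * digits instead of two, so a 2n+1-byte output buffer would overflow.
 * Returns the number of characters "%02x" produces for c. */
size_t naive_hex_len(char c)
{
    char tmp[16];
    return (size_t)snprintf(tmp, sizeof tmp, "%02x", c);
}

/* Self-check used by main(): 1 on success, 0 on the first mismatch. */
int self_check(void)
{
    const u_int8_t raw[4] = { 0xde, 0xad, 0xbe, 0xef };  /* constructed sample */
    char hex[9];

    if (sizeof(u_int32_t) != 4 || sizeof(u_int16_t) != 2 || sizeof(u_int8_t) != 1)
        return 0;
    if (bytes_to_hex(raw, sizeof raw, hex, sizeof hex) != 8 ||
        strcmp(hex, "deadbeef") != 0)
        return 0;
    if (bytes_to_hex(raw, sizeof raw, hex, 8) != 0)  /* buffer one byte short */
        return 0;
    if (load_be32(raw) != 0xdeadbeefU)
        return 0;
    /* 0xc3 is fine as u_int8_t but negative as a signed char */
    if (naive_hex_len((char)0xc3) != (CHAR_MIN < 0 ? 8 : 2))
        return 0;
    return 1;
}

int main(void)
{
    int ok = self_check();
    printf("signedness demo: %s (char is %s on this target)\n",
           ok ? "ok" : "FAILED", CHAR_MIN < 0 ? "signed" : "unsigned");
    return ok ? 0 : 1;
}
```

The shim mirrors the thread's fix exactly; the rest is the reason the compiler complains about char/u_int8_t mixing in a cipher: once a byte with the high bit set travels through a signed char, shifts, table lookups and hex formatting all operate on a negative value, and the hex case turns into a buffer overflow on a fixed-size output.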
From: diomar at rmws.net (J Carvalho)
Date: Thu, 15 Oct 2009 12:37:41 -0400
Subject: [Snortsam-discussion] Building snortsam and parts on Solaris 10?
In-Reply-To: <014f01ca4d77$df940ff0$9ebc2fd0$@net>
References: <9F9C136F-7784-49CC-8C19-728456D4C753@rmws.net> <1255556725.36301.58.camel@localhost> <67C97ACE-1A94-4E89-99A6-B062E2512E11@rmws.net> <014f01ca4d77$df940ff0$9ebc2fd0$@net>
Message-ID: <9E02FA54-666B-43E2-8D31-FFA2EADC28B7@rmws.net>

Hello Wouter.
Yes, that was the fix. I also needed uint8_t as well:

/* We need u_int32_t and u_int16_t u_int8_t defined */
#ifdef SOLARIS
#ifndef _uint_defined
#include
typedef uint32_t u_int32_t;
typedef uint16_t u_int16_t;
typedef uint8_t u_int8_t;
#define _uint_defined
#endif /* _uint_defined */
#endif /* SOLARIS */

On Oct 15, 2009, at 05:14:07:EDT, Wouter de Jong wrote:

> (sorry for top-posting)
>
> Maybe you could look if the suggestion mentioned below would help ?
>
> http://woodlane.webconquest.com/pipermail/list/2009-June/000325.html
>
> Best regards,
>
> Wouter
>
>
>> -----Original Message-----
>> From: snortsam-discussion-bounces at snortsam.net [mailto:snortsam-
>> discussion-bounces at snortsam.net] On Behalf Of J Carvalho
>> Sent: Thursday, October 15, 2009 00:11
>> To: snortsam-discussion at snortsam.net
>> Subject: Re: [Snortsam-discussion] Building snortsam and parts on
>> Solaris 10?
>>
>> Hello Frank.
>> Thanks for the response. I had downloaded snortsam (snortsam-src-2.63.tar.gz )
>> from snortsam.net
>>
>> I'll pull via CVS and see how things go.
>> Here, running Solaris 5.10 Generic_137138-09 i86pc i386 i86pc
>> gcc3 and gcc4 are Blastwave packages.
>>
>> Here are the errors I get:
>>
>> bash-3.00# ./makesnortsam.sh
>> BSDTHREADLIB=-lpthread
>> + uname
>> systype=SunOS
>> + echo
>> -----------------------------------------------------------------------
>> --------
>> -----------------------------------------------------------------------
>> --------
>> + echo Building SnortSam (release)
>> Building SnortSam (release)
>> + echo
>> -----------------------------------------------------------------------
>> --------
>> -----------------------------------------------------------------------
>> --------
>> + rm -f snortsam
>> + rm -f snortsam-debug
>> + cd src
>> + rm -f *.o
>> + gcc -O2 -DSunOS -DSOLARIS -c snortsam.c twofish.c ssp_fwexec.c
>> ssp_fwsam.c ssp_ciscoacl.c ssp_cisco_nullroute.c ssp_email.c
>> ssp_ipf.c
>> ssp_pix.c ssp_forward.c ssp_snmp_interface_down.c ssp_netscreen.c
>> ssp_wgrd.c
>> In file included from snortsam.h:164,
>> from snortsam.c:85:
>> twofish.h:97: error: syntax error before "u_int32_t"
>>
>> -----------------------------------------------------------------------
>> --------
>> Building SnortSam (release)
>> -----------------------------------------------------------------------
>> --------
>> In file included from snortsam.h:164,
>> from snortsam.c:85:
>> twofish.h:97: error: syntax error before "u_int32_t"
>> twofish.h:97: warning: no semicolon at end of struct or union
>> twofish.h:98: warning: data definition has no type or storage class
>> twofish.h:99: error: syntax error before "key"
>> twofish.h:99: warning: data definition has no type or storage class
>> twofish.h:100: error: syntax error before '*' token
>> twofish.h:100: warning: data definition has no type or storage class
>> twofish.h:101: error: syntax error before "qBlockPlain"
>> twofish.h:101: warning: data definition has no type or storage class
>> twofish.h:102: error: syntax error before "qBlockCrypt"
>> twofish.h:102: warning: data definition has no type or storage class
>> twofish.h:103: error: syntax error before "prevCipher"
>> twofish.h:103: warning: data definition has no type or storage class
>> twofish.h:105: error: syntax error before "u_int32_t"
>> twofish.h:105: warning: no semicolon at end of struct or union
>> twofish.h:106: warning: data definition has no type or storage class
>> twofish.h:107: error: syntax error before "magic"
>> twofish.h:107: warning: data definition has no type or storage class
>> twofish.h:108: error: syntax error before '}' token
>> twofish.h:108: warning: data definition has no type or storage class
>> twofish.h:111: error: syntax error before '}' token
>> twofish.h:111: warning: data definition has no type or storage class
>> twofish.h:133: error: syntax error before '*' token
>> twofish.h:133: warning: data definition has no type or storage class
>> twofish.h:143: error: syntax error before '*' token
>> twofish.h:156: error: syntax error before "TWOFISH"
>> twofish.h:167: error: syntax error before '*' token
>> twofish.h:180: error: syntax error before "TWOFISH"
>> twofish.h:194: error: syntax error before "TWOFISH"
>> twofish.h:207: error: syntax error before "TWOFISH"
>> twofish.h:229: error: syntax error before "TWOFISH"
>> twofish.h:251: error: syntax error before "TWOFISH"
>> twofish.h:256: error: syntax error before "TwoFish__b"
>> twofish.h:256: error: syntax error before "x"
>> twofish.h:256: warning: data definition has no type or storage class
>>
>>
>> On Oct 14, 2009, at 17:45:25:EDT, Frank Knobbe wrote:
>>
>>> On Wed, 2009-10-14 at 00:29 -0400, J Carvalho wrote:
>>>> Sorry for the intrusion.
>>>> I've been working with Solaris 10 and was looking to see how snort
>>>> and
>>>> snortsam work with ipf.
>>>>
>>>> Has anyone had experience with which pkgs are required and were you
>>>> able to pull them from Blastwave?
>>>
>>> I would suggest you pull Snortsam from CVS (or use the tarball from
>>> the
>>> web site) instead of relying on 3rd party packages. Snortsam
>>> compiles
>>> and runs fine on Solaris, on little or big endian systems.
>>> Communication
>>> across different endian platforms works too (for example, Snort on
>>> Solaris on Intel, and Snortsam on Solaris on Sparc).
>>>
>>> I haven't compiled it recently (my Ultra 5 is catching dust under
>>> the
>>> table), but there weren't any changes that should prevent
>>> compilation
>>> under Solaris.
>>>
>>> Can't make recommendation about Snort, but the Snortsam plugin in
>>> Snort
>>> should still work fine under Solaris.
>>>
>>>
>>> Regards,
>>> Frank

From frank at snortsam.net Thu Oct 15 21:26:01 2009
From: frank at snortsam.net (Frank Knobbe) Date: Thu, 15 Oct 2009 20:26:01 -0500 Subject: [Snortsam-discussion] Building snortsam and parts on Solaris 10? In-Reply-To: <7643CD1A-4DA9-49BE-A1AE-BD7AAA6EE298@rmws.net> References: <9F9C136F-7784-49CC-8C19-728456D4C753@rmws.net> <1255556725.36301.58.camel@localhost> <67C97ACE-1A94-4E89-99A6-B062E2512E11@rmws.net> <1255624206.73248.10.camel@localhost> <7643CD1A-4DA9-49BE-A1AE-BD7AAA6EE298@rmws.net> Message-ID: <1255656361.73248.87.camel@localhost> On Thu, 2009-10-15 at 12:36 -0400, J Carvalho wrote: > Yes, Wouter's suggestion does allow snortsam to compile. > I'm in the process of testing it now. > > That was the fix. I also needed uint8_t as well: > > /* We need u_int32_t and u_int16_t u_int8_t defined */ > #ifdef SOLARIS > #ifndef _uint_defined > #include > typedef uint32_t u_int32_t; > typedef uint16_t u_int16_t; > typedef uint8_t u_int8_t; > #define _uint_defined > #endif /* _uint_defined * Committed to CVS. (twofish.c and snortsam.h, just in case ...) I'm still working on some other optimizations in Snortsam. When committed, I'll roll a new tarball and update the web site. Thanks! Frank From diomar at rmws.net Thu Oct 15 21:37:10 2009 
From: diomar at rmws.net (J Carvalho) Date: Thu, 15 Oct 2009 21:37:10 -0400 Subject: [Snortsam-discussion] Building snortsam and parts on Solaris 10? In-Reply-To: <1255656361.73248.87.camel@localhost> References: <9F9C136F-7784-49CC-8C19-728456D4C753@rmws.net> <1255556725.36301.58.camel@localhost> <67C97ACE-1A94-4E89-99A6-B062E2512E11@rmws.net> <1255624206.73248.10.camel@localhost> <7643CD1A-4DA9-49BE-A1AE-BD7AAA6EE298@rmws.net> <1255656361.73248.87.camel@localhost> Message-ID: On Oct 15, 2009, at 21:26:01:EDT, Frank Knobbe wrote: > On Thu, 2009-10-15 at 12:36 -0400, J Carvalho wrote: > >> Yes, Wouter's suggestion does allow snortsam to compile. >> I'm in the process of testing it now. >> >> That was the fix. I also needed uint8_t as well: >> >> /* We need u_int32_t and u_int16_t u_int8_t defined */ >> #ifdef SOLARIS >> #ifndef _uint_defined >> #include >> typedef uint32_t u_int32_t; >> typedef uint16_t u_int16_t; >> typedef uint8_t u_int8_t; >> #define _uint_defined >> #endif /* _uint_defined * > > > Committed to CVS. (twofish.c and snortsam.h, just in case ...) > > I'm still working on some other optimizations in Snortsam. When > committed, I'll roll a new tarball and update the web site. > > > Thanks! > Frank > > > _______________________________________________ > Snortsam-discussion mailing list > Snortsam-discussion at snortsam.net > http://lists.snortsam.net/mailman/listinfo/snortsam-discussion Thou art a Rockstar. Snortsam is still running on sol10. Looking at ipfilter syntax and why it's not behaving. --joe From diomar at rmws.net Fri Oct 16 15:28:13 2009 
From: diomar at rmws.net (J Carvalho) Date: Fri, 16 Oct 2009 15:28:13 -0400 Subject: [Snortsam-discussion] Building snortsam and parts on Solaris 10? In-Reply-To: <1255656361.73248.87.camel@localhost> References: <9F9C136F-7784-49CC-8C19-728456D4C753@rmws.net> <1255556725.36301.58.camel@localhost> <67C97ACE-1A94-4E89-99A6-B062E2512E11@rmws.net> <1255624206.73248.10.camel@localhost> <7643CD1A-4DA9-49BE-A1AE-BD7AAA6EE298@rmws.net> <1255656361.73248.87.camel@localhost> Message-ID: On Oct 15, 2009, at 21:26:01:EDT, Frank Knobbe wrote: > On Thu, 2009-10-15 at 12:36 -0400, J Carvalho wrote: > >> Yes, Wouter's suggestion does allow snortsam to compile. >> I'm in the process of testing it now. >> >> That was the fix. I also needed uint8_t as well: >> >> /* We need u_int32_t and u_int16_t u_int8_t defined */ >> #ifdef SOLARIS >> #ifndef _uint_defined >> #include >> typedef uint32_t u_int32_t; >> typedef uint16_t u_int16_t; >> typedef uint8_t u_int8_t; >> #define _uint_defined >> #endif /* _uint_defined * > > > Committed to CVS. (twofish.c and snortsam.h, just in case ...) > > I'm still working on some other optimizations in Snortsam. When > committed, I'll roll a new tarball and update the web site. > > > Thanks! > Frank > > > _______________________________________________ > Snortsam-discussion mailing list > Snortsam-discussion at snortsam.net > http://lists.snortsam.net/mailman/listinfo/snortsam-discussion If there's anything else you'd need me to test, please let me know. I've been running snort->snortsam-> ipf on Solaris 10 using hping3 as a traffic generator. Testing of snortsam on a Virtualbox(v3.0.8) virtual machine, yields the following blocking rates. I'm using the host node(Centos5.3) as the hping traffic generator. 3 x hping3 --faster --rand-source sessions proved ideal at saturating the bridged interface. Limitations may be with hping3's address generation. This is on a Sun x6250/8 core/32GB Ram blade. 
These are worst-case traffic rates sent to a single vm's bridged interface: IPFilter rule-counts: ipfstat -ti 37351 rules ipfstat -to 37211 rules uptime 5:01am up 8:11, 3 users, load average: 10.44, 6.35, 3.83 as the rules expired or the random_ip_generator ran out of 'randomness), the load diminished. ipfstat -ti 10117 rules ipfstat -ti 10121 rules uptime 5:05am up 8:15, 3 users, load average: 3.29, 4.59, 3.69 From ohauer at gmx.de Fri Oct 16 16:31:56 2009 From: ohauer at gmx.de (olli hauer) Date: Fri, 16 Oct 2009 22:31:56 +0200 Subject: [Snortsam-discussion] null pointer exception in ssp_pf2.c Message-ID: <4AD8D83C.7070909@gmx.de> Hi, a null pointer exception can be triggered in the ssp_pf2.c module if the keyword pf2 without any further arguments is given. It looks ssp_pf.c is not affected, but it unloads the pf plugin even if there is another valid line configured. What is your suggestion about this? - apply default values - count valid lines and if valid lines <0 ignore the line fault line - unload the ssp_pf2 plugin and throw an error Regards, olli hauer The following patch results in the default settings if only the keyword pf2 is configured. Index: ssp_pf2.c =================================================================== RCS file: /cvsroot/snortsam/snortsam/src/ssp_pf2.c,v retrieving revision 3.1 diff -u -r3.1 ssp_pf2.c --- ssp_pf2.c 14 Apr 2009 18:50:45 -0000 3.1 +++ ssp_pf2.c 16 Oct 2009 20:19:23 -0000 @@ -112,7 +113,7 @@ printf("Debug: [pf2] Plugin Parsing...\n"); #endif - if (*val) + if (*val != 0) { if(parse_opts(val, options, " \t", "=", (sizeof(options)/sizeof(opt_pf2)))<0) @@ -122,6 +123,7 @@ plugindatalist->data=NULL; return; } + } pfp = safemalloc(sizeof(PF2DATA), "PF2Parse", "pfp"); bzero(pfp, sizeof(PF2DATA)); @@ -161,11 +167,10 @@ safecopy(pfp->tableout, tbuf); } - } From luis.daniel.lucio at gmail.com Fri Oct 16 17:02:28 2009 
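Review bot: `if (*val != 0)` in the first hunk (`@@ -112,7 +113,7 @@`) is semantically identical to the `if (*val)` it replaces, so that line is a style change only; neither form guards against `val` itself being NULL, which would still be dereferenced before the comparison. If the plugin can be handed a NULL rather than an empty string for a bare `pf2` keyword, the guard should read `if (val != NULL && *val != 0)`. Note also that the hunk header already shows a one-line offset (`+113`) before the first change, so the working copy carries an edit this diff does not include; regenerating the patch against a clean revision 3.1 checkout would make sure it applies.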
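Review bot: the added `}` in the second hunk (`@@ -122,6 +123,7 @@`) closes the `if (*val != 0)` block right after the `return;` of the parse_opts failure path, so `pfp = safemalloc(...)` and the following initialisation now also run for a bare `pf2` keyword, which is the stated intent; its matching brace is the `- }` removed in the third hunk, so the two hunks only make sense together and the change description should say the block end moved rather than that a check was changed. Worth confirming that every field read by the code that now runs without parse_opts (`pfp->tableout` is filled via `safecopy(pfp->tableout, tbuf)` at the end of that region) has a default set before that point, otherwise a bare `pf2` line yields empty anchor and table names instead of the documented defaults.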
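Review bot: the third hunk header (`@@ -161,11 +167,10 @@`) announces 11 old and 10 new lines, but only `safecopy(pfp->tableout, tbuf); }` and the removed `}` appear here, so the hunk as posted is truncated and cannot be reviewed for what else changed in that region; the offset has also grown from +2 after the second hunk to +6 here, which again points to lines added between the hunks that this diff does not show. Please attach the patch as a file rather than pasting it inline.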
From: luis.daniel.lucio at gmail.com (Luis Daniel Lucio Quiroz) Date: Fri, 16 Oct 2009 16:02:28 -0500 Subject: [Snortsam-discussion] null pointer exception in ssp_pf2.c In-Reply-To: <4AD8D83C.7070909@gmx.de> References: <4AD8D83C.7070909@gmx.de> Message-ID: <200910161602.29060.luis.daniel.lucio@gmail.com> On Friday 16 October 2009 15:31:56, olli hauer wrote: > Hi, > > a null pointer exception can be triggered in the ssp_pf2.c module if the > keyword pf2 without any further arguments is given. > > It looks ssp_pf.c is not affected, but it unloads the pf plugin even if > there is another valid line configured. > > What is your suggestion about this? > - apply default values > - count valid lines and if valid lines <0 ignore the line fault line > - unload the ssp_pf2 plugin and throw an error > > Regards, > olli hauer > > The following patch results in the default settings if only the keyword > pf2 is configured. > > > Index: ssp_pf2.c > =================================================================== > RCS file: /cvsroot/snortsam/snortsam/src/ssp_pf2.c,v > retrieving revision 3.1 > diff -u -r3.1 ssp_pf2.c > --- ssp_pf2.c 14 Apr 2009 18:50:45 -0000 3.1 > +++ ssp_pf2.c 16 Oct 2009 20:19:23 -0000 > @@ -112,7 +113,7 @@ > printf("Debug: [pf2] Plugin Parsing...\n"); > #endif > > - if (*val) > + if (*val != 0) > { > > if(parse_opts(val, options, " \t", "=", > (sizeof(options)/sizeof(opt_pf2)))<0) > @@ -122,6 +123,7 @@ > plugindatalist->data=NULL; > return; > } > + } > > pfp = safemalloc(sizeof(PF2DATA), "PF2Parse", "pfp"); > bzero(pfp, sizeof(PF2DATA)); 
> @@ -161,11 +167,10 @@ > safecopy(pfp->tableout, tbuf); > } > > - } > > > > _______________________________________________ > Snortsam-discussion mailing list > Snortsam-discussion at snortsam.net > http://lists.snortsam.net/mailman/listinfo/snortsam-discussion > Just think of this > + if (*val != 0) it is safer if you put something like this if ((val) && (!*val)) because if val == null that if will fail From ohauer at gmx.de Fri Oct 16 19:01:48 2009 
From: ohauer at gmx.de (olli hauer) Date: Sat, 17 Oct 2009 01:01:48 +0200 Subject: [Snortsam-discussion] suggestion for a README.pf2 Message-ID: <4AD8FB5C.3060000@gmx.de> Hi, since there is no README.pf2 I tried to write one. Regards, olli

README.pf2
-------------------------------------------------------------------------------

1. Description.

This plugin is for IP blocking on different versions of *BSD Operating
System. The plugin supports anchors and tables, but they will not be
created for you!

It now uses a new kind of configuration options
( option=value option2=value2 etc. )
Please see 3. Options to obtain a full list of available options.

Note : This is not a pf tutorial, please read the pf documentation to
understand the concepts of anchors, tables, rulesets etc. .

2. Compatibility.

This latest release supports the following OS/Versions :

  OpenBSD > 4.0
  FreeBSD > 6.0 with pf support (as module or compiled into the kernel)
  NetBSD  ?     with pf support

3. Options.

This is the list of pf2 options that you can set in the configuration file:
----------------------------------------------------------------------------

anchor=[string]    default is snortsam
  Sets the anchor name used to hold the tables/rulesets.
  To disable the usage of anchor use anchor=none or anchor=notused.

table=[string]     default is blockin,blockout
  The tablename in/outside an anchor. In addition to the table name the
  suffix 'in' and 'out' are added, so a table defined table=foo results
  into 'fooin' and 'fooout'.

log=0/1            default log=0
  If a IP is added/removed from a table snortsam will log a message in the
  file given with the logfile statement configured in snortsam.conf.

Example pf2 config lines in snortsam.cfg:
------------------------------------------

1) pf2 anchor=snortsam table=block log=1
   - the tables blockin and blockout inside the anchor snortsam will be used.
   - logging is done to the file specified as logfile in snortsam config.

2) pf2 anchor=notused table=badguy
   - the tables badguyin and badguyout outside any anchor will be used.

3) pf2 log=1 anchor=none
   - tables blockin and blockout outside any anchor will be used.
   - logging is done to the file specified as logfile in snortsam config.

Example pf.conf
----------------

1)
# filter rules
anchor snortsam
load config from "/etc/pf.conf.snortsam"

-- file /etc/pf.conf.snortsam --
# tables
table persist
table persist

# filter rules
block drop in quick log on bge0 from to any
block drop in quick log on bge1 from any to

2)
# tables
table persist
table persist

# filter rules
block drop in quick log on $if_ext from to any
block drop in quick log on $if_int from any to

3) see example 2)

All configuration options are parsed, no matter the OS/Version used, but
not all the parsed options are used, that depends on the OS/Version used,
see 4. Notes to get a list of used/relevant options in your OS/Version.

4. Notes.

The pf2 plugin does not create any rules, it is up to you to write the
ruleset which makes usage of the two tables defined.

Testing
-------

The following signature expects snortsam configured with fwsam(in|out) as
table name. Create snort signatures like this, probably in local.rules:

alert tcp any any -> $your_ip 11110 (msg:"TEST log 11110/tcp"; \
  sid:1111110;)
alert tcp any any -> $your_ip 11111 (msg:"TEST block 11111/tcp"; \
  sid:1111111; fwsam:src[in],5min;)

- start snort and snortsam, verify the processes are running, check their
  logfiles for any errors;
- verify that the test sigs fire and that alerting works before proceeding.
  I like to have snort log via syslog, do a "telnet $your_ip 11110" from any
  remote machine first, and then *expect* to see the "TEST log 11110/tcp" in
  syslog. If that doesn't work for you, *fix your configuration first*, it
  is pointless to continue without working alerting;
- check that anchor, tables and rules exist after snortsam started, read the
  pfctl manpage;

  # with anchor
  # pfctl -vsA
  # pfctl -a fwsam -sT
  # pfctl -a fwsam -t blockin -Ts
  # pfctl -a fwsam -t blockin -sr

  # without anchor
  # pfctl -sT
  # pfctl -t blockin -Ts

- test snortsam blocking with "telnet $your_ip 11111" from any remote
  machine. You should see a "TEST block 11111/tcp" alert in syslog, a message
  "Blocking $src_ip" in snortsam.log, and $src_ip listed in the output from
  "pfctl -a fwsam -t blockin -Ts" or "pfctl -t blockin -Ts"

  All traffic from $src_ip to $your_ip should be blocked now. After 5 minutes
  you should see "Unblocking $src_ip" in snortsam.log, $src_ip removed from
  the blockin table, and traffic from $src_ip to $your_ip should be allowed
  again. At least, that would be *expected* behavior. Prepare for debugging
  with pfctl if it doesn't work out right.

-------------------------------------------------------------------------------
$Id$

From frank at snortsam.net Fri Oct 16 19:32:27 2009 From: frank at snortsam.net (Frank Knobbe) Date: Fri, 16 Oct 2009 18:32:27 -0500 Subject: [Snortsam-discussion] suggestion for a README.pf2 In-Reply-To: <4AD8FB5C.3060000@gmx.de> References: <4AD8FB5C.3060000@gmx.de> Message-ID: <1255735947.56794.27.camel@localhost> On Sat, 2009-10-17 at 01:01 +0200, olli hauer wrote: > since there is no README.pf2 I tried to write one. Dammit... I just released a new version. :) Sorry I didn't see your email until just now. I'll get to the pf2 fixes soon and will include this document as well. Regards, Frank From frank at snortsam.net Fri Oct 16 19:37:20 2009
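A worked version of the option handling the README draft above describes (the snortsam/blockin/blockout/log=0 defaults, anchor=none or notused disabling the anchor, the 'in'/'out' table suffixes) that also keeps the defaults for a bare pf2 keyword, the case the ssp_pf2.c patch earlier in this thread addresses. This is an added example, not Snortsam's own ssp_pf2.c; the names pf2_opts, pf2_defaults and pf2_parse are hypothetical.

```c
#include <string.h>

/* Added example, not Snortsam's ssp_pf2.c (pf2_opts/pf2_parse are hypothetical):
 * parse the option=value tokens of a "pf2" config line into settings. */
#define PF2_NAMELEN 64

typedef struct {
    char anchor[PF2_NAMELEN];   /* "" = no anchor (anchor=none or notused) */
    char tablein[PF2_NAMELEN];  /* table name + "in" suffix */
    char tableout[PF2_NAMELEN]; /* table name + "out" suffix */
    int  log;                   /* log=0/1 */
} pf2_opts;
/* README defaults: anchor=snortsam, tables blockin/blockout, log=0 */
static void pf2_defaults(pf2_opts *o)
{
    memset(o, 0, sizeof *o);
    strcpy(o->anchor, "snortsam");
    strcpy(o->tablein, "blockin");
    strcpy(o->tableout, "blockout");
}
/* Returns 0 on success, -1 on a malformed or unknown token. A NULL or empty
 * line (bare "pf2" keyword) is valid and keeps the defaults; the pointer is
 * tested before it is dereferenced, the case the unpatched plugin got wrong. */
int pf2_parse(const char *line, pf2_opts *o)
{
    char buf[256], *tok, *eq, *val;
    pf2_defaults(o);
    if (line == NULL || *line == '\0')
        return 0;
    if (strlen(line) >= sizeof buf)
        return -1;                          /* refuse to truncate silently */
    strcpy(buf, line);
    for (tok = strtok(buf, " \t"); tok; tok = strtok(NULL, " \t")) {
        eq = strchr(tok, '=');
        if (eq == NULL || eq[1] == '\0')
            return -1;                      /* "option" without "=value" */
        *eq = '\0';
        val = eq + 1;
        if (strcmp(tok, "anchor") == 0) {
            if (strcmp(val, "none") == 0 || strcmp(val, "notused") == 0)
                o->anchor[0] = '\0';
            else if (strlen(val) < PF2_NAMELEN)
                strcpy(o->anchor, val);
            else
                return -1;                  /* name too long for the buffer */
        } else if (strcmp(tok, "table") == 0) {
            if (strlen(val) + 4 > PF2_NAMELEN) /* room for "out" + NUL */
                return -1;
            strcpy(o->tablein, val);  strcat(o->tablein, "in");
            strcpy(o->tableout, val); strcat(o->tableout, "out");
        } else if (strcmp(tok, "log") == 0) {
            if (strcmp(val, "0") != 0 && strcmp(val, "1") != 0)
                return -1;
            o->log = val[0] - '0';
        } else {
            return -1;                      /* unknown option */
        }
    }
    return 0;
}
```

Feeding it the three snortsam.cfg example lines from the README gives exactly the table and anchor names the README lists under each one, and a malformed token is rejected rather than silently ignored.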
From: frank at snortsam.net (Frank Knobbe) Date: Fri, 16 Oct 2009 18:37:20 -0500 Subject: [Snortsam-discussion] New Snortsam version 2.66 released Message-ID: <1255736240.56794.32.camel@localhost> Greetings (and apologies to Olli ;) I just released a new Snortsam version. Here are the highlights: ** Wouter de Jong submitted a modified version of the Cisco Null Route plugin. It's named "cisconullroute2". The plugin has extended config options and supports tagged routes. ** I dusted off the old Microsoft Visual Studio project file. You can now choose between Normal and OPSEC, but also ISA2002 and ISA2004 modifications. ** The config option "blockonly" has been added. If used, all blocks are ignored unless they match IP's or networks on this list. This is useful if you only want to block addresses from a certain network range. ("dontblock" still applies to these ranges). An option "unblockonly" is also present, though I can't think of a good use case for it at the moment. But the functionality is there. ** I made several changes to how the IP's are stored internally to improve performance when massive amounts of IP's are on the block list. In addition, the statefile is only saved in 5 sec intervals now to avoid excessive disk I/O. New Windows binaries have been compiled, and CVS and source tar ball have been updated to version 2.66. Enjoy, Frank