[Snortsam-discussion] Snort 2.8.5 + Snortsam : Unknown rule option:'fwsam'.
Wouter de Jong
maddog2k at maddog2k.net
Thu Oct 8 04:52:08 EDT 2009
Hi Rob,
This is exactly what I did...
That's why I posted the 'strings /usr/sbin/snort | grep -i fwsam' output as 'proof', cause I knew I'd get a reaction like yours, but apparently it was still not clear :))
In the meantime, I've downgraded to Snort 2.8.4.1, built it in exactly the same way as 2.8.5 but with the 2.8.4.1 snortsam-patch, and that works ok.
So there seems to be something wrong with the patch for 2.8.5 ...
Best regards,
Wouter
-----Original Message-----
From: snortsam-discussion-bounces at snortsam.net
[mailto:snortsam-discussion-bounces at snortsam.net] On Behalf Of Rob Sly
Sent: Wednesday, October 07, 2009 17:47
To: snortsam-discussion at snortsam.net
Subject: Re: [Snortsam-discussion] Snort 2.8.5 + Snortsam : Unknown rule
option:'fwsam'.
You need to download the patch file from http://www.snortsam.net/download.html for the specific version of snort that you are using, and patch the source code for snort, to add in snortsam. Then you need to configure and compile, and you should be able to get it working.
Post back on your success or if you need further help.
--------------------------------------------------
From: "Wouter de Jong" <maddog2k at maddog2k.net>
Sent: Wednesday, October 07, 2009 9:26 AM
To: <snortsam-discussion at snortsam.net>
Subject: [Snortsam-discussion] Snort 2.8.5 + Snortsam : Unknown rule
option:'fwsam'.
> Hi,
>
> I can't get Snort 2.8.5 (patched with the Snortsam patch) to work ...
> As soon as I want to load a test-rule like this:
>
> alert icmp any any -> $HOME_NET any (msg:"ICMP test"; dsize:>1400;
> sid:1000001; fwsam: src, 20 minutes;)
>
> I get the following :
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> ERROR: /etc/snort/rules/local.rules(7) Unknown rule option: 'fwsam'.
> Fatal Error, Quitting..
>
> Snort does have Snortsam compiled in, because a 'strings /usr/sbin/snort | grep -i fwsam' reveals lines like:
>
> ERROR => [Alert_FWsam](FWsamCheckOut) Funky socket error (socket)!
> ERROR => [Alert_FWsam](FWsamCheckOut) Could not bind socket!
> INFO => [Alert_FWsam](FWsamCheckOut) Disconnecting from host %s.
> INFO => [Alert_FWsam](FWsamCheckOut) Had to use initial key!
>
> etc, etc.
>
> Am I missing something here?
>
> Best regards,
>
> Wouter de Jong
>
> _______________________________________________
> Snortsam-discussion mailing list
> Snortsam-discussion at snortsam.net
> http://lists.snortsam.net/mailman/listinfo/snortsam-discussion
>
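As an added illustration (not code from the thread, Snort or Snortsam): a small pre-flight script that lists the rules using the fwsam option and checks whether the Snort binary carries any fwsam strings, using grep -a so it works where binutils' strings is absent. The binary and rules paths are the ones from the thread; the snort.conf location is an assumption.

```shell
#!/bin/sh
# Pre-flight check before loading Snortsam rules (added example, not from the thread).
# Paths from the thread: /usr/sbin/snort and /etc/snort/rules/local.rules;
# the snort.conf location is an assumption.

# Print, with line numbers (as Snort reports them in its error), the rules
# that use the fwsam option, e.g. "fwsam: src, 20 minutes;". A "fwsam" inside
# a msg string is not matched because it is not followed by a colon.
fwsam_rules() {
    grep -n -i -E '(^|[;( ])fwsam[[:space:]]*:' "$1"
}

# Count the distinct fwsam-related identifiers embedded in a binary.
# `grep -a` treats the file as text, so this works without binutils' strings.
fwsam_strings_in_binary() {
    grep -a -o -i 'fwsam[A-Za-z_]*' "$1" 2>/dev/null | sort -u | wc -l | tr -d ' '
}

# Exit 0 when the checks pass, 1 when fwsam rules exist but the binary has no
# trace of fwsam (i.e. the Snortsam patch never made it into this build).
preflight() {
    snort_bin="${1:-/usr/sbin/snort}"
    rules="${2:-/etc/snort/rules/local.rules}"
    conf="${3:-/etc/snort/snort.conf}"   # assumed location
    n_rules=$(fwsam_rules "$rules" 2>/dev/null | wc -l | tr -d ' ')
    n_syms=$(fwsam_strings_in_binary "$snort_bin")
    if [ "$n_rules" -eq 0 ]; then
        echo "no fwsam rules in $rules; nothing to check"
        return 0
    fi
    if [ "$n_syms" -eq 0 ]; then
        echo "$n_rules fwsam rule(s) in $rules but no fwsam strings in $snort_bin:"
        echo "rebuild Snort with the Snortsam patch for this exact Snort version"
        return 1
    fi
    echo "$n_rules fwsam rule(s); $n_syms distinct fwsam string(s) in $snort_bin"
    # As the thread shows, Alert_FWsam output-plugin strings alone do not prove
    # the 'fwsam' rule option is registered; only a parse-only run settles that.
    echo "confirm with: $snort_bin -T -c $conf"
    return 0
}

# Usage: ./preflight.sh [snort-binary] [rules-file] [snort.conf]
if [ "$#" -gt 0 ]; then preflight "$@"; fi
```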