[Snortsam-discussion] Snort 2.8.5 + Snortsam : Unknown rule option:'fwsam'.
David Gomes
skysbsb at gmail.com
Thu Oct 8 08:19:13 EDT 2009
Yes, there is something wrong. I have tried the same thing that you just did
before, and ran into the same error.
The patch for 2.8.5 on the Snortsam site is not really for 2.8.5, but for
2.8.4.1, as you can see in the header of the file:
diff -ruN snort-2.8.4.1.orig/autojunk.sh snort-2.8.4.1/autojunk.sh
--- snort-2.8.4.1.orig/autojunk.sh 1970-01-01 03:30:00.000000000 +0330
+++ snort-2.8.4.1/autojunk.sh 2009-06-23 16:40:44.000000000 +0430
It is just the same 2.8.4.1 patch. I think the Snortsam team has not released
the 2.8.5 patch yet.
On Thu, Oct 8, 2009 at 5:52 AM, Wouter de Jong <maddog2k at maddog2k.net> wrote:
> Hi Rob,
>
> This is exactly what I did...
> That's why I posted the 'strings /usr/sbin/snort | grep -i fwsam' output as
> 'proof',
> cause I knew I'd get a reaction like yours, but apparently it was still not
> clear :))
>
> In the meantime, I've downgraded to Snort 2.8.4.1,
> built it in exactly the same way as 2.8.5 but with the 2.8.4.1 snortsam-patch
> and that works ok.
>
> So there seems to be something wrong with the patch for 2.8.5 ...
>
> Best regards,
>
> Wouter
>
>
> -----Original Message-----
> From: snortsam-discussion-bounces at snortsam.net
> [mailto:snortsam-discussion-bounces at snortsam.net] On Behalf Of Rob Sly
> Sent: Wednesday, October 07, 2009 17:47
> To: snortsam-discussion at snortsam.net
> Subject: Re: [Snortsam-discussion] Snort 2.8.5 + Snortsam : Unknown rule
> option:'fwsam'.
>
> You need to download the patch file from
> http://www.snortsam.net/download.html for the specific version of snort that
> you are using, and patch the sourcecode for snort, to add in snortsam. Then
> you need to configure and compile, and you should be able to get it working.
>
> Post back on your success or if you need further help.
>
> --------------------------------------------------
> From: "Wouter de Jong" <maddog2k at maddog2k.net>
> Sent: Wednesday, October 07, 2009 9:26 AM
> To: <snortsam-discussion at snortsam.net>
> Subject: [Snortsam-discussion] Snort 2.8.5 + Snortsam : Unknown rule
> option:'fwsam'.
>
> > Hi,
> >
> > I can't get Snort 2.8.5 (patched with the Snortsam patch) to work ...
> > As soon as I want to load a test-rule like this :
> >
> > alert icmp any any -> $HOME_NET any (msg:"ICMP test"; dsize:>1400;
> > sid:1000001; fwsam: src, 20 minutes;)
> >
> > I get the following :
> >
> > +++++++++++++++++++++++++++++++++++++++++++++++++++
> > Initializing rule chains...
> > ERROR: /etc/snort/rules/local.rules(7) Unknown rule option: 'fwsam'.
> > Fatal Error, Quitting..
> >
> > Snort does have Snortsam compiled in, because a 'strings /usr/sbin/snort |
> > grep -i fwsam' reveals lines like :
> >
> > ERROR => [Alert_FWsam](FWsamCheckOut) Funky socket error (socket)!
> > ERROR => [Alert_FWsam](FWsamCheckOut) Could not bind socket!
> > INFO => [Alert_FWsam](FWsamCheckOut) Disconnecting from host %s.
> > INFO => [Alert_FWsam](FWsamCheckOut) Had to use initial key!
> >
> > etc, etc.
> >
> > Am I missing something here ?
> >
> > Best regards,
> >
> > Wouter de Jong
> >
> > _______________________________________________
> > Snortsam-discussion mailing list
> > Snortsam-discussion at snortsam.net
> > http://lists.snortsam.net/mailman/listinfo/snortsam-discussion
> >
>
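
The header check described in the message above, written out as an added example; it is not part of the original post and not Snortsam project code. It assumes the patch names its top-level directory `snort-<version>` as in the quoted header; the function names are hypothetical and the second file header in the sample is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): check which Snort release a Snortsam
# patch was generated against before applying it to a source tree.

# Print the distinct versions named in the patch's "+++ snort-<version>/" headers.
patch_target_versions() {
    sed -n 's|^+++ snort-\([0-9][0-9.]*\)/.*|\1|p' "$1" | sort -u
}

# Succeed only if every file header in patch $1 targets Snort version $2.
patch_matches_version() {
    found=$(patch_target_versions "$1")
    [ -n "$found" ] && [ "$found" = "$2" ]
}

# Constructed sample: the first file header is the one quoted in the message,
# the second file header is made up for illustration.
write_sample_patch() {
    cat > "$1" <<'EOF'
diff -ruN snort-2.8.4.1.orig/autojunk.sh snort-2.8.4.1/autojunk.sh
--- snort-2.8.4.1.orig/autojunk.sh 1970-01-01 03:30:00.000000000 +0330
+++ snort-2.8.4.1/autojunk.sh 2009-06-23 16:40:44.000000000 +0430
diff -ruN snort-2.8.4.1.orig/src/example.c snort-2.8.4.1/src/example.c
--- snort-2.8.4.1.orig/src/example.c 1970-01-01 03:30:00.000000000 +0330
+++ snort-2.8.4.1/src/example.c 2009-06-23 16:40:44.000000000 +0430
EOF
}

sample=$(mktemp)
write_sample_patch "$sample"
for want in 2.8.5 2.8.4.1; do
    if patch_matches_version "$sample" "$want"; then
        echo "patch headers name snort-$want"
    else
        echo "patch headers do NOT name snort-$want (found: $(patch_target_versions "$sample"))"
    fi
done
rm -f "$sample"
```
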