From sslaytor at iom.com Mon Sep 14 16:54:31 2009
From: sslaytor at iom.com (Simon Slaytor)
Date: Mon, 14 Sep 2009 21:54:31 +0100
Subject: [Snortsam-discussion] Compiling SnortSam on OpenBSD 4.5
Message-ID: <4AAEAD87.6090108@iom.com>

Hi Folks,

New to the list so be gentle ;-)

I'm trying to build/install SnortSam 2.6 (tried CVS & tar ball) on OpenBSD 4.5 (AMD64), however I'm having a bit of trouble.

Doing a ./makesnortsam.sh from the default code base gets me the following:

-------------------------------------------------------------------------------
Building SnortSam (release)
-------------------------------------------------------------------------------
ssp_pf.c: In function `PFParse':
ssp_pf.c:300: error: structure has no member named `anchorname'
ssp_pf.c:343: error: structure has no member named `pfrt_ruleset'
ssp_pf.c:367: error: structure has no member named `ruleset'
ssp_pf.c:367: error: `PF_RULESET_NAME_SIZE' undeclared (first use in this function)
ssp_pf.c:367: error: (Each undeclared identifier is reported only once
ssp_pf.c:367: error: for each function it appears in.)
ssp_pf.c:429: error: structure has no member named `pfrt_ruleset'
ssp_pf.c:453: error: structure has no member named `ruleset'
ssp_pf.c:515: error: structure has no member named `pfrt_ruleset'
ssp_pf.c:540: error: structure has no member named `ruleset'
ssp_pf.c:599: error: structure has no member named `ruleset'
ssp_pf.c: In function `PFBlock':
ssp_pf.c:820: error: structure has no member named `pfrt_ruleset'
ssp_pf.c:820: error: `PF_RULESET_NAME_SIZE' undeclared (first use in this function)
ssp_pf.c:847: error: structure has no member named `pfrt_ruleset'
ssp_pf.c:866: error: structure has no member named `pfrt_ruleset'
ssp_pf.c:885: error: structure has no member named `pfrt_ruleset'
ssp_pf.c:957: error: structure has no member named `pfrt_ruleset'
ssp_pf.c:984: error: structure has no member named `pfrt_ruleset'
ssp_pf.c:1003: error: structure has no member named `pfrt_ruleset'
ssp_pf.c:1022: error: structure has no member named `pfrt_ruleset'
gcc: ssp_pf.o: No such file or directory
-------------------------------------------------------------------------------
Building SnortSam (debug)
-------------------------------------------------------------------------------
ssp_pf.c: In function `PFParse':
ssp_pf.c:300: error: structure has no member named `anchorname'
ssp_pf.c:343: error: structure has no member named `pfrt_ruleset'
ssp_pf.c:367: error: structure has no member named `ruleset'
ssp_pf.c:367: error: `PF_RULESET_NAME_SIZE' undeclared (first use in this function)
ssp_pf.c:367: error: (Each undeclared identifier is reported only once
ssp_pf.c:367: error: for each function it appears in.)
ssp_pf.c:429: error: structure has no member named `pfrt_ruleset'
ssp_pf.c:453: error: structure has no member named `ruleset'
ssp_pf.c:515: error: structure has no member named `pfrt_ruleset'
ssp_pf.c:540: error: structure has no member named `ruleset'
ssp_pf.c:599: error: structure has no member named `ruleset'
ssp_pf.c: In function `PFBlock':
ssp_pf.c:820: error: structure has no member named `pfrt_ruleset'
ssp_pf.c:820: error: `PF_RULESET_NAME_SIZE' undeclared (first use in this function)
ssp_pf.c:847: error: structure has no member named `pfrt_ruleset'
ssp_pf.c:866: error: structure has no member named `pfrt_ruleset'
ssp_pf.c:885: error: structure has no member named `pfrt_ruleset'
ssp_pf.c:957: error: structure has no member named `pfrt_ruleset'
ssp_pf.c:984: error: structure has no member named `pfrt_ruleset'
ssp_pf.c:1003: error: structure has no member named `pfrt_ruleset'
ssp_pf.c:1022: error: structure has no member named `pfrt_ruleset'
gcc: ssp_pf.o: No such file or directory
Done.

I did some googling and I found someone who had built snortsam on OpenBSD 4.4. Following the poster's details I have added the following to the src/ssp_pf.h file, updated for 4.5 over 4.4.

#ifdef OpenBSD4_5
#define USENEWCODE
#define OpenBSD3_6 OpenBSD3_7
#endif

Now I get the following when trying to compile SnortSam.
-------------------------------------------------------------------------------
Building SnortSam (release)
-------------------------------------------------------------------------------
ssp_pf2.o(.text+0x0): In function `parse_opts':
: multiple definition of `parse_opts'
ssp_pf.o(.text+0x0): first defined here
snortsam.o(.text+0xada): In function `remspace':
: warning: strcpy() is almost always misused, please use strlcpy()
collect2: ld returned 1 exit status
-------------------------------------------------------------------------------
Building SnortSam (debug)
-------------------------------------------------------------------------------
ssp_pf2.o(.text+0x0): In function `parse_opts':
: multiple definition of `parse_opts'
ssp_pf.o(.text+0x0): first defined here
snortsam.o(.text+0xb6a): In function `remspace':
: warning: strcpy() is almost always misused, please use strlcpy()
collect2: ld returned 1 exit status
Done.

Any help would be appreciated.

Thanks
Simon

From frank at snortsam.net Tue Sep 15 15:55:57 2009
From: frank at snortsam.net (Frank Knobbe)
Date: Tue, 15 Sep 2009 14:55:57 -0500
Subject: [Snortsam-discussion] Compiling SnortSam on OpenBSD 4.5
In-Reply-To: <4AAEAD87.6090108@iom.com>
References: <4AAEAD87.6090108@iom.com>
Message-ID: <1253044557.93415.3.camel@localhost>

On Mon, 2009-09-14 at 21:54 +0100, Simon Slaytor wrote:
> I'm trying to build/install SnortSam 2.6 (tried CVS & tar ball) on
> OpenBSD 4.5 (AMD64) however I'm having a bit of trouble.

[...]

> I did some googling and I found someone who had built snortsam on
> OpenBSD 4.4, following the poster's details I have added the following to
> the src/ssp_pf.h file, updated for 4.5 over 4.4.
>
> #ifdef OpenBSD4_5
> #define USENEWCODE
> #define OpenBSD3_6 OpenBSD3_7
> #endif
>

Yeah, the pf code needs to be updated and cleaned up a bit. Any volunteers to rewrite it so that the constant updating of the version DEFINE can be removed?

> Now I get the following when trying to compile SnortSam.
>
> -------------------------------------------------------------------------------
> Building SnortSam (release)
> -------------------------------------------------------------------------------
> ssp_pf2.o(.text+0x0): In function `parse_opts':
> : multiple definition of `parse_opts'
> ssp_pf.o(.text+0x0): first defined here
> snortsam.o(.text+0xada): In function `remspace':
> : warning: strcpy() is almost always misused, please use strlcpy()
> collect2: ld returned 1 exit status

Don't worry about the strcpy warning, it's not misused in remspace :)

As far as the other issues, since you fixed up ssp_pf.c, use only that. Do not compile ssp_pf.c and ssp_pf2.c at the same time. Choose one. So, go ahead and remove the ssp_pf2 references from plugins.h. Remove the include of ssp_pf2.h at the top, and remove the plugin section for pf2 in the list of plugins. Then recompile again. All should be well then.

Regards,
Frank

From frank at snortsam.net Tue Sep 15 18:37:29 2009
From: frank at snortsam.net (Frank Knobbe)
Date: Tue, 15 Sep 2009 17:37:29 -0500
Subject: [Snortsam-discussion] Compiling SnortSam on OpenBSD 4.5
In-Reply-To: <1253044557.93415.3.camel@localhost>
References: <4AAEAD87.6090108@iom.com> <1253044557.93415.3.camel@localhost>
Message-ID: <1253054249.93415.50.camel@localhost>

On Tue, 2009-09-15 at 14:55 -0500, Frank Knobbe wrote:
> [...] So,
> go ahead and remove the ssp_pf2 references from plugins.h. Remove the
> include of ssp_pf2.h at the top, and remove the plugin section for pf2
> in the list of plugins. Then recompile again. All should be well then.

Oh, also remove any ssp_pf2.c or .o references from the Makefile in src (if using make) or the makesnortsam.sh script.
Cheers,
Frank

From frank at snortsam.net Tue Sep 15 23:57:39 2009
From: frank at snortsam.net (Frank Knobbe)
Date: Tue, 15 Sep 2009 22:57:39 -0500
Subject: [Snortsam-discussion] New Snortsam version 2.61
Message-ID: <1253073459.93415.58.camel@localhost>

Greetings,

I just committed a small update to Snortsam, now at version 2.61, which includes:

-- The config option DONTUNBLOCK. DONTBLOCK only filters block requests and unblock requests had always been forwarded unfiltered. Using DONTUNBLOCK, you can now ignore unblock requests for specific hosts/networks.

-- The forwarder plugin received a small patch so that it now prevents forwarding a request back to an IP address where it received the request from.

Regards,
Frank

From luis.daniel.lucio at gmail.com Thu Sep 17 13:43:50 2009
From: luis.daniel.lucio at gmail.com (Luis Daniel Lucio Quiroz)
Date: Thu, 17 Sep 2009 12:43:50 -0500
Subject: [Snortsam-discussion] New Snortsam version 2.61
In-Reply-To: <1253073459.93415.58.camel@localhost>
References: <1253073459.93415.58.camel@localhost>
Message-ID: <200909171243.50871.luis.daniel.lucio@gmail.com>

On Tuesday 15 September 2009 22:57:39, Frank Knobbe wrote:
> Greetings,
>
> I just committed a small update to Snortsam, now at version 2.61, which
> includes:
>
> -- The config option DONTUNBLOCK. DONTBLOCK only filters block requests
> and unblock requests had always been forwarded unfiltered. Using
> DONTUNBLOCK, you can now ignore unblock requests for specific
> hosts/networks.
>
> -- The forwarder plugin received a small patch so that it now prevents
> forwarding a request back to an IP address where it received the request
> from.
>
> Regards,
> Frank
>
>
>
> _______________________________________________
> Snortsam-discussion mailing list
> Snortsam-discussion at snortsam.net
> http://lists.snortsam.net/mailman/listinfo/snortsam-discussion
>

Cool,

I'll package it for Mandriva.

Does it have the twofish patch already done?
Does it compile against the new snort 2.8.5?
Kind regards,
LD

From frank at snortsam.net Fri Sep 18 15:17:06 2009
From: frank at snortsam.net (Frank Knobbe)
Date: Fri, 18 Sep 2009 14:17:06 -0500
Subject: [Snortsam-discussion] New Snortsam version 2.61
In-Reply-To: <200909171243.50871.luis.daniel.lucio@gmail.com>
References: <1253073459.93415.58.camel@localhost> <200909171243.50871.luis.daniel.lucio@gmail.com>
Message-ID: <1253301426.72224.16.camel@localhost>

On Thu, 2009-09-17 at 12:43 -0500, Luis Daniel Lucio Quiroz wrote:
> Cool,
>
> I'll package it for Mandriva.
>
> Does it have the twofish patch already done?
> Does it compile against the new snort 2.8.5?

This is only Snortsam itself, not the patch for Snort. That's still unchanged. I'll soon be updating the Snort piece to add persistent TCP connections and the fixed Twofish code. I'm planning on doing this right after the Barnyard2 plugin. The idea was to write that, back port it to Barnyard1 and Snort.

Regards,
Frank

From frank at snortsam.net Sat Sep 19 22:08:17 2009
From: frank at snortsam.net (Frank Knobbe)
Date: Sat, 19 Sep 2009 21:08:17 -0500
Subject: [Snortsam-discussion] New Snortsam version 2.63
Message-ID: <1253412497.21902.4.camel@localhost>

Greetings,

Snortsam has again been updated. It's now at version 2.63. Fixes in this release include:

- Added ifdefs around a couple missed mutexes so that Snortsam compiles fine on Windows again.

- Fixed the issue with Snortsam crashing under certain conditions when using persistent TCP connections and a remote connection disappeared. This has survived brutal testing in the lab, so I committed the change to the new version.

CVS and the source tarball on web and FTP have been updated.
Regards,
Frank

From luis.daniel.lucio at gmail.com Tue Sep 22 22:53:45 2009
From: luis.daniel.lucio at gmail.com (Luis Daniel Lucio Quiroz)
Date: Tue, 22 Sep 2009 21:53:45 -0500
Subject: [Snortsam-discussion] Snort 2.8.4.1 Diff Available - now 2.8.5
In-Reply-To: <3736B42B-2D74-4D6F-8D0E-5B85AF568CED@mac.com>
References: <3736B42B-2D74-4D6F-8D0E-5B85AF568CED@mac.com>
Message-ID: <200909222153.45826.luis.daniel.lucio@gmail.com>

On Tuesday 23 June 2009 12:27:42, Babak Farrokhi wrote:
> Hi,
>
> Unfortunately the diff contains twofish implementation version 1.5
> which is not 64-bit safe.
> Please see the attached diff that is basically the same diff with
> twofish version 2.1.
>

For all

-------------- next part --------------
A non-text attachment was scrubbed...
Name: snortsam-2.8.5-dlucio.diff
Type: text/x-patch
Size: 113802 bytes
Desc: not available
Url : http://lists.snortsam.net/pipermail/snortsam-discussion/attachments/20090922/8d1c5da5/snortsam-2.8.5-dlucio-0001.bin

From frank at snortsam.net Wed Sep 23 09:56:58 2009
From: frank at snortsam.net (Frank Knobbe)
Date: Wed, 23 Sep 2009 08:56:58 -0500
Subject: [Snortsam-discussion] Snort 2.8.4.1 Diff Available - now 2.8.5
In-Reply-To: <200909222153.45826.luis.daniel.lucio@gmail.com>
References: <3736B42B-2D74-4D6F-8D0E-5B85AF568CED@mac.com> <200909222153.45826.luis.daniel.lucio@gmail.com>
Message-ID: <1253714218.33713.7.camel@localhost>

On Tue, 2009-09-22 at 21:53 -0500, Luis Daniel Lucio Quiroz wrote:
> For all

The patch for Snort 2.8.5 has been uploaded to the web site.

Thanks Luis!
-Frank

From luis.daniel.lucio at gmail.com Wed Sep 23 12:07:09 2009
From: luis.daniel.lucio at gmail.com (Luis Daniel Lucio Quiroz)
Date: Wed, 23 Sep 2009 11:07:09 -0500
Subject: [Snortsam-discussion] Snort 2.8.4.1 Diff Available - now 2.8.5
In-Reply-To: <1253714218.33713.7.camel@localhost>
References: <3736B42B-2D74-4D6F-8D0E-5B85AF568CED@mac.com> <200909222153.45826.luis.daniel.lucio@gmail.com> <1253714218.33713.7.camel@localhost>
Message-ID: <200909231107.09373.luis.daniel.lucio@gmail.com>

On Wednesday 23 September 2009 08:56:58, Frank Knobbe wrote:
> On Tue, 2009-09-22 at 21:53 -0500, Luis Daniel Lucio Quiroz wrote:
> > For all
>
> The patch for Snort 2.8.5 has been uploaded to the web site.
>
> Thanks Luis!
>
> -Frank
>

Anytime

I got this:
../../../../src/output-plugins/spo_alert_fwsam.c:201: error: 'pv' undeclared (first use in this function)
../../../../src/output-plugins/spo_alert_fwsam.c:399: error: 'NT_OUTPUT_ALERT' undeclared (first use in this function)

Am I missing something, against 2.8.5?

From luis.daniel.lucio at gmail.com Wed Sep 23 13:26:20 2009
From: luis.daniel.lucio at gmail.com (Luis Daniel Lucio Quiroz)
Date: Wed, 23 Sep 2009 12:26:20 -0500
Subject: [Snortsam-discussion] Snort 2.8.4.1 Diff Available - now 2.8.5
In-Reply-To: <1253714218.33713.7.camel@localhost>
References: <3736B42B-2D74-4D6F-8D0E-5B85AF568CED@mac.com> <200909222153.45826.luis.daniel.lucio@gmail.com> <1253714218.33713.7.camel@localhost>
Message-ID: <200909231226.21012.luis.daniel.lucio@gmail.com>

On Wednesday 23 September 2009 08:56:58, Frank Knobbe wrote:
> On Tue, 2009-09-22 at 21:53 -0500, Luis Daniel Lucio Quiroz wrote:
> > For all
>
> The patch for Snort 2.8.5 has been uploaded to the web site.
>
> Thanks Luis!
>
> -Frank
>

Sorry, it's broken. I've done several things on fixing it. However I can't realize this:

extern PV pv;

PV declaration used to be in snort.h file, but now it is gone. I can't find where the new PV declaration is, or should we save the old declaration from old snort.h?

TIA

-------------- next part --------------
A non-text attachment was scrubbed...
Name: snortsam-2.8.5-dlucio.diff
Type: text/x-patch
Size: 113818 bytes
Desc: not available
Url : http://lists.snortsam.net/pipermail/snortsam-discussion/attachments/20090923/b5b0c154/snortsam-2.8.5-dlucio-0001.bin

From frank at snortsam.net Wed Sep 23 13:38:49 2009
From: frank at snortsam.net (Frank Knobbe)
Date: Wed, 23 Sep 2009 12:38:49 -0500
Subject: [Snortsam-discussion] Snort 2.8.4.1 Diff Available - now 2.8.5
In-Reply-To: <200909231107.09373.luis.daniel.lucio@gmail.com>
References: <3736B42B-2D74-4D6F-8D0E-5B85AF568CED@mac.com> <200909222153.45826.luis.daniel.lucio@gmail.com> <1253714218.33713.7.camel@localhost> <200909231107.09373.luis.daniel.lucio@gmail.com>
Message-ID: <1253727529.33713.34.camel@localhost>

On Wed, 2009-09-23 at 11:07 -0500, Luis Daniel Lucio Quiroz wrote:
> I got this:
> ../../../../src/output-plugins/spo_alert_fwsam.c:201: error: 'pv' undeclared
> (first use in this function)
> ../../../../src/output-plugins/spo_alert_fwsam.c:399: error: 'NT_OUTPUT_ALERT'
> undeclared (first use in this function)
>
> Am I missing something, against 2.8.5?

I removed it again until issues with 2.8.5 are figured out.
-Frank

From luis.daniel.lucio at gmail.com Wed Sep 23 16:10:12 2009
From: luis.daniel.lucio at gmail.com (Luis Daniel Lucio Quiroz)
Date: Wed, 23 Sep 2009 15:10:12 -0500
Subject: [Snortsam-discussion] Snort 2.8.4.1 Diff Available - now 2.8.5
In-Reply-To: <1253727529.33713.34.camel@localhost>
References: <3736B42B-2D74-4D6F-8D0E-5B85AF568CED@mac.com> <200909231107.09373.luis.daniel.lucio@gmail.com> <1253727529.33713.34.camel@localhost>
Message-ID: <200909231510.12896.luis.daniel.lucio@gmail.com>

On Wednesday 23 September 2009 12:38:49, Frank Knobbe wrote:
> On Wed, 2009-09-23 at 11:07 -0500, Luis Daniel Lucio Quiroz wrote:
> > I got this:
> > ../../../../src/output-plugins/spo_alert_fwsam.c:201: error: 'pv'
> > undeclared (first use in this function)
> > ../../../../src/output-plugins/spo_alert_fwsam.c:399: error:
> > 'NT_OUTPUT_ALERT' undeclared (first use in this function)
> >
> > Am I missing something, against 2.8.5?
>
> I removed it again until issues with 2.8.5 are figured out.
>
> -Frank
>

Done!!!
It compiles; there are several functions that have changed their names. I was supported directly by the Snort Team. I hope someone could test.

Mandriva 2.8.5 RPM is being built right now, if someone wants to test using my rpms.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: snortsam-2.8.5-dlucio.diff
Type: text/x-patch
Size: 113944 bytes
Desc: not available
Url : http://lists.snortsam.net/pipermail/snortsam-discussion/attachments/20090923/edf8f5d8/snortsam-2.8.5-dlucio-0001.bin

From frank at snortsam.net Wed Sep 23 19:18:07 2009
From: frank at snortsam.net (Frank Knobbe)
Date: Wed, 23 Sep 2009 18:18:07 -0500
Subject: [Snortsam-discussion] Snort 2.8.4.1 Diff Available - now 2.8.5
In-Reply-To: <200909231510.12896.luis.daniel.lucio@gmail.com>
References: <3736B42B-2D74-4D6F-8D0E-5B85AF568CED@mac.com> <200909231107.09373.luis.daniel.lucio@gmail.com> <1253727529.33713.34.camel@localhost> <200909231510.12896.luis.daniel.lucio@gmail.com>
Message-ID: <1253747887.33713.62.camel@localhost>

On Wed, 2009-09-23 at 15:10 -0500, Luis Daniel Lucio Quiroz wrote:
> Done!!!
> It compiles; there are several functions that have changed their names. I was
> supported directly by the Snort Team. I hope someone could test.
>
> Mandriva 2.8.5 RPM is being built right now, if someone wants to test using
> my rpms.

Nice work, thanks. I'll put that diff out shortly. Also, if you have the RPM, please pass it on and I put it on the web site as well.

Thanks,
Frank

From luis.daniel.lucio at gmail.com Wed Sep 23 19:39:10 2009
From: luis.daniel.lucio at gmail.com (Luis Daniel Lucio Quiroz)
Date: Wed, 23 Sep 2009 18:39:10 -0500
Subject: [Snortsam-discussion] Snort 2.8.4.1 Diff Available - now 2.8.5
In-Reply-To: <1253747887.33713.62.camel@localhost>
References: <3736B42B-2D74-4D6F-8D0E-5B85AF568CED@mac.com> <200909231510.12896.luis.daniel.lucio@gmail.com> <1253747887.33713.62.camel@localhost>
Message-ID: <200909231839.10167.luis.daniel.lucio@gmail.com>

On Wednesday 23 September 2009 18:18:07, Frank Knobbe wrote:
> On Wed, 2009-09-23 at 15:10 -0500, Luis Daniel Lucio Quiroz wrote:
> > Done!!!
> > It compiles; there are several functions that have changed their names. I
> > was supported directly by the Snort Team. I hope someone could test.
> >
> > Mandriva 2.8.5 RPM is being built right now, if someone wants to test
> > using my rpms.
>
> Nice work, thanks. I'll put that diff out shortly. Also, if you have the
> RPM, please pass it on and I put it on the web site as well.
>
> Thanks,
> Frank
>

RPM is available at Mandriva's mirrors, both snort patched (main) and snortsam (contrib)
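The two behaviours Frank's 2.61 announcement earlier in this thread describes, DONTBLOCK/DONTUNBLOCK filtering of block and unblock requests and the forwarder refusing to send a request back to the peer it came from, modelled in Python as an added example (this is not Snortsam's own code; the "keyword value" config line syntax, the CIDR values and the Request fields are assumptions made for the example):

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample config. DONTBLOCK / DONTUNBLOCK are the options named in
# the 2.61 announcement; the "keyword value" line format and CIDR notation are
# assumptions for this example, not Snortsam's documented syntax.
SAMPLE_CONFIG = """\
# never block management hosts or the resolver subnet
dontblock 192.0.2.10
dontblock 198.51.100.0/24
# ignore unblock requests for the decoy range (DONTUNBLOCK, new in 2.61)
dontunblock 203.0.113.0/28
"""


@dataclass(frozen=True)
class Request:
    action: str   # "block" or "unblock"
    target: str   # address the sensor asks the agent to (un)block
    sender: str   # peer that delivered this request to us


def parse_config(text):
    """Return (dontblock_nets, dontunblock_nets) as ip_network lists."""
    nets = {"dontblock": [], "dontunblock": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments / blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key.lower() in nets:
            nets[key.lower()].append(ipaddress.ip_network(value.strip(), strict=False))
    return nets["dontblock"], nets["dontunblock"]


def _in_any(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def should_apply(req, dontblock, dontunblock):
    """Before 2.61 only block requests were filtered and unblocks always went
    through; with DONTUNBLOCK each direction is checked against its own list."""
    if req.action == "block":
        return not _in_any(req.target, dontblock)
    if req.action == "unblock":
        return not _in_any(req.target, dontunblock)
    raise ValueError(f"unknown action {req.action!r}")


def forward_targets(req, peers):
    """Forwarder guard from 2.61: never hand a request back to the peer that
    sent it, which would otherwise let it bounce between forwarders."""
    sender = ipaddress.ip_address(req.sender)
    return [p for p in peers if ipaddress.ip_address(p) != sender]
```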