Bug 196046

Summary: Dynamic preprocessor libraries missing.
Product: [Fedora] Fedora
Component: snort
Version: 5
Hardware: i386
OS: Linux
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Reporter: Chuck H <wilcoj>
Assignee: Dennis Gilmore <dennis>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: davej, extras-qa, marcus, pmacedo, rhbz001
Fixed In Version: 2.6.0.2-2
Doc Type: Bug Fix
Last Closed: 2006-10-10 20:12:32 UTC

Attachments:
Patch to build and package the dynamic preprocessor files (flags: none)

Description Chuck H 2006-06-20 16:39:46 UTC
Description of problem:
Dynamic preprocessor directory and files specified in snort.conf are not present
in the package.

Version-Release number of selected component (if applicable):
snort-2.6.0-1.fc5

How reproducible:
Install the snort-2.6.0 package, check for existence of
/usr/local/lib/snort_dynamicpreprocessor and /usr/local/lib/snort_dynamicengine,
they will not be present.

Steps to Reproduce:
1. Install the snort-2.6.0-1.fc5 package via yum.
2. ls -la /usr/local/lib/snort_*
3. Files / directories are missing.
  
Actual results:
The package is missing the required files for the default snort.conf to function
properly.

Expected results:
These directories and files should be created or snort.conf should be modified
to not include their support by default.

Additional info:
N/A

Comment 1 Dennis Gilmore 2006-06-20 17:00:13 UTC
I am working on adding support for the dynamic preprocessor support. There
will be an update this week. However, the snort.conf as shipped with the
package will not work, as there are no rules packaged. Unfortunately this is
one of those packages that cannot be shipped in a manner that you can
install and have it just work.

Comment 2 Dave Jones 2006-09-03 01:03:24 UTC
*** Bug 202451 has been marked as a duplicate of this bug. ***

Comment 3 Marcus 2006-09-06 20:39:35 UTC
snort-2.6.0-3.fc5 as released still exhibits this problem. I removed all 
previous traces of snort and tried a clean install and still cannot start snort.


Comment 4 Dennis Gilmore 2006-09-06 20:56:32 UTC
Did you get the rules from http://snort.org/rules/? They are released under the
VRT license http://snort.org/about_snort/licenses/vrt_license.html which is
not open source, and while we may be able to meet the terms for redistribution,
a lot of end users cannot and must buy the commercial license for the rules.

I do still need to tweak the config file a little, but I really cannot make
snort installable in some way where it will just work for you. It will take
some work on your behalf to have things working.

Would it help if I make a spec file for the rules and include it in the
documentation so you can easily roll your own rules rpm?


Comment 5 Marcus 2006-09-07 14:14:27 UTC
Sorry, I know you are doing this on your own and without much gratitude or 
compensation. So thank you for working on this.

The rules are not my problem. I am using oinkmaster and updating the rules 
regularly. My problem is with the dynamic preprocessor not seeming to be
compiled into this distribution. To eliminate a potential problem with
verbiage, were you trying to tell me that the dynamic preprocessors are not able
to be distributed with this precompiled snort? If so I must have misread the
license agreement.

In any case, I pulled the snort source and compiled myself and was able to get 
snort running with all the bells and whistles including dynamic preprocessors. 
I am not supposed to compile anything in this environment though, so a prebuilt 
distro is much preferred. Please let me know if there is anything I can do to 
help clarify or rectify the problem.

Comment 6 Dennis Gilmore 2006-09-07 14:30:23 UTC
If you do an rpm -ql snort it will show you the dynamic preprocessors are
indeed included:
/usr/lib64/snort/libsf_engine.so on my x86_64 box and
/usr/lib/snort/libsf_engine.so on a 32 bit box. I need to do a sed
substitution in the spec to have it going to the right location.

Comment 7 Marcus 2006-09-07 14:53:42 UTC
FromHost ******* 
ReceivedAt 2006-09-06 16:41:16 
DeviceReportedTime 2006-09-06 16:41:16 
Message FATAL ERROR: /etc/snort/snort.conf(182) => Unknown rule type: 
dynamicpreprocessor  
Facility 3 
Severity ERROR 
SysLogTag snort[9324]: 


This is the error I receive when attempting to start snort. You are correct 
that the files you indicated were compiled and are included. That does not mean 
that the snort binary knows what to do with them. Also of interest is that the 
smtp and ftp_telnet dynamic preprocessor modules are not distributed with this 
package either and are both enabled by default in the config. 


Comment 8 Matthew Hannigan 2006-09-13 04:44:06 UTC
How about including the community rules?
http://www.snort.org/pub-bin/downloads.cgi#COMM

Comment 9 Matthew Hannigan 2006-09-13 04:45:57 UTC
Also, snort needs iis unicode.map to start, which is not included in the rpm.

Comment 10 Marcus 2006-09-14 13:06:43 UTC
Please be assured that my problem is not with the rules files. I use oinkmaster 
to pull the appropriate files nightly. The error is simply stating that the 
snort binary does not know how to interpret the command "dynamicpreprocessor" 
which tells snort to use the indicated modules following this command. (In my
post showing the error, dynamicpreprocessor should be on the same line
as "Unknown rule type:".) If you look at your snort.conf file, you will probably
see this command (but it would have to be commented out using this
distribution). The dynamic preprocessor is responsible for doing more "advanced"
scanning for specific protocols such as ftp, smtp, http, etc.

One thing I have failed to mention, is that snort will still function without 
these. In my opinion, it is not as robust if you are not taking advantage of 
these "advanced" features though.

Comment 11 Chuck H 2006-10-03 17:38:18 UTC
Having reviewed the SPEC file being used for 2.6.0-3, it does not compile with
--enable-dynamicplugin which tells snort it's actually using these. Further, it
needs to include the rest of the dynamic plugins. Until these issues can be
ironed out, can you please re-publish 2.4.4-4.fc5/fc4 since it was working well.
The snort 2.6.x branch is not exactly stable right now.

Thanks


Comment 12 Pedro Fernandes Macedo 2006-10-04 14:43:20 UTC
I've been working on getting snort to work here and it seems I found part of the
solution for part of the issue. 

The dynamic plugins weren't being built, since the option that enables them was
missing. Just adding "--enable-dynamicplugin" to the base snort config options
builds them, but they still don't get packaged. I'm currently trying to figure
this out.

Comment 13 Pedro Fernandes Macedo 2006-10-04 19:44:44 UTC
Created attachment 137765 [details]
Patch to build and package the dynamic preprocessor files

This patch adds the --enable-dynamicplugin option to SNORT_BASE_CONFIG and also
packages the .so files from the dynamic preprocessor. I'm certain my patch can
be a little tweaked (since I'm not very experienced with RPM packaging), but
it's currently functional (the user still needs to edit the snort.conf file to
replace the dynamicpreprocessor directive to point to
/usr/lib/snort/dynamicpreprocessor).

Comment 14 Dennis Gilmore 2006-10-09 17:44:43 UTC
OK, I just committed a build of 2.6.0.2 for rawhide. I have enabled
dynamicplugins; there are three of them currently: smtp, dns and ftp.

The snort.conf file should be pointing at them.

I have added some other files in /etc/snort/ that are included in the tarball.

I want to make sure this is working. I'd like to package up the community
rules in a separate package so that they can be updated independently. If
anyone wants to do it feel free to.

Please provide some feedback if things are still not correct.

Comment 15 Pedro Fernandes Macedo 2006-10-10 14:35:49 UTC
Just rebuilt the package from cvs on FC5 and it builds and works correctly here.

Comment 16 Dennis Gilmore 2006-10-10 20:12:32 UTC
Closing this as fixed. Please file new reports if you find any new issues.

Comment 17 John Holmstadt 2006-10-31 16:40:56 UTC
Is this supposed to be fixed in 2.6.0.2-2? I still don't see the snort-2.6.0.2-2
file on my system.

Comment 18 John Holmstadt 2006-10-31 16:42:26 UTC
(In reply to comment #17)
> I still don't see the snort-2.6.0.2-2 file on my system.

Sorry, I meant libsf_engine.so
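
The path problem discussed in this thread (a snort.conf that names library locations the package does not provide) can be caught with a small check run against an installed system or a build root. This is an added example, not part of the bug report or the Fedora package; the function names, the ROOT prefix argument, the sample tree and the assumed directive forms (`dynamicpreprocessor directory|file PATH`, `dynamicengine PATH`) are illustrative.

```sh
#!/bin/sh
# Added example, not from the bug report. Lists dynamic-library paths in a
# snort.conf that do not resolve. ROOT is an optional prefix (e.g. a buildroot).
check_snort_dynamic_paths() (
    conf=$1; root=${2:-}; lineno=0; problems=0
    set -f                                  # no globbing while word-splitting
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        set -- ${line%%#*}                  # strip comment, split into words
        case ${1:-} in
            dynamicpreprocessor|dynamicengine|dynamicdetection) ;;
            *) continue ;;
        esac
        kind=${2:-}; path=${3:-}
        # Assumed syntax: "dynamicengine /path/lib.so" omits the keyword.
        case $kind in file|directory) ;; *) path=$kind; kind=file ;; esac
        if [ "$kind" = directory ] && [ ! -d "$root$path" ]; then
            msg="directory missing"
        elif [ "$kind" = directory ] &&
             [ -z "$(find "$root$path" -name '*.so' 2>/dev/null)" ]; then
            msg="directory has no .so files"
        elif [ "$kind" = file ] && [ ! -f "$root$path" ]; then
            msg="file missing"
        else
            continue
        fi
        echo "$conf:$lineno: $1 $msg: $path"
        problems=$((problems + 1))
    done <"$conf"
    [ "$problems" -eq 0 ]
)

# Constructed sample tree: the stock conf paths named in the report, with the
# engine library installed where comment 6 says the package puts it.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/lib/snort" "$d/etc/snort"
    : >"$d/usr/lib/snort/libsf_engine.so"
    cat >"$d/etc/snort/snort.conf" <<'EOF'
# constructed excerpt, not the shipped file
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
EOF
    echo "$d"
}
# Demo on the constructed tree: both conf lines are reported as unresolved.
demo=$(make_sample)
check_snort_dynamic_paths "$demo/etc/snort/snort.conf" "$demo" || true
rm -rf "$demo"
```

The check covers paths only; it does not show whether the snort binary was built with --enable-dynamicplugin, the build option comments 11 and 12 identify as missing.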