Thursday, December 29, 2011

Old Computer....New Problems

The year was 2006 and flush with some bonus cash we decided to buy a new computer. We settled on a Sony Vaio RS710GX package because it was on sale and had everything we needed.

As time passed, prices dropped, and next thing you know everyone had their own laptop. So, the Vaio was relegated to being a print server/file store...and the computer on which I did the taxes/bills/job hunting/etc.

Eventually I upgraded it to 1 GB RAM and Windows 7. We bought the Windows 7 family upgrade, which comes with 3 licenses. However, we have 3 other laptops in the house, and eventually I decided that instead of wasting a license on the Vaio I'd use it to upgrade the newer and more powerful laptops.

So, I've got to decide what I want to do...which OS will I go with?

First, let's look at what I HAVE to be able to do on the new OS:
  • Manage my iPod
  • Spreadsheets for finances
  • Web
  • DVD/CD creation
  • Ease of use/updates/support
My first choice would have been Solaris. I use it at work and I love it for the servers I manage....but....its performance is not great on the home desktop. Add to that the fact that Oracle is clamping down on licenses and support for Solaris, and that OpenSolaris isn't as active as it had been in the past. Also, I don't want to spend a lot of time compiling open-source programs for Solaris...when the Linux support for those apps is already there.

So, I decided on Linux....Ubuntu in particular. It's known for its ease of use, its clean interface and packaging, its large repository of software packages, and its active support community....it seemed like the way to go.

I first tried 11.10, which was the latest version at the time. Running from the live CD worked great...but all attempts to install failed during the grub install. You can see that adventure here: https://answers.launchpad.net/ubuntu/+source/grub-installer/+question/182142

Ubuntu 11.x based distros (Linux Mint) also failed with the same error. However, other distros succeeded (Solaris, BackTrack, Auditor). In fact BackTrack 5, which is an Ubuntu 10.x based distro, installs fine. So, instead of using 11.x I decided to go with Ubuntu 10.04 LTS. BOOOSH! It works like a champ.

The Nvidia drivers installed easily enough through the Hardware Drivers GUI, although I did need to manually edit xorg.conf to set the refresh rates for the monitor. I didn't HAVE to install the Nvidia drivers; the default nouveau drivers worked pretty well at 1024x768...but I wanted 1280x1024, which required the proprietary drivers.

I then used ndiswrapper to set up the Netgear WG311v3 wireless interface...and biggity bam...I was up and running.

So let's look to see if it met my requirements:
  • Rhythmbox - Manage my iPod
  • OpenOffice - Spreadsheets for finances
  • Firefox/Chrome - Web
  • Brasero/cmd line - DVD/CD creation
  • Community/update manager/etc.. - Ease of use/updates/support
10.04 is still a GNOME distro, which I find I like better than the newer Unity interface in 11.10 (judged from the live CD...since I couldn't resolve the grub install issue).

Saturday, December 10, 2011

Snort 2.9.1.2 Solaris and SegFaults

As previously posted, I was able to compile and run Snort 2.9.1.2 on Solaris10 with a little work.

However, that was on my development system, which is a Solaris VM running on my MacBook. I found that when I took the Solaris package I built on the VM and installed it on a SunFire X4400 M2 (x86, NOT SPARC)...it would crash with a SegFault and drop a core file:
       --== Initialization Complete ==--

  ,,_     -*> Snort! <*-
 o"  )~   Version 2.9.1.2 IPv6 GRE (Build 84)
  ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
          Copyright (C) 1998-2011 Sourcefire, Inc., et al.
          Using libpcap version 1.1.1
          Using PCRE version: 8.12 2011-01-15
          Using ZLIB version: 1.1.4

          Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.15

          Preprocessor Object: SF_SSLPP (IPV6)  Version 1.1  
          Preprocessor Object: SF_SSH (IPV6)  Version 1.1  
          Preprocessor Object: SF_SMTP (IPV6)  Version 1.1  
          Preprocessor Object: SF_SIP (IPV6)  Version 1.1  
          Preprocessor Object: SF_SDF (IPV6)  Version 1.1  
          Preprocessor Object: SF_REPUTATION (IPV6)  Version 1.1

          Preprocessor Object: SF_POP (IPV6)  Version 1.0  
          Preprocessor Object: SF_IMAP (IPV6)  Version 1.0  
          Preprocessor Object: SF_FTPTELNET (IPV6)  Version 1.2

          Preprocessor Object: SF_DNS (IPV6)  Version 1.1  
          Preprocessor Object: SF_DCERPC2 (IPV6)  Version 1.0  
Commencing packet processing (pid=24487)
Segmentation Fault (core dumped)
Obviously this annoyed me to no end...because it wasn't my dev system that I wanted to run this package on. It was also the first time I've had a package built on my dev VM crash when moved to the SunFire server. In theory they're both x86 Sol10...it should work...in theory.

So, I tried building the package on the SunFire, thinking that maybe there was something different (libraries, patch levels, etc..) between the systems that I wasn't taking into account. However, it didn't matter where I built the package...it would still SegFault.

Now, I looked at the pstack, flags, and even did a backtrace using adb against the core file to see if it was anything obvious. It wasn't. So, at this point I had to put it out to the Snort community.

I was contacted by Russ, one of the developers at Sourcefire, who was able to spot and fix the issue rather quickly. Here's the response:
Looks like you are getting burned by some faulty alignment foo.  Try forcing SPARC_TWIDDLE to zero in decode.h and recompiling.  It should look like this (zero in both cases):

#if defined (SOLARIS) || defined (SUNOS) || defined (__sparc__) || defined(__sparc64__) || defined (HPUX)
#define SPARC_TWIDDLE       0
#else
#define SPARC_TWIDDLE       0
#endif

Let me know if this fixes the problems for you.
So, I edited decode.h and changed the first value (SPARC_TWIDDLE was set to 2) to 0.

Then I did:
  • make clean
  • make
  • make install
That's it, that fixed it! Thanks to Russ at Sourcefire for the fix!  I love Solaris and I love Snort...so I am slap happy that I can keep running the two together.

Monday, November 21, 2011

Snort 2.9.1.2 on Solaris 10_x86

The Snort 2.9.0.5 package I built worked fine on my x86 VM, but would segfault when installed on SunFire 4400:

--== Initialization Complete ==--

,,_ -*> Snort! <*-
o" )~ Version 2.9.0.5 (Build 135)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 1998-2011 Sourcefire, Inc., et al.
Using libpcap version 1.1.1
Using PCRE version: 8.12 2011-01-15

Preprocessor Object: SF_SDF Version 1.1
Preprocessor Object: SF_DCERPC2 Version 1.0
Preprocessor Object: SF_SSLPP Version 1.1
Preprocessor Object: SF_DNS Version 1.1
Preprocessor Object: SF_SSH Version 1.1
Preprocessor Object: SF_SMTP Version 1.1
Preprocessor Object: SF_FTPTELNET Version 1.2
Commencing packet processing (pid=14777)
Segmentation Fault (core dumped)

# pstack core_prodids01_snort_0_0_1321551044_14777
core 'core_prodids01_snort_0_0_1321551044_14777' of 14777: ../bin/snort -c snort.conf
----------------- lwp# 1 / thread# 1 --------------------
080deeb7 TcpSessionCleanup (e1f7078, 1f90, 90dc, 0) + 41b
080e92ce DeleteLWSession (9437400, e1f7078, 81234dc, 9eafcf0, 8046e98, ac6301a) + de
080e445b ???????? (8046fa0, 9eafcf0, 0, 8046ff0)
080e6620 Stream5ProcessTcp (80470d0, e1f7078, 9eafcf0, 8046ff0) + 194
080cf75b ???????? (80470d0, 0, 80f052f, 808dd13)
0808df7b Preprocess (80470d0, ffffffff, 1a24c60a, 1d04c60a, 80470e8, 80a6785) + 5cf
080842f7 ProcessPacket (0, 80479b0, e1457b2, 0, d4, feffb818) + 203
080874a8 ???????? (0, 80479b0, e1457b2, 8047a84)
080fda31 ???????? (df2ac70, 8047a10, e1457b2, 3c, 8047a00, fefd176f)
fed847e1 pcap_process_pkts (df29b08, 80fd9d8, df2ac70, ffff3da1, e13bb0a, ff78) + ad
fed7424e pcap_read_dlpi (df29b08, ffff3da1, 80fd9d8, df2ac70) + a2
fed75a81 pcap_dispatch (df29b08, ffff3da1, 80fd9d8, df2ac70) + 19
080fda93 ???????? (df2ac70, ffffffff, 80872f8, 0, 0, feffdd58)
0809d199 DAQ_Acquire (ffffffff, 80872f8, 0, 0) + 21
0808845c SnortMain (3, 8047cd0, 8139964, 8139a44, 0, 80fecde) + 798
08088dd8 main (3, 8047cd0, 8047ce0) + 24
08066184 _start (3, 8047d9c, 8047da9, 8047dac, 0, 8047db7) + 80
----------------- lwp# 2 / thread# 2 --------------------
fece99d7 ___nanosleep (1, 0, 0, 0) + 7
080890ab ???????? (0)
fece7390 _thr_setup (fe850200) + 4e
fece7680 _lwp_start (fe850200, 0, 0, fe95eff8, fece7680, fe850200)

I posted this on the Snort discussion group, and the feedback was "interesting...try 2.9.1.2?", which wouldn't have been an issue if I could make any progress on compiling 2.9.1.2 on Solaris:

gcc -DHAVE_CONFIG_H -I. -I../.. -I../.. -I../../src -I../../src/sfutil -I../../src/output-plugins -I../../src/detection-plugins -I../../src/dynamic-plugins -I../../src/preprocessors -I../../src/preprocessors/portscan -I ../../src/preprocessors/HttpInspect/include -I../../src/preprocessors/Stream5 -I../../src/target-based -I../../src/control -I/usr/local/OAMsnort/include -I/usr/local/OAMsnort/include -DDYNAMIC_PLUGIN -I/usr/local/OAMsnort/include -DZLIB -DGRE -DMPLS -DPREPROCESSOR_AND_DECODER_RULE_EVENTS -DPPM_MGR -DSOURCEFIRE -DPERF_PROFILING -DPREPROCESSOR_AND_DECODER_RULE_EVENTS -DPPM_MGR -DENABLE_PAF -DENABLE_REACT -DENABLE_RESPOND -DENABLE_RESPONSE3 -DBSD_COMP -D_REENTRANT -DSF_WCHAR -DSUP_IP6 -DTARGET_BASED -DPERF_PROFILING -DPERF_PROFILING -DSNORT_RELOAD -DNORMALIZER -DACTIVE_RESPONSE -g -O2 -Wall -c ipobj.c
In file included from ../../src/ipv6_port.h:29,
from ipobj.h:44,
from ipobj.c:51:
./sf_ip.h:77: error: syntax error before "u_int8_t"
I was pretty sure this was related to the uint8_t and uint16_t definitions....but, not being all that proficient at programming, I couldn't figure out where to fix it. Luckily for me I got a response from the group:

See where it says "from ipobj.c:51:" below, if you add #include "sf_types.h" on the line before that, you should get that file to compile. There may be others with the same problem and you will have to fix them similarly. - RCombs @ Source Fire
Yup, that makes sense...I need to include sf_types.h before any of the offending integer types are used. sf_types.h will properly define them.

So, now it's just a matter of putting this in all of the offending files...which was a fun exercise in:

# make > ../logfile 2>&1
# more logfile
# vi src/snort.c
Repeat the above process, editing each file that it fails on. In the end you will have edited the following 89 files (file name:line #):

  • ipobj.c:51
  • sf_ip.c:40
  • sf_vartable.c:35
  • sf_iph.c:28
  • sfPolicy.c:28
  • sfPolicyUserData.c:27
  • spo_alert_syslog.c:60
  • spo_log_null.c:49
  • spo_log_tcpdump.c:62
  • spo_unified.c:57
  • spo_unified2.c:42
  • sp_hdr_opt_wrap.c:28
  • sp_react.c:62
  • sf_snort_plugin_hdropts.c:34
  • sf_snort_detection_engine.c:40
  • sf_snort_plugin_api.c:33
  • sf_snort_plugin_byte.c:36
  • sf_snort_plugin_content.c:37
  • sf_snort_plugin_hdropts.c:34
  • sf_snort_plugin_loop.c:34
  • sf_snort_plugin_pcre.c:36
  • sf_snort_plugin_rc4.c:34
  • sf_decompression.c:43
  • sf_dynamic_plugins.c:64
  • sf_convert_dynamic.c:29
  • hi_paf.c:69
  • snort_stream5_udp.c:27
  • snort_stream5_icmp.c:27
  • snort_stream5_session.c:42
  • stream5_common.c:27
  • spp_rpc_decode.c:58
  • stream_ignore.c:53
  • spp_httpinspect.c:51
  • portscan.c:114
  • spp_sfportscan.c:56
  • stream_api.c:41
  • spp_normalize.c:26
  • normalize.c:36
  • ssl.c:33
  • sf_dynamic_preproc_lib.c:33
  • mempool.c:42
  • sf_email_attach_decode.c:26
  • ftp_bounce_lookup.c:46
  • ftp_cmd_lookup.c:46
  • ftpp_eo_log.c:51
  • ftpp_si.c:54
  • ftpp_ui_client_lookup.c:46
  • ftpp_ui_config.c:49
  • ftpp_ui_server_lookup.c:44
  • pp_ftp.c:59
  • pp_telnet.c:55
  • snort_ftptelnet.c:64
  • spp_ftptelnet.c:56
  • pop_config.c:47
  • pop_log.c:47
  • spp_pop.c:52
  • imap_config.c:47
  • imap_log.c:47
  • spp_imap.c:52
  • smtp_config.c:48
  • smtp_log.c:47
  • smtp_normalize.c:41
  • smtp_xlink2state.c:50
  • spp_smtp.c:52
  • spp_ssh.c:41
  • spp_dns.c:42
  • spp_ssl.c:31
  • dce2_debug.c:39
  • snort_dce2.c:28
  • spp_sdf.c:42
  • sdf_pattern_match.c:28
  • sdf_credit_card.c:25
  • sdf_us_ssn.c:25
  • sdf_detection_option.c:29
  • spp_sip.c:37
  • sip_config.c:30
  • sip_parser.c:32
  • sip_dialog.c:29
  • sip_utils.c:28
  • reputation_config.c:32
  • reputation_utils.c:28
  • sftarget_protocol_reference.c:31
  • decode.c:40
  • encode.c:37
  • active.c:36
  • snort.c:86
  • tag.c:35
  • pcrm.c:207
  • obfuscation.c:27
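
The make/logfile/vi loop above, automated as an added example (my own shell script, not from the post or the Snort project): it reads the gcc log for the innermost "from FILE:LINE:" of the first u_int*_t syntax error and inserts #include "sf_types.h" before that line, as the Sourcefire reply advises. It assumes gcc's "In file included from" message layout and that the paths in the log are relative to the directory make ran in.

```shell
#!/bin/sh
# Added example (not from the post): automate the "make > logfile; more logfile;
# vi file" loop. gcc names the file being compiled as the innermost
# "from FILE:LINE:" of an "In file included from" chain; we insert
# #include "sf_types.h" on the line before LINE, as the Sourcefire reply advises.

# Print "FILE:LINE" for the first u_int*_t syntax error in a build log ($1).
find_offender() {
  awk '
    /^In file included from / { sub(/^In file included from /, ""); sub(/[,:]$/, ""); last = $0 }
    /^ *from /                { sub(/^ *from /, "");                sub(/[,:]$/, ""); last = $0 }
    /error: syntax error before "u_int(8|16|32|64)_t"/ { print last; exit }
  ' "$1"
}

# Insert the include before line $2 of file $1, unless the file already has it.
insert_include() {
  grep -q '^#include "sf_types.h"' "$1" && return 0
  awk -v n="$2" 'NR == n { print "#include \"sf_types.h\"" } { print }' "$1" > "$1.tmp" \
    && mv "$1.tmp" "$1"
}

# Fix the one file named in log $1; $2 is the directory the compile ran in
# (paths in the log are relative to it). Returns 1 when no offender is found,
# which is the loop's exit condition: make, fix_one, repeat.
fix_one() {
  off=$(find_offender "$1")
  [ -n "$off" ] || return 1
  insert_include "$2/${off%:*}" "${off##*:}"
}

# Self-contained demo on constructed input (a log shaped like the one in the post
# and a 60-line stand-in for ipobj.c); prints the fixed file's lines 51-52.
demo() {
  dir=$(mktemp -d) || return 1
  cat > "$dir/logfile" <<'EOF'
gcc -DHAVE_CONFIG_H -I. -I../.. -g -O2 -Wall -c ipobj.c
In file included from ../../src/ipv6_port.h:29,
                 from ipobj.h:44,
                 from ipobj.c:51:
./sf_ip.h:77: error: syntax error before "u_int8_t"
EOF
  awk 'BEGIN { for (i = 1; i <= 60; i++) printf "/* line %d */\n", i }' > "$dir/ipobj.c"
  fix_one "$dir/logfile" "$dir" || return 1
  sed -n '51,52p' "$dir/ipobj.c"
  rm -rf "$dir"
}

demo
```

In a real tree you would run make into a log, call fix_one on it with the compile directory, and repeat until fix_one returns 1 (no more u_int errors).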

However, in the end I had the latest version of Snort compiled and running on my Solaris 10_x86 dev system:

--== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to passive.
Acquiring network traffic from "e1000g0".
Decoding Ethernet

--== Initialization Complete ==--

,,_ -*> Snort! <*-
o" )~ Version 2.9.1.2 IPv6 GRE (Build 84)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 1998-2011 Sourcefire, Inc., et al.
Using libpcap version 1.1.1
Using PCRE version: 8.12 2011-01-15
Using ZLIB version: 1.2.3

Commencing packet processing (pid=28106)

Now, I just need to package this all into a nice neat Solaris package and install it on the production servers. When I get a chance I will also zip up the Snort source code that I edited and post it here for any other Solaris users that are having issues.


Friday, March 25, 2011

Custom Snort 2.9 package for Solaris 10 x86

So...for the past week I've been spending most of my time trying to build a custom Snort 2.9 package for our Solaris customers. Nothing special about the package, other than the fact that it will be self-contained and include all dependencies (libpcap, libdnet, pcre, etc..).

It's just an easy way to install and manage Snort without worrying about impacting other applications on the system.

I am using the gcc and gmake that come with Solaris 10 in /usr/sfw so I had to add the following to my path:
setenv PATH ${PATH}:/usr/sfw/bin:/usr/sfw/sbin:/usr/ccs/bin
Since I plan on building a package, I also wanted to have a build directory that will only contain the files I will be packaging.
mount -F lofs /export/home/build /usr/local
I then proceeded to build and install the prerequisite libraries libdnet, libpcap, and pcre:
# configure --prefix=/usr/local/AVGsnort
# gmake
# gmake install
I didn't have any issues building or installing the libraries. Now was the time to start building the snort binaries. First up was DAQ 5.0...and I had issues right out of the gate:
checking for libpcap version >= "1.0.0"... no
ERROR! Libpcap library version >= 1.0.0 not found.

Get it from http://www.tcpdump.org

At first this seems straightforward: simply point the configure script to the location of libpcap. From the configure help:
--with-libpcap-includes=DIR libpcap include directory
--with-libpcap-libraries=DIR libpcap library directory
That's obvious enough:
# configure --prefix=/usr/local/AVGsnort --with-libpcap-includes=/usr/local/AVGsnort/include --with-libpcap-libraries=/usr/local/AVGsnort/lib
Still failed....at which point I spotted this little nugget:
ld.so.1: conftest: fatal: libpcap.so.1: open failed: No such file or directory
I pulled the conftest.c code out of config.log; this is the program that configure builds and runs to test the version of libpcap. I figured I could narrow this down a bit more if I could figure out why that section of code was failing.
# gcc -o conftest -g -O2 -std=c99 -D_GNU_SOURCE -I/usr/local/AVGsnort/include/ -L/usr/local/AVGsnort/lib conftest.c -lpcap
#
Interestingly there were no issues building the code...however when I ran it:
# ./conftest
ld.so.1: conftest: fatal: libpcap.so.1: open failed: No such file or directory
Killed
Huh?!?!?! The issue appears to be that conftest does not know where the libraries are at run time, so it fails to find libpcap, despite the -L and -I flags it was built with. Those flags only tell gcc where to find headers and libraries when compiling and linking; the run-time linker (ld.so.1) searches its own library path, which doesn't include /usr/local/AVGsnort/lib.

To resolve this I simply had to adjust my library path. This can be done two ways:
# setenv LD_LIBRARY_PATH /lib:/usr/lib:/usr/local/AVGsnort/lib
or
# crle -l /usr/local/AVGsnort/lib
Either way will ensure that conftest succeeds when run. That should get you through the configure. However, during the make I ran into the following error:
sll.h:87: error: syntax error before "u_int16_t"
sll.h:87: warning: no semicolon at end of struct or union
The issue here is the fact that Solaris uses uint16_t instead of u_int16_t. To get around this I just added a typedef to map the two u_int types:
typedef uint8_t u_int8_t;
typedef uint16_t u_int16_t;

Still working on the build....will update with other findings as they pop-up

UPDATE

decode.c: In function `DecodePflog':
decode.c:1928: warning: long unsigned int format, unsigned int arg (arg 3)
decode.c: In function `DecodeIP':
decode.c:3118: error: `IPPROTO_GRE' undeclared (first use in this function)
decode.c:3118: error: (Each undeclared identifier is reported only once
decode.c:3118: error: for each function it appears in.)

The first issue at line 1928 can be solved by changing the code as follows:
# diff decode.c.orig decode.c
1928c1928
< "(%d < %lu)\n", cap_len, PFLOG2_HDRMIN);
---
> "(%d < %u)\n", cap_len, PFLOG2_HDRMIN);
The issue comes from the printf format string in the error message: it expects a decimal integer (%d) for cap_len and a long unsigned (%lu) for PFLOG2_HDRMIN. However, on this build PFLOG2_HDRMIN is a plain unsigned int, not a long unsigned, so %u is the matching conversion.

The next one is a bit trickier...and I can't find my "Programming C" book to assist me. (As programming really isn't something I do often.)

Well, I've found a workaround. The code is expecting GRE to be defined:
#ifdef GRE
    if (p->greh != NULL)
        pc.gre_ip++;
#endif

However, it apparently isn't. So I could either try to find some GRE code and add an #else section to the #ifdef above, OR I could enable GRE when I compile and see if that adds the code I need without me having to muck about any more than usual.
# gmake distclean
# ./configure --prefix=/usr/local/AVGsnort --enable-gre
# gmake
What do you know, it works:
# ./snort
Running in packet dump mode

--== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to passive.
Acquiring network traffic from "e1000g0".
Decoding Ethernet

--== Initialization Complete ==--

,,_ -*> Snort! <*-
o" )~ Version 2.9.0.4 GRE (Build 111)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 1998-2011 Sourcefire, Inc., et al.
Using libpcap version 1.1.1
Using PCRE version: 8.12 2011-01-15

Commencing packet processing (pid=863)
03/29-11:38:14.606885 ARP who-has 10.0.2.15 (FF:FF:FF:FF:FF:FF) tell 10.0.2.15

Now I simply follow the steps posted by the fine people that run sunfreeware.com to create a package.