Monday, November 21, 2011

Snort 2.9.1.2 on Solaris 10_x86

The Snort 2.9.0.5 package I built worked fine on my x86 VM, but would segfault when installed on SunFire 4400:

--== Initialization Complete ==--

,,_ -*> Snort! <*-
o" )~ Version 2.9.0.5 (Build 135)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 1998-2011 Sourcefire, Inc., et al.
Using libpcap version 1.1.1
Using PCRE version: 8.12 2011-01-15

Preprocessor Object: SF_SDF Version 1.1
Preprocessor Object: SF_DCERPC2 Version 1.0
Preprocessor Object: SF_SSLPP Version 1.1
Preprocessor Object: SF_DNS Version 1.1
Preprocessor Object: SF_SSH Version 1.1
Preprocessor Object: SF_SMTP Version 1.1
Preprocessor Object: SF_FTPTELNET Version 1.2
Commencing packet processing (pid=14777)
Segmentation Fault (core dumped)

# pstack core_prodids01_snort_0_0_1321551044_14777
core 'core_prodids01_snort_0_0_1321551044_14777' of 14777: ../bin/snort -c snort.conf
----------------- lwp# 1 / thread# 1 --------------------
080deeb7 TcpSessionCleanup (e1f7078, 1f90, 90dc, 0) + 41b
080e92ce DeleteLWSession (9437400, e1f7078, 81234dc, 9eafcf0, 8046e98, ac6301a) + de
080e445b ???????? (8046fa0, 9eafcf0, 0, 8046ff0)
080e6620 Stream5ProcessTcp (80470d0, e1f7078, 9eafcf0, 8046ff0) + 194
080cf75b ???????? (80470d0, 0, 80f052f, 808dd13)
0808df7b Preprocess (80470d0, ffffffff, 1a24c60a, 1d04c60a, 80470e8, 80a6785) + 5cf
080842f7 ProcessPacket (0, 80479b0, e1457b2, 0, d4, feffb818) + 203
080874a8 ???????? (0, 80479b0, e1457b2, 8047a84)
080fda31 ???????? (df2ac70, 8047a10, e1457b2, 3c, 8047a00, fefd176f)
fed847e1 pcap_process_pkts (df29b08, 80fd9d8, df2ac70, ffff3da1, e13bb0a, ff78) + ad
fed7424e pcap_read_dlpi (df29b08, ffff3da1, 80fd9d8, df2ac70) + a2
fed75a81 pcap_dispatch (df29b08, ffff3da1, 80fd9d8, df2ac70) + 19
080fda93 ???????? (df2ac70, ffffffff, 80872f8, 0, 0, feffdd58)
0809d199 DAQ_Acquire (ffffffff, 80872f8, 0, 0) + 21
0808845c SnortMain (3, 8047cd0, 8139964, 8139a44, 0, 80fecde) + 798
08088dd8 main (3, 8047cd0, 8047ce0) + 24
08066184 _start (3, 8047d9c, 8047da9, 8047dac, 0, 8047db7) + 80
----------------- lwp# 2 / thread# 2 --------------------
fece99d7 ___nanosleep (1, 0, 0, 0) + 7
080890ab ???????? (0)
fece7390 _thr_setup (fe850200) + 4e
fece7680 _lwp_start (fe850200, 0, 0, fe95eff8, fece7680, fe850200)

I posted this on the Snort discussion group, and the feedback was "interesting...try 2.9.1.2?", which would not have been a problem if I could have made any progress compiling 2.9.1.2 on Solaris:

gcc -DHAVE_CONFIG_H -I. -I../.. -I../.. -I../../src -I../../src/sfutil -I../../src/output-plugins -I../../src/detection-plugins -I../../src/dynamic-plugins -I../../src/preprocessors -I../../src/preprocessors/portscan -I ../../src/preprocessors/HttpInspect/include -I../../src/preprocessors/Stream5 -I../../src/target-based -I../../src/control -I/usr/local/OAMsnort/include -I/usr/local/OAMsnort/include -DDYNAMIC_PLUGIN -I/usr/local/OAMsnort/include -DZLIB -DGRE -DMPLS -DPREPROCESSOR_AND_DECODER_RULE_EVENTS -DPPM_MGR -DSOURCEFIRE -DPERF_PROFILING -DPREPROCESSOR_AND_DECODER_RULE_EVENTS -DPPM_MGR -DENABLE_PAF -DENABLE_REACT -DENABLE_RESPOND -DENABLE_RESPONSE3 -DBSD_COMP -D_REENTRANT -DSF_WCHAR -DSUP_IP6 -DTARGET_BASED -DPERF_PROFILING -DPERF_PROFILING -DSNORT_RELOAD -DNORMALIZER -DACTIVE_RESPONSE -g -O2 -Wall -c ipobj.c
In file included from ../../src/ipv6_port.h:29,
                 from ipobj.h:44,
                 from ipobj.c:51:
./sf_ip.h:77: error: syntax error before "u_int8_t"
I was pretty sure this was related to the uint8_t and uint16_t definitions, but because I am not all that proficient at programming I couldn't figure out where to fix it. Luckily for me, I got a response from the group:

See where it says "from ipobj.c:51:" below, if you add #include "sf_types.h" on the line before that, you should get that file to compile. There may be others with the same problem and you will have to fix them similarly. - RCombs @ Source Fire
Yup, that makes sense: I need to include sf_types.h before any of the offending integer types are used, since sf_types.h is where they are properly defined.

So now it was just a matter of adding this include to all of the offending files, which turned into a fun exercise in:

# make > ../logfile 2>&1
# more logfile
# vi src/snort.c
Repeat the above process, editing each file the build fails on. In the end you will have edited the following 89 files (file name: line number):

  • ipobj.c:51
  • sf_ip.c:40
  • sf_vartable.c:35
  • sf_iph.c:28
  • sfPolicy.c:28
  • sfPolicyUserData.c:27
  • spo_alert_syslog.c:60
  • spo_log_null.c:49
  • spo_log_tcpdump.c:62
  • spo_unified.c:57
  • spo_unified2.c:42
  • sp_hdr_opt_wrap.c:28
  • sp_react.c:62
  • sf_snort_plugin_hdropts.c:34
  • sf_snort_detection_engine.c:40
  • sf_snort_plugin_api.c:33
  • sf_snort_plugin_byte.c:36
  • sf_snort_plugin_content.c:37
  • sf_snort_plugin_hdropts.c:34
  • sf_snort_plugin_loop.c:34
  • sf_snort_plugin_pcre.c:36
  • sf_snort_plugin_rc4.c:34
  • sf_decompression.c:43
  • sf_dynamic_plugins.c:64
  • sf_convert_dynamic.c:29
  • hi_paf.c:69
  • snort_stream5_udp.c:27
  • snort_stream5_icmp.c:27
  • snort_stream5_session.c:42
  • stream5_common.c:27
  • spp_rpc_decode.c:58
  • stream_ignore.c:53
  • spp_httpinspect.c:51
  • portscan.c:114
  • spp_sfportscan.c:56
  • stream_api.c:41
  • spp_normalize.c:26
  • normalize.c:36
  • ssl.c:33
  • sf_dynamic_preproc_lib.c:33
  • mempool.c:42
  • sf_email_attach_decode.c:26
  • ftp_bounce_lookup.c:46
  • ftp_cmd_lookup.c:46
  • ftpp_eo_log.c:51
  • ftpp_si.c:54
  • ftpp_ui_client_lookup.c:46
  • ftpp_ui_config.c:49
  • ftpp_ui_server_lookup.c:44
  • pp_ftp.c:59
  • pp_telnet.c:55
  • snort_ftptelnet.c:64
  • spp_ftptelnet.c:56
  • pop_config.c:47
  • pop_log.c:47
  • spp_pop.c:52
  • imap_config.c:47
  • imap_log.c:47
  • spp_imap.c:52
  • smtp_config.c:48
  • smtp_log.c:47
  • smtp_normalize.c:41
  • smtp_xlink2state.c:50
  • spp_smtp.c:52
  • spp_ssh.c:41
  • spp_dns.c:42
  • spp_ssl.c:31
  • dce2_debug.c:39
  • snort_dce2.c:28
  • spp_sdf.c:42
  • sdf_pattern_match.c:28
  • sdf_credit_card.c:25
  • sdf_us_ssn.c:25
  • sdf_detection_option.c:29
  • spp_sip.c:37
  • sip_config.c:30
  • sip_parser.c:32
  • sip_dialog.c:29
  • sip_utils.c:28
  • reputation_config.c:32
  • reputation_utils.c:28
  • sftarget_protocol_reference.c:31
  • decode.c:40
  • encode.c:37
  • active.c:36
  • snort.c:86
  • tag.c:35
  • pcrm.c:207
  • obfuscation.c:27
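Rather than opening 89 files in vi, the same edit can be scripted. The helper below is an added example (not a script from the post or from the Snort project): it reads a "file.c:NN" list in the format above, locates each bare file name under the Snort source root with find, and inserts the include immediately before the reported line. It skips entries that are already fixed, so the repeated sf_snort_plugin_hdropts.c entry is harmless; the source-root and list-file paths are whatever you pass in.

```shell
#!/bin/sh
# Added example: bulk-insert '#include "sf_types.h"' before the line gcc
# reported, so the u_int8_t/uint16_t typedefs are visible where they are used.

INCLUDE_LINE='#include "sf_types.h"'

# add_include FILE LINE: rewrite FILE with the include inserted before LINE.
# awk plus a temp file is used because Solaris /usr/bin/sed has no -i option.
add_include() {
    file=$1
    line=$2
    [ -f "$file" ] || { echo "skip: $file not found" >&2; return 1; }
    # Idempotent: if the include already appears at or above LINE (e.g. from a
    # previous run or a duplicated list entry), leave the file alone.
    if head -n "$line" "$file" | grep -q '^#include "sf_types.h"'; then
        echo "skip: $file already includes sf_types.h" >&2
        return 0
    fi
    tmp="$file.tmp.$$"
    awk -v n="$line" -v inc="$INCLUDE_LINE" \
        'NR == n { print inc } { print }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# fix_list ROOT LISTFILE: apply add_include to every "name.c:NN" entry.
# Trailing colons (as in some gcc messages) are tolerated by splitting on ':'.
fix_list() {
    root=$1
    list=$2
    while IFS=: read -r name num _; do
        [ -n "$name" ] || continue
        path=$(find "$root" -type f -name "$name" | head -n 1)
        if [ -n "$path" ]; then
            add_include "$path" "$num"
        else
            echo "skip: $name not found under $root" >&2
        fi
    done < "$list"
}

# Usage: fix_list /path/to/snort-2.9.1.2 offending-files.txt
```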

However, in the end I had the latest version of Snort compiled and running on my Solaris 10_x86 dev system:

--== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to passive.
Acquiring network traffic from "e1000g0".
Decoding Ethernet

--== Initialization Complete ==--

,,_ -*> Snort! <*-
o" )~ Version 2.9.1.2 IPv6 GRE (Build 84)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 1998-2011 Sourcefire, Inc., et al.
Using libpcap version 1.1.1
Using PCRE version: 8.12 2011-01-15
Using ZLIB version: 1.2.3

Commencing packet processing (pid=28106)

Now, I just need to package this all into a nice neat Solaris package and install it on the production servers. When I get a chance I will also zip up the Snort source code that I edited and post it here for any other Solaris users that are having issues.