Bug 196929 - net-analyzer/snortsam-2.50-r1 - connection to remote snort fails between 32-bit/64-bit hosts
Summary: net-analyzer/snortsam-2.50-r1 - connection to remote snort fails between 32-b...
Status: RESOLVED UPSTREAM
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: AMD64 Linux
Importance: High normal
Assignee: Gentoo Netmon project
URL: http://www.snortsam.net/
Whiteboard:
Keywords: NeedPatch
Depends on:
Blocks:
 
Reported: 2007-10-24 14:28 UTC by al1ta
Modified: 2014-07-17 14:31 UTC (History)
See Also:
Package list:
Runtime testing required: ---


Description al1ta 2007-10-24 14:28:33 UTC
The communication between snort and snortsam doesn't work on an amd64 Gentoo, probably due to a mismatched implementation of the TwoFish algorithm.

Everything works fine in a 32bit environment

snort is logging

INFO => [Alert_FWsam](FWsamCheckIn) Connected to host 127.0.0.1.
ERROR => [Alert_FWsam](FWsamCheckIn) Password mismatch! Ignoring host 127.0.0.1. 

snortsam is logging

2007/10/19, 14:49:24, 127.0.0.1, 3, snortsam, Accepted connection from 127.0.0.1.
2007/10/19, 14:49:24, 127.0.0.1, 3, snortsam, Adding sensor 127.0.0.1 to list.
2007/10/19, 14:49:24, 127.0.0.1, 3, snortsam, Had to use initial key!
2007/10/19, 14:49:24, 127.0.0.1, 1, snortsam, Snort station 127.0.0.1 using wrong password, trying to re-sync. 



Reproducible: Always

Actual Results:  
I've tried to isolate the bug to see if it is in snort instead of snortsam. The problem seems to be in both.

These are my tests:

- gentoo 32bit snortsam+snort on same machine works great
- gentoo 64bit snortsam+snort on same machine doesn't work
- snortsam on 32bit machine snort on 64bit machine doesn't work
- snortsam on 64bit machine snort on 32bit machine doesn't work

The strange thing is that in /usr/portage/net-analyzer/snortsam/ChangeLog it is written:


23 Sep 2007; Wulf C. Krueger <philantrop@gentoo.org>
snortsam-2.50-r1.ebuild:
Marked stable on amd64 as per bug 191519. 


snort.conf config involved in snortsam
--------------------------------------

output alert_fwsam: localhost:898/xxxxxxx 

snortsam.conf
--------------

defaultkey xxxxxxxx
accept localhost
fwsam localhost
keyinterval 30 minutes
dontblock xxx.xxx.xxx.xxx # home network
rollbackhosts 50
rollbackthreshold 20 / 30 secs
rollbacksleeptime 1 minute
logfile /var/log/snortsam.log
loglevel 4
daemon
#nothreads
email localhost alert@machinemain
iptables eth0 LOG 

package in system
-----------------

 emerge -pv snort snortsam

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild R ] net-analyzer/snort-2.6.1.4 USE="dynamicplugin flexresp2 linux-smp-stats mysql snortsam timestats -flexresp -gre -inline -odbc -perfprofiling -postgres -prelude -react (-selinux) -sguil" 0 kB
[ebuild R ] net-analyzer/snortsam-2.50-r1 0 kB
Comment 1 al1ta 2007-10-24 14:55:57 UTC
If you search for these things on the internet you will find this post:

<<Snortsam and Snort will only ignore the peer if they can not renegotiate a new session key using the default password, meaning, the default passwords don't match up.

The only time I've seen that error constantly, despite both passwords being correct, is when Snort or Snortsam runs on a 64 bit system. The TwoFish encryption routines in Snortsam are built for 32 bit systems only, and are not fit for 64 bit systems.

So, question to you: Is your system 64 bit?>>

You get the same thing trying to use the stable version of snort:

net-analyzer/snort-2.6.1.3-r1

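The "built for 32 bit systems only" remark in the quoted post describes a classic LP64 porting bug: C code written when `unsigned long` was 32 bits wide silently assumes that arithmetic wraps at 2^32, which no longer holds on amd64. The C program below is an added illustration of that class of bug, not Snortsam's or Snort's own TwoFish code; the `mix_legacy`/`mix_portable` functions, the seed and the sample password are constructed for the example and only show why a 32-bit and a 64-bit host can derive different key material from the same password.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Legacy style: "unsigned long" was assumed to be a 32-bit word.
 * On ILP32 (x86) that holds; on LP64 (amd64) the sum never wraps at
 * 2^32, so bits pile up above bit 31 and the final right shift pulls
 * them back down into the result. (Constructed mixing step, not the
 * real TwoFish key schedule.) */
static unsigned long mix_legacy(const char *pw) {
    unsigned long k = 5381;                 /* constructed seed */
    for (size_t i = 0; pw[i] != '\0'; i++)
        k = k * 33 + (unsigned char)pw[i];  /* author expected 32-bit wrap */
    return (k >> 16) ^ k;                   /* fold high half into low half */
}

/* Portable version: a fixed-width uint32_t wraps identically on every host. */
static uint32_t mix_portable(const char *pw) {
    uint32_t k = 5381;
    for (size_t i = 0; pw[i] != '\0'; i++)
        k = k * 33 + (unsigned char)pw[i];
    return (k >> 16) ^ k;
}

/* 1 if the legacy routine reproduces the portable result for this password
 * on the current host, 0 if a 32-bit peer and this host would disagree
 * (the "Password mismatch!" / "using wrong password" situation). */
int legacy_matches_portable(const char *pw) {
    return (mix_legacy(pw) & 0xFFFFFFFFUL) == mix_portable(pw);
}

/* 1 on hosts where unsigned long really is 32 bits wide (ILP32). */
int host_long_is_32bit(void) {
    return sizeof(unsigned long) == 4;
}

int main(void) {
    const char *pw = "xxxxxxxx";  /* constructed sample, like the masked key in the report */
    printf("unsigned long is %zu bytes; legacy routine %s portable result for \"%s\"\n",
           sizeof(unsigned long),
           legacy_matches_portable(pw) ? "matches" : "DIFFERS from", pw);
    return 0;
}
```

On an amd64 host the program reports a difference while the same source agrees with itself on x86, which is exactly the 32-bit/64-bit asymmetry listed in the reporter's four test combinations.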
Comment 2 Jakub Moc (RETIRED) gentoo-dev 2007-10-24 17:44:31 UTC
emerge --info and ebuild version please.
Comment 3 al1ta 2007-10-24 19:42:23 UTC
-rw-r--r-- 1 root root 6001 Apr 22  2007 /usr/portage/net-analyzer/snort/snort-2.6.1.4.ebuild
-rw-r--r-- 1 root root 1364 Oct 12 03:06 /usr/portage/net-analyzer/snortsam/snortsam-2.50-r1.ebuild


emerge -pv snort snortsam

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R   ] net-analyzer/snort-2.6.1.4  USE="dynamicplugin flexresp2 gre linux-smp-stats mysql prelude react snortsam timestats -flexresp -inline -odbc -perfprofiling -postgres (-selinux) -sguil" 0 kB
[ebuild   R   ] net-analyzer/snortsam-2.50-r1  0 kB



emerge --info
Portage 2.1.3.9 (default-linux/amd64/2007.0, gcc-4.1.2, glibc-2.6.1-r0, 2.6.23 x86_64)
=================================================================
System uname: 2.6.23 x86_64 Intel(R) Pentium(R) D CPU 3.40GHz
Timestamp of tree: Wed, 24 Oct 2007 07:50:01 +0000
app-shells/bash:     3.2_p17
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python:     2.4.4-r5
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.9-r2
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.24
virtual/os-headers:  2.6.22-r2
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=nocona -O3 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /var/bind"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php4/ext-active/ /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php4/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php4/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-march=nocona -O3 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks metadata-transfer sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://mirror.switch.ch/ftp/mirror/gentoo/ "
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/layman/xeffects"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="X acl alsa amd64 arts berkdb bitmap-fonts cdr cli cracklib crypt cups dbus dri dvd fortran gdbm gpm gtk iconv ipv6 isdnlog jpeg kde midi mmx mudflap ncurses nls nptl nptlonly openmp pam pcre perl pppd python qt3 qt4 readline reflection session spl sse sse2 ssl tcpd tiff truetype-fonts type1-fonts unicode xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="fglrx"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS




Comment 4 al1ta 2007-10-24 19:48:12 UTC
uname -a
Linux bigbang 2.6.23 #2 SMP Wed Oct 17 12:46:17 CEST 2007 x86_64 Intel(R) Pentium(R) D CPU 3.40GHz GenuineIntel GNU/Linux
Comment 5 al1ta 2007-10-25 00:36:53 UTC
does snort + snortsam works on a 64bit gentoo?
Comment 6 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2008-12-20 22:08:48 UTC
@netmon team: Please advise, should we remove the amd64 keyword?
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2011-11-18 04:59:17 UTC
How about 2.70? :)
Comment 8 Agostino Sarubbo gentoo-dev 2011-12-15 17:06:46 UTC
Re-add amd64 if it is needed.
Comment 9 irritum 2013-02-24 14:30:45 UTC
Hi, what is happening with this issue? I have emerged snortsam-2.50-r1 and snort-2.9.2.2, then setup the same passwords in snort.conf and snortsam.conf, but I am getting:

2013/02/24, 14:12:49, 127.0.0.1, 1, snortsam, Snort station 127.0.0.1 using wrong password, trying to re-sync.

Below my emerge --info

Portage 2.1.11.50 (hardened/linux/amd64/no-multilib/selinux, gcc-4.6.3, glibc-2.15-r3, 3.7.5-hardened x86_64)
=================================================================
System uname: Linux-3.7.5-hardened-x86_64-Intel-R-_Core-TM-_i3-3220_CPU_@_3.30GHz-with-gentoo-2.1
KiB Mem:     8136544 total,   1770712 free
KiB Swap:   15626232 total,  15626232 free
Timestamp of tree: Mon, 18 Feb 2013 00:45:01 +0000
ld GNU ld (GNU Binutils) 2.22
app-shells/bash:          4.2_p37
dev-java/java-config:     2.1.12-r1
dev-lang/python:          2.7.3-r2, 3.2.3
dev-util/cmake:           2.8.9
dev-util/pkgconfig:       0.28
sys-apps/baselayout:      2.1-r1
sys-apps/openrc:          0.11.8
sys-apps/sandbox:         2.5
sys-devel/autoconf:       2.13, 2.69
sys-devel/automake:       1.9.6-r3, 1.11.6
sys-devel/binutils:       2.22-r1
sys-devel/gcc:            4.6.3
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4-r1
sys-devel/make:           3.82-r4
sys-kernel/linux-headers: 3.6 (virtual/os-headers)
sys-libs/glibc:           2.15-r3
Repositories: gentoo overlay-gcpan-worldofconferences-com overlay-own-worldofconferences-com
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS=" -Wall -O2 -march=core2 -mtune=corei7 -mmmx -msse -msse2 -mssse3 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/boot /etc /usr/lib64/tomoyo/conf /usr/local/etc /usr/own/etc /usr/share/gnupg/qualified.txt /usr/share/openvpn/easy-rsa /var/chroot"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d/binutils /etc/env.d/gcc /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/sandbox.d /etc/terminfo"
CXXFLAGS=" -Wall -O2 -march=core2 -mtune=corei7 -mmmx -msse -msse2 -mssse3 -pipe"
DISTDIR="/var/portage/distfiles"
EMERGE_DEFAULT_OPTS="--autounmask=y --autounmask-write=n --autounmask-keep-masks=y --ask-enter-invalid --color=y --jobs=2 --load-average=1.5 --misspell-suggestions=n --with-bdeps=y"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs clean-logs collision-protect compress-build-logs compress-index config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync metadata-transfer multilib-strict news notitles parallel-fetch prelink-checksums protect-owned sandbox selinux sesandbox sfperms strict stricter suidctl unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync webrsync-gpg xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS=" http://tux.rainside.sk/gentoo/ http://mirror.leaseweb.com/gentoo/ http://gentoo.mneisen.org/ http://ftp.ing.umu.se/linux/gentoo/ http://gentoo.po.opole.pl/"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j5 -l5"
PKGDIR="/var/portage/packages"
PORTAGE_COMPRESS="xz"
PORTAGE_COMPRESS_FLAGS="-9"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/overlay-gcpan /usr/own/portage"
SYNC=""
USE="acl acpi amd64 audit bash-completion berkdb bzip2 caps clamav cli cracklib crypt cscope curl curlwrappers cxx dri fam gd gdbm geoip gif gnutls gpm gzip hardened hddtemp iconv icu idn imap ipv6 javascript jpeg jpeg2k justify libwww lm_sensors lzma lzo maildir mailwrapper memlimit mhash mime mmx mmxext modules mudflap ncurses nntp nptl open_perms openmp pam pax_kernel pcre pdf peer_perms perl png posix python readline sasl savedconfig selinux session smp snmp spell sse sse2 ssl ssse2 ssse3 subversion svg symlink syslog szip tcpd threads tiff ubac udev unicode urandom usb vhosts vim-syntax xattr xml zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" APACHE2_MPMS="worker" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 
lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="en pl" NGINX_MODULES_HTTP="access auth_basic autoindex browser charset empty_gif fastcgi geo geoip gzip gzip_static headers_more image_filter limit_conn limit_req map memcached proxy push realip referer rewrite secure_link slowfs_cache scgi split_clients ssi upload upload_progress upstream_ip_hash userid uwsgi" PHP_TARGETS="php5-3" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_2" RUBY_TARGETS="ruby18 ruby19" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga nouveau nv r128 radeon savage sis tdfx trident vesa via vmware dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
Comment 10 Sergey Popov gentoo-dev 2013-02-24 14:33:32 UTC
(In reply to comment #9)
> How about 2.70?

Same issue?
Comment 11 irritum 2013-02-25 17:53:41 UTC
Hmmm, strange... I emerged snortsam-2.70 with snort-2.9.2.2 and I still have in log files:

snortsam, Snort station 127.0.0.1 using wrong password, trying to re-sync.

On the other hand snortsam is blocking properly, since:

snortsam, Blocking host x.x.x.x completely for 900 seconds (Sig_ID: 99999999).

And appropriate rule shows up in iptables chain :)

FYI both, snort and snortsam are placed on the same machine.
Comment 12 Sergey Popov gentoo-dev 2013-02-25 18:47:49 UTC
(In reply to comment #11)
> Hmmm, strange... I emerged snortsam-2.70 with snort-2.9.2.2 and I still have
> in log files:
> 
> snortsam, Snort station 127.0.0.1 using wrong password, trying to re-sync.
> 
> On the other hand snortsam is blocking properly, since:
> 
> snortsam, Blocking host x.x.x.x completely for 900 seconds (Sig_ID:
> 99999999).
> 
> And appropriate rule shows up in iptables chain :)
> 
> FYI both, snort and snortsam are placed on the same machine.

This is better, don't you think? :-)
But, anyway, it should be reported upstream
Comment 13 Tom Wijsman (TomWij) (RETIRED) gentoo-dev 2014-04-26 13:02:46 UTC
Has this been reported upstream?