Please bump to snort 2.8 (released 25th September). The new version contains various bugfixes and speed improvements.

Reproducible: Always

Also, check the ebuilds for 2.7 and above, since the URL to download them changed from /dl/current to /dl/old once 2.8 was released. Thanks! Cheers,
We cannot emerge snort while the ebuilds are not checked, so this bug is a blocker. Cheers,
Kindly review http://bugs.gentoo.org/page.cgi?id=fields.html#bug_severity
I have been playing around with getting a newer version of snort working, and found one thing that will need to be modified in the newer ebuilds: you cannot use the version 2.4 rules, as they will not work with the newer versions. The community rules can easily be switched to "current" instead of 2.4, and that should work; but for the other set of rules, the user will have to register at snort.org to download the free set of rules (the subscription rules are not needed).
The upgrade should be done regardless, sooner or later, even with a blank set of rules. Regardless of that, what are the unresolved issues that we need to solve before 2.8 is in portage?
Any news on this topic? *subscribes*
I fully endorse this suggestion. I cannot update my rules via oinkmaster any more because I'll then get rules which break with the ancient version of snort.
But could anybody tell us what happened with the community rules?
2.8.0 stable was released 2007-09-20.
2.8.0.2 stable was recently released (2008-02-19).

Any chance for a version bump in portage?
(In reply to comment #8)
> 2.8.0 stable has been released 2007-09-20
> 2.8.0.2 stable has been recently released (2008-02-19)
>
> Any chance for version bump in portage?

Have you read my question? Any chance to dig up that information?
Sorry, I didn't get to that myself, but things are moving slowly...
(In reply to comment #9)
> (In reply to comment #8)
> > 2.8.0 stable has been released 2007-09-20
> > 2.8.0.2 stable has been recently released (2008-02-19)
> >
> > Any chance for version bump in portage?
>
> Have you read my question? Any chance to dig that information?
>
> Sorry didn't get to that myself, but things moving slowly...

As far as I'm concerned (and I can be 100% wrong here), Sourcefire changed their license, and as a registered user you can:

"Thank you for registering for snort.org. An e-mail has been sent to you with your new password. As a registered user you now have access to:
* Sourcefire VRT Certified Rules
* Snort User Forums
* Additional content such as webinars, etc."

License part for Registered Users:

1.6. "Registered User" shall mean an individual who has registered on www.snort.org to use the Registered User VRT Rules without a fee for such use.

1.7. "Registered User VRT Rules" means those VRT Certified Rules that are made generally available to snort.org registered users.

2.2. Registered User VRT Rules License Grant.
Subject to the terms and conditions of this Agreement, Sourcefire hereby grants each Registered User a world-wide, non-exclusive license to do any of the following with respect to the Registered User VRT Rules:
(a) Download, install, use and deploy the Registered User VRT Rules on Snort® sensors that such Registered User manages (over which such Registered User has administrative control);
(b) modify the Registered User VRT Rules and use those Modifications consistent with paragraph 2.1(a) above;
(c) distribute the Registered User VRT Rules and any Modifications generally available to Registered Users on a limited basis to other Registered Users;
(d) distribute any Improvement generally available to Registered Users on mailing lists commonly used by the Snort® user community as a whole;
(e) reproduce the Registered User VRT Rules as strictly necessary in exercising the rights under this Section 2.2; and
(f) Make the VRT Certified Rules (or any Modification) available to the Registered User's consultants, agents and subcontractors for the limited purpose of exercising its rights under this Section 2.2 provided that such use is in compliance with this Agreement.
Paragraphs (a) through (g) of this Section 2.2 are collectively referred to as the "Registered User Permitted Uses". All rights not granted under this Agreement are reserved by Sourcefire.

So the 2.8 ebuild might contain:

RESTRICT="fetch strip"

so that people have to register and download the VRT rules manually themselves in order to install snort. What do you think?
Any update?
Created attachment 155295 [details]
snort 2.8.2 ebuild

Ebuild taken from the ycarus overlay (kudos to them for creating it).
It's actually a snort-2.8.1.ebuild which I modified / renamed.
Created attachment 155297 [details] snort-2.8.2-libnet.patch
2.8.2.1 is now out. So what should I (a newbie) do?

a. Download the ebuild and libnet.patch above, rename them to 2.8.2.1, change the manifest, and then install after tweaking the hashes?
b. Download and install the source from snort/dl?

Thanks in advance.
Created attachment 164482 [details]
multilib-strict patch for amd64

Well, I am using snort 2.8.2.2 in my own overlay. On amd64 there are some multilib-strict errors, so I wrote a crap patch for them. It may or may not compile, but I hope this might help someone.
PS: I am only using inline mode, so I did not do any testing of the other modes.
Created attachment 164483 [details, diff]
multilib-strict patch for amd64
Created attachment 166809 [details]
snort 2.8.3 latest ebuild

The ebuild on this page didn't work for me: it couldn't find the snort-2.8.2.tar.gz file. I have mangled together (like the fly...) a new ebuild from this one and the one at http://gpo.zugaina.org/net-analyzer/snort?62739

This downloads the latest version (at the time of writing), 2.8.3-16. Hope this helps someone. I couldn't believe that the latest version in portage is 2.6, i.e. what is the point...... Cheers
My ebuild, snort-2.8.3.ebuild, also works with --inline, btw. Cheers
Unable to compile without the "dynamicplugin" USE flag (off by default):

i686-pc-linux-gnu-gcc -O2 -fomit-frame-pointer -pipe -Wall -DDETECTION_OPTION_TREE -DGRE -fno-strict-aliasing -Wl,-O1 -o snort codes.o debug.o decode.o log.o mstring.o parser.o profiler.o plugbase.o snort.o snprintf.o strlcatu.o strlcpyu.o tag.o ubi_BinTree.o ubi_SplayTree.o util.o detect.o signature.o mempool.o sf_sdlist.o fpcreate.o fpdetect.o pcrm.o byte_extract.o sfthreshold.o packet_time.o event_wrapper.o event_queue.o inline.o ppm.o log_text.o -L/usr/lib output-plugins/libspo.a detection-plugins/libspd.a dynamic-plugins/libdynamic.a preprocessors/libspp.a preprocessors/flow/portscan/libportscan.a preprocessors/flow/libflow.a parser/libparser.a target-based/libtarget_based.a preprocessors/HttpInspect/libhttp_inspect.a preprocessors/Stream5/libstream5.a sfutil/libsfutil.a /usr/lib/libpcre.so -lz -lbz2 -lpcap -lm -lnsl
detection-plugins/libspd.a(detection_options.o): In function `detection_option_key_compare_func':
detection_options.c:(.text+0xafe): undefined reference to `PreprocessorRuleOptionCompare'
detection_options.c:(.text+0xcb3): undefined reference to `DynamicRuleCompare'
detection-plugins/libspd.a(detection_options.o): In function `detection_option_hash_func':
detection_options.c:(.text+0xd68): undefined reference to `PreprocessorRuleOptionHash'
detection_options.c:(.text+0xf48): undefined reference to `DynamicRuleHash'
collect2: ld returned 1 exit status
*** Bug 239245 has been marked as a duplicate of this bug. ***
Bug #245752 should resolve most of these issues.
# Markus Ullmann <jokey@gentoo.org> (05 Sept 2007)
# masked for testing
>=net-analyzer/snort-2.7

There is a snort-2.8.3.1.ebuild in the tree, now let's see what we can do to get it unmasked at last :)
(In reply to comment #23)
> # Markus Ullmann <jokey@gentoo.org> (05 Sept 2007)
> # masked for testing
> >=net-analyzer/snort-2.7
>
> There is a snort-2.8.3.1.ebuild in the tree, now let's see what we can do to
> get it unmasked at last :)

I have bumped the ebuild to snort-2.8.3.2; it seems to work well. I had to apply some patches: one for fixing gcc-4.3.3 compilation (should be applied also to 2.8.3.1), one for fixing the RuleHeadFunc call in src/fpdetect.c (don't know if it should be applied also to 2.8.3.1). I'm emerging snort on amd64 with:

[ebuild R ] net-analyzer/snort-2.8.3.2 USE="community-rules dynamicplugin flexresp2 ipv6 memory-cleanup mysql threads -aruba -debug -decoder-preprocessor-rules -flexresp -gre -inline -inline-init-failopen -linux-smp-stats -mpls -odbc -perfprofiling -postgres -ppm -prelude -react -ruleperf (-selinux) -static -stream4udp -targetbased -timestats"

If you see an error like this:

In function 'open',
    inlined from 'server_stats_save' at server_stats.c:349:
/usr/include/bits/fcntl2.h:51: error: call to '__open_missing_mode' declared with attribute error: open with O_CREAT in second argument needs 3 arguments

it's because of gcc-4.3.3 (or just 4.3.x). Adding a third argument with the octal permissions to the "open" function is the solution. I have defaulted to 0644 in my gcc-4.3.3 patch; one may want to use 0600 or 0500 for enhanced security. Follow the attachments.
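The build error quoted in the comment above comes from glibc's fortified open() wrapper: with O_CREAT, open(2) reads a third argument (the permission mode of the file it creates), and a two-argument call compiles only because open() is variadic, leaving the kernel to pick up whatever happens to sit in that argument slot. The following is an added illustration, not Snort's code and not the attached patch: save_stats() is a hypothetical stand-in for the server_stats_save() call site, showing the broken and fixed calls side by side, the difference between 0644 and 0600, and two caveats a practitioner should know: the mode is masked by the process umask, and it is applied only when the file is actually created (a later open with O_TRUNC on an existing file leaves its permissions untouched).

```c
/*
 * Added example: explicit mode on open(O_CREAT), and what that mode does.
 * Not part of Snort or of the patches attached to this bug.
 */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write 'data' to 'path', creating/truncating it. Returns 0 on success, -1 on
 * error. Hypothetical stand-in for a stats-dumping routine. */
int save_stats(const char *path, const char *data, mode_t mode)
{
    /* BROKEN: the call the gcc-4.3 error message complains about.
     * It compiles on older toolchains but the mode is undefined garbage:
     *   int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC);
     * FIXED: pass the mode explicitly. 0644 = world-readable stats file,
     * 0600 = owner only. The kernel applies 'mode & ~umask', and only when
     * the file is created; an existing file keeps its current permissions. */
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, mode);
    if (fd < 0)
        return -1;

    size_t len = strlen(data);
    ssize_t n = write(fd, data, len);
    int rc = (n == (ssize_t)len) ? 0 : -1;
    if (close(fd) != 0)
        rc = -1;
    return rc;
}

/* Return the permission bits of 'path' (st_mode & 07777), or -1 on error. */
int file_mode(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (int)(st.st_mode & 07777);
}

/* 1 if group or others may read 'path', 0 if not, -1 on error. */
int world_readable(const char *path)
{
    int m = file_mode(path);
    if (m < 0)
        return -1;
    return (m & (S_IRGRP | S_IROTH)) != 0;
}

int main(void)
{
    char path[64];
    snprintf(path, sizeof path, "/tmp/stats-example-%ld", (long)getpid());

    /* Created with 0644: readable by everyone on the box (subject to umask). */
    unlink(path);
    if (save_stats(path, "pkts=42\n", 0644) == 0)
        printf("0644: mode %04o, world readable: %d\n",
               (unsigned)file_mode(path), world_readable(path));

    /* Rewriting an existing file with 0600 does NOT tighten it: the mode
     * argument is ignored when O_CREAT does not create anything. */
    if (save_stats(path, "pkts=43\n", 0600) == 0)
        printf("rewrite with 0600: mode still %04o\n", (unsigned)file_mode(path));

    /* To get 0600 the file must be created with it (or chmod'ed). */
    unlink(path);
    if (save_stats(path, "pkts=44\n", 0600) == 0)
        printf("created with 0600: mode %04o, world readable: %d\n",
               (unsigned)file_mode(path), world_readable(path));

    unlink(path);
    return 0;
}
```

Whichever default a patch picks, the mode is only an upper bound: a sensor run with umask 077 ends up with 0600 even if the code says 0644, while a permissive umask does the opposite of nothing, so the explicit value is where the decision should be made.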
Created attachment 183981 [details] Snort 2.8.3.2 ebuild
Created attachment 183982 [details, diff] Snort 2.8.3.1 gcc 4.3 patch
Created attachment 183983 [details, diff] Snort 2.8.3.2 RuleHeadFunc patch
(In reply to comment #24)
Sorry, I should have posted this earlier. Please do not use the snort-2.8.3.2 code base. There are some problems with it that prevent certain combinations of USE flags from compiling. I have a bug open with the snort devs regarding the issue, and it is supposed to be resolved in 2.8.4, which is currently in beta. When it is released (should be soon) I'll update the 2.8.3.1 ebuild to 2.8.4. I'd prefer to look at the gcc-43 patch at that time, if you don't mind.

> (In reply to comment #23)
> > # Markus Ullmann <jokey@gentoo.org> (05 Sept 2007)
> > # masked for testing
> > >=net-analyzer/snort-2.7
> >
> > There is a snort-2.8.3.1.ebuild in the tree, now let's see what we can do to
> > get it unmasked at last :)
>
> I have bumped the ebuild to snort-2.8.3.2, seems to work well. Had to apply
> some patches: one for fixing gcc-4.3.3 compilation (should be applied also to
> 2.8.3.1), one for fixing RuleHeadFunc call in src/fpdetect.c (don't know if
> should be applied also to 2.8.3.1). I'm emerging snort on amd64 with:
> [ebuild R ] net-analyzer/snort-2.8.3.2 USE="community-rules dynamicplugin
> flexresp2 ipv6 memory-cleanup mysql threads -aruba -debug
> -decoder-preprocessor-rules -flexresp -gre -inline -inline-init-failopen
> -linux-smp-stats -mpls -odbc -perfprofiling -postgres -ppm -prelude -react
> -ruleperf (-selinux) -static -stream4udp -targetbased -timestats"
>
> If you see an error like this:
> In function 'open',
> inlined from 'server_stats_save' at server_stats.c:349:
> /usr/include/bits/fcntl2.h:51: error: call to '__open_missing_mode' declared
> with attribute error: open with O_CREAT in second argument needs 3 arguments
>
> it' because of gcc-4.3.3 (or just 4.3.x). Adding a third argument with the
> octal permissions to the "open" function is the solution. I have defaulted to
> 0644 in my gcc-4.3.3 patch, one may want to use 0600 or 0500 for enhanced
> security.
> Follow the attachments.
There is a new ebuild for snort-2.8.4 at the following bug:

bug #266288

This ebuild should solve all of the issues in this bug, including the servers.stats issue. Server.stats was part of the flow preprocessor, which has been deprecated and removed from snort. Stream5 is its replacement.

We should close this bug.
(In reply to comment #29)
> There is a new ebuild for snort-2.8.4 at the following bug...
>
> #266288
>
> This ebuild should solve all of the issues in this bug including the
> servers.stats issue. Server.stats was part of the flow preprocessor which has
> been depreciated and removed from snort. Stream5 is it's replacement.
>
> We should close this bug.

bug #266288