
Re: OpenBSD3.8/Snort/sparc64 compilation issue



After toying with this a bit more, snort looks to not be stable if
configured without the --enable-64bit-gcc flag.  The process will
usually only run for ~15 minutes in daemon mode before dying.  I will
continue to work with the snort team on this but in the meantime
should the port be updated to be compiled with this flag?

Snort 2.4.3 build 26

Axton

On 1/6/06, Axton <axton_(_dot_)_grams_(_at_)_gmail_(_dot_)_com> wrote:
> There was 1 issue I ran into using snort 2.4.3 if logging to mysql.
> All the timestamp values for the entries in mysql get set to
> 0000-00-00 00:00:00, which is the default value defined for the
> column.  I tracked this down to the format of the insert statement
> being used to log the event to mysql:
>
> INSERT INTO event(sid,cid,signature,timestamp) VALUES
> ('1','164','8','2005-12-23 22:37:16.257698037');
>
> mySql only supports storing date/time information to the precision of
> 1 second. This is attempting to send the time to the precision of
> 1/1000000000 second. When a value is inserted where the precision is
> greater than 1/100000 second, the value fails and the default defined
> for the column is used (which in this case is 0000-00-00 00:00:00).
> The insert succeeds, but the event time is not recorded.
>
> I am working with the snort people to fix this problem, and it may
> even be fixed in the snapshot you are using.
>
> Here is a diff of spo_database.c that can be used to correct this problem:
>
> # diff -u -p  /home/agrams/packages/snort-2.4.3/src/output-plugins/spo_database.c
> /home/agrams/packages/snort-2.4.3_mod/src/output-plugins/spo_database.c
> --- /home/xxx/packages/snort-2.4.3/src/output-plugins/spo_database.c
> Fri Sep 23 16:58:10 2005
> +++ /home/xxx/packages/snort-2.4.3_mod/src/output-plugins/spo_database.c
>    Fri Dec 23 23:09:14 2005
> @@ -1005,6 +1005,27 @@ void Database(Packet *p, char *msg, void
>         }
>     }
>  #endif
> +/* Added by Axton Grams on 12/23/2005 to fix the millisecond problem
> + * with mySQL event date/time.
> +*/
> +#ifdef ENABLE_MYSQL
> +    if (data->shared->dbtype_id == DB_MYSQL)
> +    {
> +        /* Oracle (everything before 9i) does not support
> +         * date information smaller than 1 second.
> +         * To go along with the TO_DATE() Oracle function
> +         * below, this was written to strip out all the
> +         * excess information. (everything beyond a second)
> +         * Use the Oracle format of:
> +         *   "1998-01-25 23:59:59"
> +         */
> +        if ( timestamp_string!=NULL && strlen(timestamp_string)>20 )
> +        {
> +            timestamp_string[19] = '\0';
> +        }
> +    }
> +#endif
> +
>  #ifdef ENABLE_ODBC
>     if (data->shared->dbtype_id == DB_ODBC)
>     {
>
> Axton
>
>
> On 1/5/06, Brad <brad_(_at_)_comstyle_(_dot_)_com> wrote:
> > Thanks, the workaround has been committed.
> >
> >
> > On Thu, Jan 05, 2006 at 11:06:13PM -0500, Axton wrote:
> > > The diff provided by Brad resolves the problem.  I was able to
> > > successfully perform an nmap scan against an hme iface without
> > > receiving a bus error.  Tried this with the default rules provided
> > > with the package install, which is where I originally received the bus
> > > error.
> > >
> > > *** From the compiler:
> > > ===>  Installing snort-2.3.3p1 from
> > > /usr/ports/packages/sparc64/all/snort-2.3.3p1.tgz
> > > snort-2.3.3p1: complete
> > > --- snort-2.3.3p1 -------------------
> > > The Snort rule examples have been installed in /usr/local/share/examples/snort
> > >
> > > *** From the snort alert log:
> > > [**] [1:469:4] ICMP PING NMAP [**]
> > > [Classification: Attempted Information Leak] [Priority: 2]
> > > a/b-c:d:e.f g.h.i.j -> k.l.m.n
> > > ICMP TTL:23 TOS:0x0 ID:42353 IpLen:20 DgmLen:28
> > > Type:8  Code:0  ID:25454   Seq:52265  ECHO
> > > [Xref => http://www.whitehats.com/info/IDS162]
> > >
> > > The same should also work for 2.4.3 as well.  I compiled this from
> > > source from snort.org and have been running with the latest rules
> > > without a problem since I first reported this issue.
> > >
> > > Axton
> > >
> > >
> > > On 1/4/06, David Krause <openbsd_(_at_)_davidkrause_(_dot_)_com> wrote:
> > > > Did this resolve the problem?  I'm looking at updating it to 2.4.3 but
> > > > want to see about this first.
> > > >
> > > > David
> > > >
> > > > * Brad <brad_(_at_)_comstyle_(_dot_)_com> [051224 10:41]:
> > > > > The only interesting thing that --enable-64bit-gcc flag does is
> > > > > disable optimization. Can you try the following diff with the
> > > > > snort port and let me know if it now works for you as expected?
> > > > >
> > > > > Index: Makefile
> > > > > ===================================================================
> > > > > RCS file: /cvs/ports/net/snort/Makefile,v
> > > > > retrieving revision 1.37
> > > > > diff -u -p -r1.37 Makefile
> > > > > --- Makefile  4 Nov 2005 16:20:42 -0000       1.37
> > > > > +++ Makefile  24 Dec 2005 16:31:55 -0000
> > > > > @@ -3,7 +3,7 @@
> > > > >  COMMENT=     "highly flexible sniffer/NIDS"
> > > > >
> > > > >  DISTNAME=    snort-2.3.3
> > > > > -PKGNAME=     ${DISTNAME}p0
> > > > > +PKGNAME=     ${DISTNAME}p1
> > > > >  CATEGORIES=  net security
> > > > >  MASTER_SITES=        ${HOMEPAGE}/dl/current/
> > > > >
> > > > > @@ -20,6 +20,10 @@ SEPARATE_BUILD=    concurrent
> > > > >  CONFIGURE_STYLE= gnu
> > > > >
> > > > >  LIB_DEPENDS=     pcre::devel/pcre
> > > > > +
> > > > > +.if ${MACHINE_ARCH} == "sparc64"
> > > > > +CFLAGS=              -O0
> > > > > +.endif
> > > > >
> > > > >  FLAVORS=     postgresql mysql smbalert flexresp
> > > > >  FLAVOR?=
> > > > >
> > > > >
> > > > > On Fri, Dec 23, 2005 at 11:18:49PM -0500, Axton wrote:
> > > > > > Using snort-2.3.3p0.tgz (current) included in the 3.8 packages for
> > > > > > sparc64.  This package is not compiled properly to support a 64-bit
> > > > > > processor.
> > > > > >
> > > > > > With the current configuration options, a bus error is generated and
> > > > > > snort core dumps when a port scan is issued against the host while
> > > > > > snort is running.
> > > > > >
> > > > > > Steps to reproduce:
> > > > > > - Install snort package:
> > > > > > > # pkg_add snort-2.3.3p0.tgz
> > > > > > - Start snort
> > > > > > > # snort -i hme0
> > > > > > - Issue an nmap scan against the host running snort:
> > > > > > > # nmap -sS -sV -v -O -P0 x.x.x.x
> > > > > >
> > > > > > The console will then show "bus error" and snort dies.
> > > > > >
> > > > > > Compiling snort with these options resolves the problem:
> > > > > >
> > > > > > --enable-64bit-gcc \
> > > > > > --with-mysql \
> > > > > > --prefix=/usr/local \
> > > > > > --build=sparc64
> > > > > >
> > > > > >
> > > > > > Relevant System Information:
> > > > > >
> > > > > > # sysctl -n kern.version
> > > > > > OpenBSD 3.8 (GENERIC) #607: Sat Sep 10 16:03:59 MDT 2005
> > > > > >     deraadt_(_at_)_sparc64_(_dot_)_openbsd_(_dot_)_org:/usr/src/sys/arch/sparc64/compile/GENERIC
> > > > > >
> > > > > >
> > > > > > Axton Grams
> > > > > >
> > > >
> > >
> >
>
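The timestamp truncation from the spo_database.c diff quoted above, reworked as an added example (this is not Snort's code or the thread author's patch): it tightens the length test to 19 so a dangling "." is also removed, and refuses values that do not have a datetime shape instead of blindly cutting them.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* "YYYY-MM-DD HH:MM:SS" is 19 characters, the most a second-precision
 * MySQL DATETIME column stores before falling back to the column default
 * of 0000-00-00 00:00:00, the symptom described in the thread. */
#define MYSQL_DATETIME_LEN 19

/* Returns 1 if the first 19 characters have the shape of a datetime
 * (digits plus '-', ' ' and ':' separators), else 0. Shape only. */
int datetime_prefix_ok(const char *ts)
{
    static const char shape[] = "dddd-dd-dd dd:dd:dd";
    size_t i;
    if (ts == NULL || strlen(ts) < MYSQL_DATETIME_LEN)
        return 0;
    for (i = 0; i < MYSQL_DATETIME_LEN; i++) {
        if (shape[i] == 'd' ? !isdigit((unsigned char)ts[i])
                            : ts[i] != shape[i])
            return 0;
    }
    return 1;
}

/* Cuts the value back to whole seconds in place. Tests "> 19" rather than
 * the patch's "> 20", so a 20-character "2005-12-23 22:37:16." also loses
 * its dangling '.'. Returns the number of characters removed, or -1 when
 * the value is not a datetime at all and should not reach the database. */
int truncate_to_seconds(char *ts)
{
    size_t len;
    if (!datetime_prefix_ok(ts))
        return -1;
    len = strlen(ts);
    if (len > MYSQL_DATETIME_LEN) {
        ts[MYSQL_DATETIME_LEN] = '\0';
        return (int)(len - MYSQL_DATETIME_LEN);
    }
    return 0;
}

int main(void)
{
    /* Constructed sample: the value from the INSERT quoted in the thread. */
    char ts[] = "2005-12-23 22:37:16.257698037";
    int removed = truncate_to_seconds(ts);
    printf("removed %d chars -> '%s'\n", removed, ts);
    return 0;
}
```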