[prelude-user] snort-prelude and OpenBSD

Gregory Podgorodesky dyadko999 at gmail.com
Wed Sep 3 08:39:23 CEST 2008 

without prelude support it works fine.
i've created 2 vmware environments:
1 OpenBSD 4.3 with default packages snort and prelude.
without prelude support it works and with it don't.
2 OpenBSD 4.3 with snort and prelude compiled from sources
here i compiled 2 snort binary files - with prelude support and without.
when i run snort without prelude support,in  /var/log/messages at the end i
see:
Sep  3 01:31:00 foo snort[26685]: Initializing daemon mode
Sep  3 01:31:01 foo snort[1057]: PID path stat checked out ok, PID path set
to /var/run/
Sep  3 01:31:01 foo snort[1057]: Writing PID "1057" to file
"/var/run//snort_vic0.pid"
Sep  3 01:31:01 foo snort[1057]: Daemon initialized, signaled parent pid:
26685
*Sep  3 01:31:01 foo snort[26685]: Daemon parent exiting *
Sep  3 01:31:28 foo snort[1057]:  [ Port Based Pattern Matching Memory ]
Sep  3 01:31:28 foo snort[1057]: +-[AC-BNFA Search Info
Summary]------------------------------
Sep  3 01:31:28 foo snort[1057]: | Instances        : 768
Sep  3 01:31:28 foo snort[1057]: | Patterns         : 134749
Sep  3 01:31:28 foo snort[1057]: | Pattern Chars    : 1346965
Sep  3 01:31:28 foo snort[1057]: | Num States       : 989476
Sep  3 01:31:28 foo snort[1057]: | Num Match States : 154757
Sep  3 01:31:28 foo snort[1057]: | Memory           :   22.45Mbytes
Sep  3 01:31:28 foo snort[1057]: |   Patterns       :   3.85M
Sep  3 01:31:28 foo snort[1057]: |   Match Lists    :   6.47M
Sep  3 01:31:28 foo snort[1057]: |   Transitions    :   11.96M
Sep  3 01:31:28 foo snort[1057]:
+-------------------------------------------------
Sep  3 01:31:28 foo snort[1057]: Snort initialization completed successfully
(pid=1057)
Sep  3 01:31:28 foo snort[1057]: Not Using PCAP_FRAMES

and i see only one process of snort with pid=1057 that runs in daemon mode.

When i run snort with prelude support in /var/log/messages i see:

Sep  3 01:42:30 foo snort[1437]: Initializing daemon mode
Sep  3 01:42:30 foo snort[28483]: PID path stat checked out ok, PID path set
to /var/run/
Sep  3 01:42:30 foo snort[28483]: Writing PID "28483" to file
"/var/run//snort_vic0.pid"
Sep  3 01:42:30 foo snort[28483]: Daemon initialized, signaled parent pid:
1437
Sep  3 01:42:31 foo prelude-manager: INFO: [127.0.0.1:2695 0x9cd4c48bda5ff
idmef:w admin:r]: TLS authentication succeed: client certificate is trusted.

Sep  3 01:42:41 foo snort[28483]:  [ Port Based Pattern Matching Memory ]
Sep  3 01:42:41 foo snort[28483]: +-[AC-BNFA Search Info
Summary]------------------------------
Sep  3 01:42:41 foo snort[28483]: | Instances        : 768
Sep  3 01:42:41 foo snort[28483]: | Patterns         : 134749
Sep  3 01:42:41 foo snort[28483]: | Pattern Chars    : 1346965
Sep  3 01:42:41 foo snort[28483]: | Num States       : 989476
Sep  3 01:42:41 foo snort[28483]: | Num Match States : 154757
Sep  3 01:42:41 foo snort[28483]: | Memory           :   22.45Mbytes
Sep  3 01:42:41 foo snort[28483]: |   Patterns       :   3.85M
Sep  3 01:42:41 foo snort[28483]: |   Match Lists    :   6.47M
Sep  3 01:42:41 foo snort[28483]: |   Transitions    :   11.96M
Sep  3 01:42:41 foo snort[28483]:
+-------------------------------------------------
Sep  3 01:42:41 foo snort[28483]: Snort initialization completed
successfully (pid=28483)
Sep  3 01:42:41 foo snort[28483]: Not Using PCAP_FRAMES

here i don't see that daemon parent exiting and in terminal where i run
snort i see a message:
0x7c7b8800 sleep_wait  15 -c---W---f 0000 main
here snort does'nt enter in to daemon mode.in another terminal i run ps -aux
i see two snort processes
one with pid=1437 and second with 28483.
i can manualy kill parent snort process and then snort detaches from the
first terminal.


On Tue, Sep 2, 2008 at 6:00 PM, Yoann Vandoorselaere <
yoann.v at prelude-ids.com> wrote:

> Hi Gregory,
>
> Le jeudi 28 août 2008 à 23:15 +0300, Gregory Podgorodesky a écrit :
> > Does anybody have configured snort-prelude and connected it to prelude
> > manager on OpenBSD ?
> > I've complied and installed  the latest version of libprelude and
> > prelude-manager on OpenBSD 4.3
> > also I've compiled installed snort 2.8.2 on the same machine.I succeed to
> > register snort and all looks well,
> > but when i am trying to run snort in daemon mode:
> > snort -c /etc/snort/snort.conf  -l /var/snort/log -D
> > i am getting  a strange message:
> > 0x8a3b0000 sleep_wait  15 -c---W---f 0000 main
> > and snort process doesn't enter in daemon mode - it simply stalls on this
> > message.
> > I tried to use OpenBSD outdated prelude packages and have got the same
> > issue.
>
> Could you please compile Snort without Prelude support to see if you can
> reproduce this problem? Make sure you use the same tarball that get you
> the crash with Prelude support.
>
> Regards,
>
> --
> Yoann Vandoorselaere | Responsable R&D / CTO | PreludeIDS Technologies
> Tel: +33 (0)8 70 70 21 58                  Fax: +33(0)4 78 42 21 58
> http://www.prelude-ids.com
>
>

More information about the Prelude-user mailing list