
Subject: [Snort-users] Want to run Snort on x86_64 (CentOS 4.2/RHEL4)? Think again :)
Date: Sun, 20 Nov 2005 17:44:23 +0600
Or at least tell me I am wrong :)

Basically, after 2 days of struggling with Snort on CentOS 4.2
(x86_64), running on a DL360 G4 server (Xeon 3.0GHz, HT enabled, etc), I
realized Snort won't work properly on this system, in 64-bit mode.

Ok, it compiles nice, no errors or warnings. Everything seems to be ok.

However, when it needs to alert - this is where things go ballistic.

Simply, it does not alert on events. Even if you make a very simple
rule, to match only 1 simple string ("AUTH123" in my case), you have
a 12% chance that it will get caught. At least this was my experience.

I can see the traffic with "snort -dv port 25", for example, but when I
type the string AUTH123 - it mostly doesn't raise any alarms. Then,
sometimes, Snort will show an alert (coming from 1 direction only,
although I've enabled the rule to catch all directions). You do the same
thing 10 seconds later, and nothing happens. No alerts.

After much struggle (adding additional cards to the box, installing
different network drivers, reconfiguring switches and ports, and
a zillion other configuration changes), I've decided to compile Snort
in 32-bit mode.

Compiled (all with -m32) libpcap-0.9.4, pcre 6.3, and then Snort.

It started, and suddenly alerts started showing up as expected.

I saw x86_64 RPMs of Snort at various places, so I assumed (heh, rule
No.1 - "Never assume" :) it will work ok in 64-bit mode. However, it
did not for me.

I am not sure if this problem is specific to CentOS 4.2 (RHEL4), or to
all x86_64 distros, but I'd like to hear if anyone is using it in
64-bit mode, on an Intel Xeon machine, without problems.

Thanks.

Vanja


  • [Snort-users] Want to run Snort on x86_64 (CentOS 4.2/RHEL4)? Think again :), Vanja Hrustic <=