sancp-devel Mailing List for SA Network Connection Profiler
Brought to you by: johncurry
From: John C. <joh...@me...> - 2010-07-01 16:00:50

Sandy,

In response to your last post on freebsd-forums. These errors...

    usr/local/etc/sancp-1.6.2-candidate.C/sancp.cc:94: undefined reference to `prelude_client_get_analyzer'
    sancp.o(.text+0x243):/usr/local/etc/sancp-1.6.2-candidate.C/sancp.cc:98: undefined reference to `idmef_analyzer_new_model'
    sancp.o(.text+0x267):/usr/local/etc/sancp-1.6.2-candidate.C/sancp.cc:101: undefined reference to `prelude_string_set_ref_fast'
    sancp.o(.text+0x278):/usr/local/etc/sancp-1.6.2-candidate.C/sancp.cc:103: undefined reference to `idmef_analyzer_new_class'
    sancp.o(.text+0x29c):/usr/local/etc/sancp-1.6.2-candidate.C/sancp.cc:106: undefined reference to `prelude_string_set_ref_fast'
    sancp.o(.text+0x2ad):/usr/local/etc/sancp-1.6.2-candidate.C/sancp.cc:108: undefined reference to `idmef_analyzer_new_manufacturer'
    sancp.o(.text+0x2d5):/usr/local/etc/sancp-1.6.2-candidate.C/sancp.cc:111: undefined reference to `prelude_string_set_ref_fast'
    sancp.o(.text+0x2e6):/usr/local/etc/sancp-1.6.2-candidate.C/sancp.cc:113: undefined reference to `idmef_analyzer_new_version'
    sancp.o(.text+0x30e):/usr/local/etc/sancp-1.6.2-candidate.C/sancp.cc:116: undefined reference to `prelude_string_set_ref_fast'
    sancp.o(.text+0x6bb): In function `main':
    ......
    ...

... indicate the compiler is having problems linking to the libprelude library, itself.

Let's find the location of libprelude.so.

Code:

    find /usr | grep libprelude.so
    /usr/local/lib/libprelude.so

then add it to the PRELUDE-CFLAGS= in the Makefile.

Code:

    PRELUDE-CFLAGS=-I/usr/local/include -L/usr/local/lib/libprelude.so

now try the 'make <build>' command again.

-John
From: John C. <joh...@me...> - 2010-06-28 11:18:38
diff -N -U3 -r sancp-1.6.2-candidate.C/build_acl.cc sancp-1.6.2-candidate.C.mod/build_acl.cc --- sancp-1.6.2-candidate.C/build_acl.cc 2007-07-07 05:42:48.000000000 +0000 +++ sancp-1.6.2-candidate.C.mod/build_acl.cc 2010-06-25 13:57:39.000000000 +0000 @@ -479,7 +479,7 @@ int size=0; int mylen=0; char *rule=NULL; - char *accept="\t ,;="; + char accept[]="\t ,;="; struct vars *tmp_var=NULL; struct acl *tmp_acl=0; struct t_ports *ports_head; diff -N -U3 -r sancp-1.6.2-candidate.C/check_packet.cc sancp-1.6.2-candidate.C.mod/check_packet.cc --- sancp-1.6.2-candidate.C/check_packet.cc 2007-07-07 05:54:44.000000000 +0000 +++ sancp-1.6.2-candidate.C.mod/check_packet.cc 2010-06-25 14:15:10.000000000 +0000 @@ -490,7 +490,7 @@ // Look for a fin from this packet's sender // - if( cn->tcpCFlags & ( (0x01)<<( direction - 1 ) ) == ( (0x01)<<( direction - 1 ) ) ) + if( (cn->tcpCFlags & ( (0x01)<<( direction - 1 ) )) == ( (0x01)<<( direction - 1 ) ) ) { // diff -N -U3 -r sancp-1.6.2-candidate.C/docs/INSTALL sancp-1.6.2-candidate.C.mod/docs/INSTALL --- sancp-1.6.2-candidate.C/docs/INSTALL 2007-07-07 03:11:05.000000000 +0000 +++ sancp-1.6.2-candidate.C.mod/docs/INSTALL 2010-06-25 15:39:10.000000000 +0000 @@ -18,7 +18,7 @@ 1.a. (Prelude users only) - Read beginning of Makefile and modify to enable PRELUDE support + Run ./prelude.setup 2. Compile diff -N -U3 -r sancp-1.6.2-candidate.C/docs/README.prelude sancp-1.6.2-candidate.C.mod/docs/README.prelude --- sancp-1.6.2-candidate.C/docs/README.prelude 1970-01-01 00:00:00.000000000 +0000 +++ sancp-1.6.2-candidate.C.mod/docs/README.prelude 2010-06-25 14:29:13.000000000 +0000 @@ -0,0 +1,6 @@ + +To build with Prelude support + +1. Run ./prelude.setup +2. Run make <platform> + diff -N -U3 -r sancp-1.6.2-candidate.C/gvars.h sancp-1.6.2-candidate.C.mod/gvars.h --- sancp-1.6.2-candidate.C/gvars.h 2007-07-07 03:53:33.000000000 +0000 +++ sancp-1.6.2-candidate.C.mod/gvars.h 2010-06-25 14:43:26.000000000 +0000 
@@ -26,17 +26,10 @@ /* 'null' is a place holder - in the list for field 0 */ + enum id #ifdef ENABLE_PRELUDE_SUPPORT -{null,sancp_id,start_time_gmt,start_time_local,stop_time_gmt,stop_time_local,erased_time_gmt,erased_time_loca -l,eth_proto_hex,eth_proto,ip_proto,src_ip_decimal,src_ip_dotted,src_port,dst_ip_decimal,dst_ip_dotted,dst_port, -duration,timeout,src_pkts,dst_pkts,src_bytes,dst_bytes,sflags_hex,sflags,sflags_1,sflags_2,sflags_U,sflags_A,sf -lags_P,sflags_R,sflags_S,sflags_F,dflags_hex,dflags,dflags_1,dflags_2,dflags_U,dflags_A,dflags_P,dflags_R,dflag -s_S,dflags_F,cflags_hex,cflags,cflags_DA,cflags_SA,cflags_DR,cflags_SR,cflags_DF,cflags_SF,ip_len_s,ip_ttl_s,ip -_df_s,tcp_wss_s,tcp_mss_s,tcp_wscale_s,tcp_sack_ok_s,tcp_nop_s,ip_len_d,ip_ttl_d,ip_df_d,tcp_wss_d,tcp_mss_d,tc -p_wscale_d,tcp_sack_ok_d,tcp_nop_d,total_bytes,collect,collected,climit,tcplag,pcap,realtime,stats,reversed,has -h,rid,rgid,node,zone,status,retro,src_mac,dst_mac,prelude_impact_sevirty,prelude_impact_completion,prelude_impa -ct_type,prelude_confidence_rating,prelude_profile,sample_src_len,sample_src_hex,sample_src_asc,sample_dst_len,sample_dst_hex,sample_dst_asc,output_session_id,output_filename,start_pos,stop_pos,first_start_pos,last_stop_pos }; 
+{null,sancp_id,start_time_gmt,start_time_local,start_time_local_unixtime,stop_time_gmt,stop_time_local,stop_time_local_unixtime,erased_time_gmt,erased_time_local,erased_time_local_unixtime,eth_proto_hex,eth_proto,ip_proto,src_ip_decimal,src_ip_dotted,src_port,dst_ip_decimal,dst_ip_dotted,dst_port,duration,timeout,src_pkts,dst_pkts,src_bytes,dst_bytes,sflags_hex,sflags,sflags_1,sflags_2,sflags_U,sflags_A,sflags_P,sflags_R,sflags_S,sflags_F,dflags_hex,dflags,dflags_1,dflags_2,dflags_U,dflags_A,dflags_P,dflags_R,dflags_S,dflags_F,cflags_hex,cflags,cflags_DA,cflags_SA,cflags_DR,cflags_SR,cflags_DF,cflags_SF,ip_len_s,ip_ttl_s,ip_df_s,tcp_wss_s,tcp_mss_s,tcp_wscale_s,tcp_sack_ok_s,tcp_nop_s,ip_len_d,ip_ttl_d,ip_df_d,tcp_wss_d,tcp_mss_d,tcp_wscale_d,tcp_sack_ok_d,tcp_nop_d,total_bytes,collect,collected,climit,tcplag,pcap,realtime,stats,endex,reversed,hash,rid,rgid,node,zone,status,retro,src_mac,dst_mac,prelude_impact_severty,prelude_impact_completion,prelude_impact_type,prelude_confidence_rating,prelude_profile,sample_src_len,sample_src_hex,sample_src_asc,sample_dst_len,sample_dst_hex,sample_dst_asc,output_session_id,output_filename,start_pos,stop_pos,first_start_pos,last_stop_pos }; #else 
{null,sancp_id,start_time_gmt,start_time_local,start_time_local_unixtime,stop_time_gmt,stop_time_local,stop_time_local_unixtime,erased_time_gmt,erased_time_local,erased_time_local_unixtime,eth_proto_hex,eth_proto,ip_proto,src_ip_decimal,src_ip_dotted,src_port,dst_ip_decimal,dst_ip_dotted,dst_port,duration,timeout,src_pkts,dst_pkts,src_bytes,dst_bytes,sflags_hex,sflags,sflags_1,sflags_2,sflags_U,sflags_A,sflags_P,sflags_R,sflags_S,sflags_F,dflags_hex,dflags,dflags_1,dflags_2,dflags_U,dflags_A,dflags_P,dflags_R,dflags_S,dflags_F,cflags_hex,cflags,cflags_DA,cflags_SA,cflags_DR,cflags_SR,cflags_DF,cflags_SF,ip_len_s,ip_ttl_s,ip_df_s,tcp_wss_s,tcp_mss_s,tcp_wscale_s,tcp_sack_ok_s,tcp_nop_s,ip_len_d,ip_ttl_d,ip_df_d,tcp_wss_d,tcp_mss_d,tcp_wscale_d,tcp_sack_ok_d,tcp_nop_d,total_bytes,collect,collected,climit,tcplag,pcap,realtime,stats,endex,reversed,hash,rid,rgid,node,zone,status,retro,src_mac,dst_mac,sample_src_len,sample_src_hex,sample_src_asc,sample_dst_len,sample_dst_hex,sample_dst_asc,output_session_id,output_filename,start_pos,stop_pos,first_start_pos,last_stop_pos }; #endif diff -N -U3 -r sancp-1.6.2-candidate.C/Makefile sancp-1.6.2-candidate.C.mod/Makefile --- sancp-1.6.2-candidate.C/Makefile 2007-07-07 03:02:04.000000000 +0000 +++ sancp-1.6.2-candidate.C.mod/Makefile 2010-06-25 16:10:39.000000000 +0000 @@ -3,9 +3,12 @@ ## HOWTO use this Makefile ## Type 'make linux', 'make bsd' or 'make solaris' ## -## For PRELUDE-SUPPORT uncomment the next two lines (remove initial '#') -#PRELUDE-CFLAGS=`libprelude-config --cflags` -#PRELUDE-SUPPORT=`@(echo "#define ENABLE_PRELUDE_SUPPORT" >> platform.h)` +## +## +## PRELUDE-SUPPORT: first run './prelude.setup' then 'make <build>' +## or manually set PRELUDE-CFLAGS below to output from `libprelude-config --cflags` +## +PRELUDE-CFLAGS= # ------------------------------------------------------------------- # 
@@ -44,6 +47,10 @@ ## ## ## +default : + @make final + g++ -Wall $(LFLAGS) $(CFLAGS) -o sancp sancp.o sancpsignals.o misc_functs.o check_packet.o statefull_logging.o build_acl.o apply_rule.o decode.o pcap_functions.o pcapFileHandle.o fileHandle.o MemoryPool.o permissions.o outputFileHandle.o + final : sancp.cc Makefile g++ -Wall $(CFLAGS) -c build_acl.cc -o build_acl.o @@ -60,7 +67,6 @@ g++ -Wall $(CFLAGS) -c check_packet.cc -o check_packet.o g++ -Wall $(CFLAGS) -c statefull_logging.cc -o statefull_logging.o g++ -Wall $(CFLAGS) -c sancpsignals.cc -o sancpsignals.o - g++ -Wall $(LFLAGS) $(CFLAGS) -o sancp sancp.o sancpsignals.o misc_functs.o check_packet.o statefull_logging.o build_acl.o apply_rule.o decode.o pcap_functions.o pcapFileHandle.o fileHandle.o MemoryPool.o permissions.o outputFileHandle.o clean : @(echo "" > platform.h) diff -N -U3 -r sancp-1.6.2-candidate.C/platform.h sancp-1.6.2-candidate.C.mod/platform.h --- sancp-1.6.2-candidate.C/platform.h 2007-07-07 06:48:59.000000000 +0000 +++ sancp-1.6.2-candidate.C.mod/platform.h 2010-06-25 16:32:26.000000000 +0000 @@ -1 +0,0 @@ - diff -N -U3 -r sancp-1.6.2-candidate.C/prelude.setup sancp-1.6.2-candidate.C.mod/prelude.setup --- sancp-1.6.2-candidate.C/prelude.setup 1970-01-01 00:00:00.000000000 +0000 +++ sancp-1.6.2-candidate.C.mod/prelude.setup 2010-06-25 16:46:52.000000000 +0000 
@@ -0,0 +1,43 @@ +#!/bin/sh + +# +# clean up past settings +# +make clean + +# +# backup orignal makefile +# +if [ ! -f Makefile.distro ]; then + mv -f Makefile Makefile.distro +fi + +# +# detect prelude cflags +# +PRELUDECFLAGSHERE=`libprelude-config --cflags` + +# +# if libprelude-config fails, try searching +# +if [ "X$PRELUDECFLAGSHERE" = "X" ]; then + echo " No libprelude-config --cflags output detected, searching for libprelude manually" + if [ -d /usr/include/libprelude ]; then + PRELUDECFLAGSHERE="-I/usr/include" + fi + if [ -d /usr/local/include/libprelude ]; then + PRELUDECFLAGSHERE="-I/usr/local/include" + fi +fi + + + +# Recreate Makefile with prelude support +echo " Applying prelude cflags: $PRELUDECFLAGSHERE" +cat Makefile.distro | sed "s:PRELUDE-CFLAGS=:PRELUDE-CFLAGS=$PRELUDECFLAGSHERE:g" > Makefile + +# modifying platform.h for prelude support +echo "#define ENABLE_PRELUDE_SUPPORT" >> platform.h + +# notify user +echo "Next: Try 'make <build>'" diff -N -U3 -r sancp-1.6.2-candidate.C/sancp.cc sancp-1.6.2-candidate.C.mod/sancp.cc --- sancp-1.6.2-candidate.C/sancp.cc 2007-07-07 05:39:19.000000000 +0000 +++ sancp-1.6.2-candidate.C.mod/sancp.cc 2010-06-25 14:43:46.000000000 +0000 
@@ -48,9 +48,11 @@ /* Modifications to this statement can cause alignment problems with 'enum id' in gvars.h */ /* Make certain all strings are represented in the same order (as barewords) in 'enum id' in gvars.h */ #ifdef ENABLE_PRELUDE_SUPPORT -char fmtnames[MAXFLDS][MAXFLDSIZE] = { {"null"},{"sancp_id"},{"start_time_gmt"},{"start_time_local"},{"start_time_local_unixtime"},{"stop_time_gmt"},{"stop_time_local"},{"stop_time_local_unixtime"},{"erased_time_gmt"},{"erased_time_local"},{"erased_time_local_unixtime"},{"eth_proto_hex"},{"eth_proto"},{"ip_proto"},{"src_ip_decimal"},{"src_ip_dotted"},{"src_port"},{"dst_ip_decimal"},{"dst_ip_dotted"},{"dst_port"},{"duration"},{"timeout"},{"src_pkts"},{"dst_pkts"},{"src_bytes"},{"dst_bytes"},{"sflags_hex"},{"sflags"},{"sflags_1"},{"sflags_2"},{"sflags_U"},{"sflags_A"},{"sflags_P"},{"sflags_R"},{"sflags_S"},{"sflags_F"},{"dflags_hex"},{"dflags"},{"dflags_1"},{"dflags_2"},{"dflags_U"},{"dflags_A"},{"dflags_P"},{"dflags_R"},{"dflags_S"},{"dflags_F"},{"cflags_hex"},{"cflags"},{"cflags_DA"},{"cflags_SA"},{"cflags_DR"},{"cflags_SR"},{"cflags_DF"},{"cflags_SF"},{"ip_len_s"},{"ip_ttl_s"},{"ip_df_s"},{"tcp_wss_s"},{"tcp_mss_s"},{"tcp_wscale_s"},{"tcp_sack_ok_s"},{"tcp_nop_s"},{"ip_len_d"},{"ip_ttl_d"},{"ip_df_d"},{"tcp_wss_d"},{"tcp_mss_d"},{"tcp_wscale_d"},{"tcp_sack_ok_d"},{"tcp_nop_d"},{"total_bytes"},{"collect"},{"collected"},{"climit"},{"tcplag"},{"pcap"},{"realtime"},{"stats"},{"index"},{"reversed"},{"hash"},{"rid"},{"rgid"},{"node"},{"zone"},{"status"},{"retro"},{"src_mac"},{"dst_mac"},{"prelude_impact_sevirty"},{"prelude_impact_completion"},{"prelude_impact_type"},{"prelude_confidence_rating"},{"prelude_profile"},{"sample_src_len"},{"sample_src_hex"},{"sample_src_asc"},{"sample_dst_len"},{"sample_dst_hex"},{"sample_dst_asc"},{"output_session_id"},{"output_filename"},{"start_pos"},{"stop_pos"},{"first_start_pos"},{"last_stop_pos"} }; +char fmtnames[MAXFLDS][MAXFLDSIZE] = { +{"null"}, {"sancp_id"}, {"start_time_gmt"}, 
{"start_time_local"}, {"start_time_local_unixtime"}, {"stop_time_gmt"}, {"stop_time_local"}, {"stop_time_local_unixtime"}, {"erased_time_gmt"}, {"erased_time_local"}, {"erased_time_local_unixtime"}, {"eth_proto_hex"}, {"eth_proto"}, {"ip_proto"}, {"src_ip_decimal"}, {"src_ip_dotted"}, {"src_port"}, {"dst_ip_decimal"}, {"dst_ip_dotted"}, {"dst_port"}, {"duration"}, {"timeout"}, {"src_pkts"}, {"dst_pkts"}, {"src_bytes"}, {"dst_bytes"}, {"sflags_hex"}, {"sflags"}, {"sflags_1"}, {"sflags_2"}, {"sflags_U"}, {"sflags_A"}, {"sflags_P"}, {"sflags_R"}, {"sflags_S"}, {"sflags_F"}, {"dflags_hex"}, {"dflags"}, {"dflags_1"}, {"dflags_2"}, {"dflags_U"}, {"dflags_A"}, {"dflags_P"}, {"dflags_R"}, {"dflags_S"}, {"dflags_F"}, {"cflags_hex"}, {"cflags"}, {"cflags_DA"}, {"cflags_SA"}, {"cflags_DR"}, {"cflags_SR"}, {"cflags_DF"}, {"cflags_SF"}, {"ip_len_s"}, {"ip_ttl_s"}, {"ip_df_s"}, {"tcp_wss_s"}, {"tcp_mss_s"}, {"tcp_wscale_s"}, {"tcp_sack_ok_s"}, {"tcp_nop_s"}, {"ip_len_d"}, {"ip_ttl_d"}, {"ip_df_d"}, {"tcp_wss_d"}, {"tcp_mss_d"}, {"tcp_wscale_d"}, {"tcp_sack_ok_d"}, {"tcp_nop_d"}, {"total_bytes"}, {"collect"}, {"collected"}, {"climit"}, {"tcplag"}, {"pcap"}, {"realtime"}, {"stats"}, {"endex"}, {"reversed"}, {"hash"}, {"rid"}, {"rgid"}, {"node"}, {"zone"}, {"status"}, {"retro"}, {"src_mac"}, {"dst_mac"}, {"prelude_impact_severty"}, {"prelude_impact_completion"}, {"prelude_impact_type"}, {"prelude_confidence_rating"}, {"prelude_profile"}, {"sample_src_len"}, {"sample_src_hex"}, {"sample_src_asc"}, {"sample_dst_len"}, {"sample_dst_hex"}, {"sample_dst_asc"}, {"output_session_id"}, {"output_filename"}, {"start_pos"}, {"stop_pos"}, {"first_start_pos"}, {"last_stop_pos"} }; #else -char fmtnames[MAXFLDS][MAXFLDSIZE] = { 
{"null"},{"sancp_id"},{"start_time_gmt"},{"start_time_local"},{"start_time_local_unixtime"},{"stop_time_gmt"},{"stop_time_local"},{"stop_time_local_unixtime"},{"erased_time_gmt"},{"erased_time_local"},{"erased_time_local_unixtime"},{"eth_proto_hex"},{"eth_proto"},{"ip_proto"},{"src_ip_decimal"},{"src_ip_dotted"},{"src_port"},{"dst_ip_decimal"},{"dst_ip_dotted"},{"dst_port"},{"duration"},{"timeout"},{"src_pkts"},{"dst_pkts"},{"src_bytes"},{"dst_bytes"},{"sflags_hex"},{"sflags"},{"sflags_1"},{"sflags_2"},{"sflags_U"},{"sflags_A"},{"sflags_P"},{"sflags_R"},{"sflags_S"},{"sflags_F"},{"dflags_hex"},{"dflags"},{"dflags_1"},{"dflags_2"},{"dflags_U"},{"dflags_A"},{"dflags_P"},{"dflags_R"},{"dflags_S"},{"dflags_F"},{"cflags_hex"},{"cflags"},{"cflags_DA"},{"cflags_SA"},{"cflags_DR"},{"cflags_SR"},{"cflags_DF"},{"cflags_SF"},{"ip_len_s"},{"ip_ttl_s"},{"ip_df_s"},{"tcp_wss_s"},{"tcp_mss_s"},{"tcp_wscale_s"},{"tcp_sack_ok_s"},{"tcp_nop_s"},{"ip_len_d"},{"ip_ttl_d"},{"ip_df_d"},{"tcp_wss_d"},{"tcp_mss_d"},{"tcp_wscale_d"},{"tcp_sack_ok_d"},{"tcp_nop_d"},{"total_bytes"},{"collect"},{"collected"},{"climit"},{"tcplag"},{"pcap"},{"realtime"},{"stats"},{"index"},{"reversed"},{"hash"},{"rid"},{"rgid"},{"node"},{"zone"},{"status"},{"retro"},{"src_mac"},{"dst_mac"},{"sample_src_len"},{"sample_src_hex"},{"sample_src_asc"},{"sample_dst_len"},{"sample_dst_hex"},{"sample_dst_asc"},{"output_session_id"},{"output_filename"},{"start_pos"},{"stop_pos"},{"first_start_pos"},{"last_stop_pos"} }; +char fmtnames[MAXFLDS][MAXFLDSIZE] = { +{"null"}, {"sancp_id"}, {"start_time_gmt"}, {"start_time_local"}, {"start_time_local_unixtime"}, {"stop_time_gmt"}, {"stop_time_local"}, {"stop_time_local_unixtime"}, {"erased_time_gmt"}, {"erased_time_local"}, {"erased_time_local_unixtime"}, {"eth_proto_hex"}, {"eth_proto"}, {"ip_proto"}, {"src_ip_decimal"}, {"src_ip_dotted"}, {"src_port"}, {"dst_ip_decimal"}, {"dst_ip_dotted"}, {"dst_port"}, {"duration"}, {"timeout"}, {"src_pkts"}, {"dst_pkts"}, {"src_bytes"}, 
{"dst_bytes"}, {"sflags_hex"}, {"sflags"}, {"sflags_1"}, {"sflags_2"}, {"sflags_U"}, {"sflags_A"}, {"sflags_P"}, {"sflags_R"}, {"sflags_S"}, {"sflags_F"}, {"dflags_hex"}, {"dflags"}, {"dflags_1"}, {"dflags_2"}, {"dflags_U"}, {"dflags_A"}, {"dflags_P"}, {"dflags_R"}, {"dflags_S"}, {"dflags_F"}, {"cflags_hex"}, {"cflags"}, {"cflags_DA"}, {"cflags_SA"}, {"cflags_DR"}, {"cflags_SR"}, {"cflags_DF"}, {"cflags_SF"}, {"ip_len_s"}, {"ip_ttl_s"}, {"ip_df_s"}, {"tcp_wss_s"}, {"tcp_mss_s"}, {"tcp_wscale_s"}, {"tcp_sack_ok_s"}, {"tcp_nop_s"}, {"ip_len_d"}, {"ip_ttl_d"}, {"ip_df_d"}, {"tcp_wss_d"}, {"tcp_mss_d"}, {"tcp_wscale_d"}, {"tcp_sack_ok_d"}, {"tcp_nop_d"}, {"total_bytes"}, {"collect"}, {"collected"}, {"climit"}, {"tcplag"}, {"pcap"}, {"realtime"}, {"stats"}, {"endex"}, {"reversed"}, {"hash"}, {"rid"}, {"rgid"}, {"node"}, {"zone"}, {"status"}, {"retro"}, {"src_mac"}, {"dst_mac"}, {"sample_src_len"}, {"sample_src_hex"}, {"sample_src_asc"}, {"sample_dst_len"}, {"sample_dst_hex"}, {"sample_dst_asc"}, {"output_session_id"}, {"output_filename"}, {"start_pos"}, {"stop_pos"}, {"first_start_pos"}, {"last_stop_pos"} }; #endif /* This will be our default realtime layout */ @@ -116,8 +118,15 @@ return 0; } + #endif +void setstring (char * var,const char *value){ + int sizex=sizeof(value); + var=(char *) calloc(sizex,1); + memcpy(var,value,sizex); +} + /************* * Main * *************/ 
@@ -194,13 +203,11 @@ gVars.console_delimiter=DEFAULT_DELIMITER; gVars.console_eor=DEFAULT_EOR; - gVars.prelude_impact_severity=PRELUDE_IMPACT_SEVERITY; - gVars.prelude_impact_completion=PRELUDE_IMPACT_COMPLETION; - gVars.prelude_impact_type=PRELUDE_IMPACT_TYPE; - gVars.prelude_confidence_rating=PRELUDE_CONFIDENCE_RATING; - gVars.prelude_profile=PRELUDE_PROFILE; - - + setstring(gVars.prelude_impact_severity,PRELUDE_IMPACT_SEVERITY); + setstring(gVars.prelude_impact_completion,PRELUDE_IMPACT_COMPLETION); + setstring(gVars.prelude_impact_type,PRELUDE_IMPACT_TYPE); + setstring(gVars.prelude_confidence_rating,PRELUDE_CONFIDENCE_RATING); + setstring(gVars.prelude_profile,PRELUDE_PROFILE); for(cKey=0; cKey<HASH_KEYS; cKey++) { diff -N -U3 -r sancp-1.6.2-candidate.C/sancp.h sancp-1.6.2-candidate.C.mod/sancp.h --- sancp-1.6.2-candidate.C/sancp.h 2007-07-07 05:53:20.000000000 +0000 +++ sancp-1.6.2-candidate.C.mod/sancp.h 2010-06-25 13:21:32.000000000 +0000 @@ -169,7 +169,7 @@ #define false 0 #define PROMISC 1 #define MAX_VAR 256 -#define MAXFLDS 101 // define number of elements in fmtnames[] +#define MAXFLDS 106 // define number of elements in fmtnames[] #define MAXFLDSIZE 27 // define largest element in fmtnames[MAXFLDS][MAXFLDLEN] #define MAXENTRYLEN 256 #define DELIMITER '|' diff -N -U3 -r sancp-1.6.2-candidate.C/statefull_logging.cc sancp-1.6.2-candidate.C.mod/statefull_logging.cc --- sancp-1.6.2-candidate.C/statefull_logging.cc 2007-07-06 18:10:26.000000000 +0000 +++ sancp-1.6.2-candidate.C.mod/statefull_logging.cc 2010-06-25 13:52:35.000000000 +0000 
@@ -32,6 +32,36 @@ return (((x>>8)&0x00FF)+((x<<8)&0xFF00)); } +void snprintf_inaddr_toa(char *buf, int len, struct in_addr *in_addr) +{ + snprintf(buf,len,"%s",inet_ntoa(*in_addr)); +} + +void snprintf_inaddr_tohl(char *buf, int len, struct in_addr *inaddr) +{ + snprintf(buf,len,"%lu",(unsigned long) ntohl(*(unsigned long*)(inaddr))); +} + +void snprintf_gmtime(char *buf, int len, time_t timeval) +{ + char currenttime[80]; + strftime(currenttime,80,"%Y-%m-%d %T",(struct tm*)gmtime(&timeval)); + snprintf(buf,len,"%s",currenttime); +} + +void snprintf_localtime(char *buf, int len, time_t timeval) +{ + char currenttime[80]; + strftime(currenttime,80,"%Y-%m-%d %T",(struct tm*)localtime(&timeval)); + snprintf(buf,len,"%s",currenttime); +} + +void snprintf_local_unixtime(char *buf, int len, time_t timeval, const char delimiter) +{ + int currenttime; + currenttime = (int) time(&timeval); + snprintf(buf,len,"%d",currenttime); +} void print_header(outputFileHandle *fH){ extern char fmtnames[MAXFLDS][MAXFLDSIZE]; char LOG[MAXENTRYLEN+1]; 
@@ -133,6 +163,62 @@ if(gVars.sfH) record(cn,gVars.sfH); } + if(cn->fH){ + + cn->fH->destroy(); + cn->fH=0; + } + + tmpptr=cn; + cn=tmpptr->next; + if(gVars.expired_cnxs.tail==tmpptr){ + gVars.expired_cnxs.head=NULL; + gVars.expired_cnxs.tail=NULL; + } + /* free any sampling data */ + if(tmpptr->sampleBufferPtr[0]){ + tmpptr->sampleBufferPtr[0]->Free(); + tmpptr->sample[0]=0; + } + if(tmpptr->sampleBufferPtr[1]){ + tmpptr->sampleBufferPtr[1]->Free(); + tmpptr->sample[1]=0; + } + tmpptr->CBufferPtr->Free(); + tmpptr=NULL; + } + gVars.lasterase=gVars.timeptr.tv_sec; + if(gVars.burst_mode){ + // Close current stats filehandle now, and prepare the name for the next output file + // it won't actually 'open' till we try to write to the file (when we're called again + // or when we exit and clear connections from memory) + if(gVars.sfH){ gVars.sfH->destroy(); gVars.sfH=NULL; } + if(!gVars.sfH && gVars.smode){ + tmp=createFileName(gVars.stats_fname,gVars.smode == OMODE_TSFILENAME); + gVars.sfH = new outputFileHandle(tmp,gVars.stats_fmt,gVars.stats_fmt_len,APPEND_MODE); + gVars.sfH->setFormat(gVars.stats_fmt,gVars.stats_fmt_len); + gVars.sfH->setEor(gVars.stats_eor); + gVars.sfH->setDelimiter(gVars.stats_delimiter); + free(tmp); + } + + }else{ + // We do nothing and leave the file open + // We'll close the file when we terminate or receive a kill HUP signal + + } + // Call pthread_wait here - when we decide to use threads +#ifndef PLATFORM_SOLARIS + if(!gVars.use_pcap_time){ +#ifdef DEBUG + printf("Rearming alarm for %d secs\n",gVars.default_flush_interval); +#endif + alarm(gVars.default_flush_interval); + } +#endif +} + + #ifdef ENABLE_PRELUDE_SUPPORT 
@@ -243,9 +329,9 @@ /* alert.source(0).node.address(0) (ip address) */ if(cn->reversed==CNX_REVERSED){ - snprintf_inaddr_toa(LOG,MAXENTRYLEN,(struct in_addr*) &cn->d_ip,'\0'); + snprintf_inaddr_toa(LOG,MAXENTRYLEN,(struct in_addr*) &cn->d_ip); }else{ - snprintf_inaddr_toa(LOG,MAXENTRYLEN,(struct in_addr*) &cn->s_ip,'\0'); + snprintf_inaddr_toa(LOG,MAXENTRYLEN,(struct in_addr*) &cn->s_ip); } add_idmef_object(idmef, "alert.source(0).node.address(0).category", "ipv4-addr"); @@ -318,9 +404,9 @@ /* alert.target(0).node.address(0) (ip address) */ if(cn->reversed==CNX_REVERSED){ - snprintf_inaddr_toa(LOG,MAXENTRYLEN,(struct in_addr*) &cn->s_ip,'\0'); + snprintf_inaddr_toa(LOG,MAXENTRYLEN,(struct in_addr*) &cn->s_ip); }else{ - snprintf_inaddr_toa(LOG,MAXENTRYLEN,(struct in_addr*) &cn->d_ip,'\0'); + snprintf_inaddr_toa(LOG,MAXENTRYLEN,(struct in_addr*) &cn->d_ip); } add_idmef_object(idmef, "alert.target(0).node.address(0).category", "ipv4-addr"); 
@@ -340,61 +426,6 @@ #endif - if(cn->fH){ - - cn->fH->destroy(); - cn->fH=0; - } - - tmpptr=cn; - cn=tmpptr->next; - if(gVars.expired_cnxs.tail==tmpptr){ - gVars.expired_cnxs.head=NULL; - gVars.expired_cnxs.tail=NULL; - } - /* free any sampling data */ - if(tmpptr->sampleBufferPtr[0]){ - tmpptr->sampleBufferPtr[0]->Free(); - tmpptr->sample[0]=0; - } - if(tmpptr->sampleBufferPtr[1]){ - tmpptr->sampleBufferPtr[1]->Free(); - tmpptr->sample[1]=0; - } - tmpptr->CBufferPtr->Free(); - tmpptr=NULL; - } - gVars.lasterase=gVars.timeptr.tv_sec; - if(gVars.burst_mode){ - // Close current stats filehandle now, and prepare the name for the next output file - // it won't actually 'open' till we try to write to the file (when we're called again - // or when we exit and clear connections from memory) - if(gVars.sfH){ gVars.sfH->destroy(); gVars.sfH=NULL; } - if(!gVars.sfH && gVars.smode){ - tmp=createFileName(gVars.stats_fname,gVars.smode == OMODE_TSFILENAME); - gVars.sfH = new outputFileHandle(tmp,gVars.stats_fmt,gVars.stats_fmt_len,APPEND_MODE); - gVars.sfH->setFormat(gVars.stats_fmt,gVars.stats_fmt_len); - gVars.sfH->setEor(gVars.stats_eor); - gVars.sfH->setDelimiter(gVars.stats_delimiter); - free(tmp); - } - - }else{ - // We do nothing and leave the file open - // We'll close the file when we terminate or receive a kill HUP signal - - } - // Call pthread_wait here - when we decide to use threads -#ifndef PLATFORM_SOLARIS - if(!gVars.use_pcap_time){ -#ifdef DEBUG - printf("Rearming alarm for %d secs\n",gVars.default_flush_interval); -#endif - alarm(gVars.default_flush_interval); - } -#endif -} - void expire_connections() { extern gvars gVars; 
@@ -472,36 +503,6 @@ } } -void snprintf_inaddr_toa(char *buf, int len, struct in_addr *in_addr) -{ - snprintf(buf,len,"%s",inet_ntoa(*in_addr)); -} - -void snprintf_inaddr_tohl(char *buf, int len, struct in_addr *inaddr) -{ - snprintf(buf,len,"%lu",(unsigned long) ntohl(*(unsigned long*)(inaddr))); -} - -void snprintf_gmtime(char *buf, int len, time_t timeval) -{ - char currenttime[80]; - strftime(currenttime,80,"%Y-%m-%d %T",(struct tm*)gmtime(&timeval)); - snprintf(buf,len,"%s",currenttime); -} - -void snprintf_localtime(char *buf, int len, time_t timeval) -{ - char currenttime[80]; - strftime(currenttime,80,"%Y-%m-%d %T",(struct tm*)localtime(&timeval)); - snprintf(buf,len,"%s",currenttime); -} - -void snprintf_local_unixtime(char *buf, int len, time_t timeval, const char delimiter) -{ - int currenttime; - currenttime = (int) time(&timeval); - snprintf(buf,len,"%d",currenttime); -} void record(struct cnx *cn, outputFileHandle *fH) { |
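Review bot: the parenthesization fix in check_packet.cc (`@@ -490,7 +490,7 @@`) is correct but also changes behaviour, and the commit message should say so: in the old form `==` binds tighter than `&`, so the expression reduced to `cn->tcpCFlags & 1` and only ever tested bit 0, whatever `direction` was; the "fin from this packet's sender" check therefore never fired for direction 2. Since the masked value is compared against the same single-bit mask, `if( cn->tcpCFlags & ( (0x01)<<( direction - 1 ) ) )` says the same thing with no room for this precedence mistake to come back.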
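Review bot: in the gvars.h hunk (`@@ -26,17 +26,10 @@`) the enum entry is now spelled `prelude_impact_severty`, the removed line had `prelude_impact_sevirty`, and the gVars member set in sancp.cc is `prelude_impact_severity`; because fmtnames[] must mirror this enum entry for entry and these names are what users put in format strings, use the one correct spelling `prelude_impact_severity` in both files rather than replacing one typo with another. The old enum also had nothing between `stats` and `reversed` while the old fmtnames[] had `index` there, so every field after `stats` was off by one; the new lists line up, which is worth stating in the commit message, and a one-line comment on why the entry is `endex` and not `index` would stop the next reader from "correcting" it back.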
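Review bot: the new `default` target in the Makefile hunk (`@@ -44,6 +47,10 @@`) recurses with a literal `@make final`; use `$(MAKE)` so the chosen make binary, `-j` and command-line variable overrides propagate. More importantly, the link command was deleted from `final` and now exists only in `default`, while the documented entry points are `make linux`, `make bsd` and `make solaris` (not visible in the hunk): confirm those targets go through `default` and not straight to `final`, otherwise they compile the objects and never produce the `sancp` binary.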
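Review bot: prelude.setup (`@@ -0,0 +1,43 @@`) captures only `libprelude-config --cflags`, so the build still fails at link time with undefined `prelude_*`/`idmef_*` references, which is exactly what Sandy reports in the 2010-07-01 message further up this page; it should also capture `libprelude-config --libs` and get that into the link line. Two smaller points: `sed "s:PRELUDE-CFLAGS=:PRELUDE-CFLAGS=$PRELUDECFLAGSHERE:g"` uses `:` as the delimiter, so any flag containing a colon breaks the expression (pick a delimiter that cannot occur in flags, or let awk read the value from the environment), and the script has no `set -e`, so a failed `make clean` or `mv` is silently followed by the Makefile rewrite.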
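Review bot: `setstring()` in the sancp.cc hunk `@@ -116,8 +118,15 @@` does not do what it is meant to. `sizeof(value)` is the size of a `const char *` (4 or 8 bytes), not the length of the string, so the copy is truncated for longer literals and over-reads shorter ones; and `var` is a by-value parameter, so the `calloc()` result is stored in a local copy, the caller's pointer is never updated, and the allocation leaks. Either return the copy, `char *setstring(const char *value){ char *p = strdup(value); if(!p) abort(); return p; }`, and assign at the call site, or take `char **var` and size the copy with `strlen(value)+1`.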
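Review bot: the five `setstring(gVars.prelude_...)` calls in `@@ -194,13 +203,11 @@` pass the field by value, so after this hunk `gVars.prelude_impact_severity` and the other four hold whatever they held before the call, whereas the removed direct assignments at least left them pointing at the PRELUDE_* literals; this is a regression for the prelude build until setstring either returns the copy (`gVars.prelude_impact_severity = setstring(PRELUDE_IMPACT_SEVERITY);`) or receives `&gVars.prelude_impact_severity`.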
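Review bot: `#define MAXFLDS 106` in the sancp.h hunk (`@@ -169,7 +169,7 @@`) matches the ENABLE_PRELUDE_SUPPORT fmtnames[] list in this patch, but the non-prelude list in the same sancp.cc hunk has five fewer names (no `prelude_*` fields), so in that build the last five rows of `fmtnames[MAXFLDS][MAXFLDSIZE]` are zero-filled and any loop bounded by MAXFLDS sees five empty field names. Make the define conditional (`#ifdef ENABLE_PRELUDE_SUPPORT` 106, `#else` 101) or have the lookup stop at the first empty name, and keep the comment on the define in step with whichever you choose.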
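Review bot: moving the `snprintf_*` helpers above their first use in statefull_logging.cc (`@@ -32,6 +32,36 @@`) fixes the declaration-order problem, but a prototype in the header would be a far smaller diff than relocating 30 lines; and since the code is being touched, two defects in the moved functions are worth fixing in the same patch. `snprintf_inaddr_tohl` casts a 4-byte `struct in_addr` to `unsigned long *`, which on LP64 platforms reads 8 bytes past the struct and prints garbage (use `ntohl(inaddr->s_addr)` into a `uint32_t` with `%u`). `snprintf_local_unixtime` calls `time(&timeval)`, which overwrites the timestamp it was handed with the current clock and then prints that, so the `*_unixtime` fields always log "now" rather than the connection's time; print `(long) timeval` directly, and drop the unused `delimiter` parameter.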
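Review bot: `@@ -133,6 +163,62 @@` together with the matching removal in `@@ -340,61 +426,6 @@` moves the per-connection cleanup and the function's closing brace from after the `#ifdef ENABLE_PRELUDE_SUPPORT ... #endif` region to before it, and neither hunk shows what that region begins with. If it is inline alert code operating on `cn` (the `add_idmef_object(idmef, ...)` lines in the `@@ -243,9 +329,9 @@` hunk read that way), then after this move it sits outside the loop and outside any function, so the prelude build stops compiling and expired connections would no longer raise alerts; if it is a separate function definition, the old layout nested it inside this function, which would explain the original build failures. Say which in the commit message and confirm both the prelude and non-prelude builds compile.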
From: John C. <joh...@me...> - 2010-06-24 12:39:41

I've attached a second patch to resolve the second error reported.

    sancp.cc:51: error: too many initializers for 'char [101][27]'

-John Curry
From: John C. <joh...@me...> - 2010-06-24 02:16:02

> Hello
>
> Thank you for the answer,
>
> The problem was not yet solved, you can find details in the forum
> http://forums.freebsd.org/showthread.php?t=15260
>
> Best Regards

There is a format problem in the prelude-related source in gvars.h. Lines 31 - 39 need to be joined into a single line without spaces. See attached.

    cd sancp-1.6.2-candidate.C
    patch < sancp-1.6.2-candidate.C.prelude.20100623.patch.diff

-John Curry
From: John C. <joh...@me...> - 2010-06-24 02:01:44

> Hello
>
> Thank you for the answer,
>
> The problem was not yet solved, you can find details in the forum
> http://forums.freebsd.org/showthread.php?t=15260
>
> Best Regards

There is a format problem in the prelude-related source in gvars.h. Lines 31 - 39 need to be joined into a single line without spaces. See attached.

-John Curry
From: John C. <joh...@me...> - 2010-06-23 03:15:45

> Hello,
>
> I try to compile sancp-1.6.2-candidate.C on my bsd box (FreeBSD 8.0) and it's impossible many errors because of the fact
> I need to use it with prelude
>
> You can find details on the freebsd forum : http://forums.freebsd.org/showthread.php?t=15260
>
> Best Regards

Hello Sandy,

Sorry for the delay, I am having problems accessing the maillist admin for sourceforge so I am just emailing you direct and cc'ing the sancp-devel list to get you a quicker response.

As you have determined I do not know how to properly include the output from the command `libprelude-config --cflags` into a variable in the Makefile. Sorry you are having this issue, I see now that I could have just included a script to build the Makefile for prelude support.

For now you can try manually applying the following changes to the Makefile.

1. Run the command libprelude-config [a] and include its output in the Makefile [b].

    [a] libprelude-config --cflags
    [b] PRELUDE-CFLAGS= <include output from libprelude-config here>

2. Also, make certain platform.h contains the following text:

    #define ENABLE_PRELUDE_SUPPORT

3. Now try compiling with 'make bsd' again and let me know what happens.

Thanks,
-John Curry
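Added example, not part of this thread and not sancp's own prelude.setup script: a small POSIX sh script that automates the three manual steps John lists above (capture the libprelude flags, put them in the Makefile, make sure platform.h defines ENABLE_PRELUDE_SUPPORT) and also resolves the linker flags, which is the piece the thread's Makefile never picks up; the undefined `prelude_*` references in the 2010-07-01 message are that symptom. Assumptions: `PRELUDE-LIBS` is an invented Makefile variable (the Makefile discussed here only has `PRELUDE-CFLAGS`), and `libprelude-config` is the real helper that ships with libprelude, with a directory probe as a fallback for systems that lack it.

```shell
#!/bin/sh
# Added example (not sancp's prelude.setup): resolve libprelude compiler AND
# linker flags, write them into the Makefile, enable the preprocessor switch.
# PRELUDE-LIBS is an assumed Makefile variable; the thread's Makefile has only
# PRELUDE-CFLAGS, so its link line would still need $(PRELUDE-LIBS) added.

# Name of the config tool; point it at a bogus path to force the directory probe.
PRELUDE_CONFIG=${PRELUDE_CONFIG:-libprelude-config}

# prelude_flags KIND PREFIX...   KIND is "cflags" or "libs".
# Prints "-I<prefix>/include" or "-L<prefix>/lib -lprelude"; returns 1 if not found.
prelude_flags() {
    kind=$1; shift
    if command -v "$PRELUDE_CONFIG" >/dev/null 2>&1; then
        "$PRELUDE_CONFIG" --"$kind"
        return
    fi
    for prefix in "$@"; do
        case $kind in
        cflags)
            if [ -d "$prefix/include/libprelude" ]; then
                echo "-I$prefix/include"; return 0
            fi ;;
        libs)
            if [ -f "$prefix/lib/libprelude.so" ] || [ -f "$prefix/lib/libprelude.a" ]; then
                echo "-L$prefix/lib -lprelude"; return 0
            fi ;;
        esac
    done
    return 1
}

# write_makefile_var FILE VAR VALUE : replace the "VAR=..." line with "VAR=VALUE".
# awk takes VALUE from the environment, so flags containing ':' or '/' (which
# would break a sed "s:a:b:" expression) are copied verbatim.
write_makefile_var() {
    file=$1 var=$2
    VAL=$3 VAR=$var awk '
        BEGIN { p = ENVIRON["VAR"] "=" }
        index($0, p) == 1 { print p ENVIRON["VAL"]; next }
        { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# enable_define FILE MACRO : append "#define MACRO" exactly once (idempotent).
enable_define() {
    grep -q "^#define $2\$" "$1" 2>/dev/null || echo "#define $2" >> "$1"
}

# setup_prelude_build SRCDIR PREFIX... : the whole procedure from the thread.
#   1. capture cflags and libs   2. put them in the Makefile
#   3. make sure platform.h defines ENABLE_PRELUDE_SUPPORT
# Keeps a pristine copy as Makefile.distro so it can be re-run safely.
setup_prelude_build() {
    src=$1; shift
    cflags=$(prelude_flags cflags "$@") || { echo "libprelude headers not found" >&2; return 1; }
    libs=$(prelude_flags libs "$@")     || { echo "libprelude library not found" >&2; return 1; }
    [ -f "$src/Makefile.distro" ] || cp "$src/Makefile" "$src/Makefile.distro"
    cp "$src/Makefile.distro" "$src/Makefile"
    write_makefile_var "$src/Makefile" PRELUDE-CFLAGS "$cflags"
    write_makefile_var "$src/Makefile" PRELUDE-LIBS "$libs"
    enable_define "$src/platform.h" ENABLE_PRELUDE_SUPPORT
    echo "PRELUDE-CFLAGS=$cflags"
    echo "PRELUDE-LIBS=$libs"
}

# Usage from the sancp source directory, then run the platform target:
#   setup_prelude_build . /usr /usr/local && make bsd
```

The script refuses to rewrite anything when either the headers or the library cannot be found, which is the failure mode the thread keeps hitting: a Makefile that compiles against the headers but has nothing to link against.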
From: John C. <joh...@me...> - 2009-12-18 23:30:30

Usage: sancp -L <pcaplist> -c sancp.conf

where: <pcaplist> is a file which contains an ordered list of pcap files

John Curry wrote:
> This patch adds the ability to process multiple pcap files from a list.
> This applies to sancp-1.6.1-stable only.
>
> cd sancp-1.6.1-stable/
> patch < sancp-1.6.1-stable.pcaplist.patch
>
> -John Curry
From: John C. <joh...@me...> - 2009-12-18 23:23:55

This patch adds the ability to process multiple pcap files from a list. This applies to sancp-1.6.1-stable only.

    cd sancp-1.6.1-stable/
    patch < sancp-1.6.1-stable.pcaplist.patch

-John Curry
From: zsentient <zse...@ms...> - 2008-08-20 06:09:07

John Curry,

Thank you for the quick response. A few questions:

1. I was of the understanding that sancp-1.6.1 did not support Solaris10. Is this correct?

2. I am attempting to compile sancp-1.6.2-candidate.C on Solaris 10. I have verified libpcap.a is installed under /usr/local/lib. I set LIBPCAP variable at the shell (bash), linked libpcap.a to /usr/lib & /lib, added the LIBPCAP line to the Makefile, and executed a "make clean; make solaris" to no avail. Any other suggestions?

-----Original Message-----
From: John Curry [mailto:joh...@me...]
Sent: Tuesday, August 19, 2008 4:58 AM
To: zsentient
Cc: san...@li...
Subject: Re: [Sancp-devel] SANCP not compiling on Solaris 10

Hello zsentient,

The errors indicate that the compiler does not know the location of the libpcap library on your system (i.e. libpcap.a or libpcap-???.so). You will need to edit LFLAGS in the Makefile to include the location of libpcap.

For sancp-1.6.1, add the location to the LFLAGS variable (located near the top of the Makefile.)

    LFLAGS= -L/usr/local/libpcap/lib/libpcap-0.9.8.so
    make solaris

For sancp-1.6.2+, you can change LIBPCAP to point to the proper location.

    LIBPCAP=/usr/lib/libpcap.a

-John Curry

zsentient wrote:
> Any assistance would be appreciated with this error:
>
> root:sensor# uname -a
> SunOS sensor 5.10 Generic_127127-11 sun4u sparc SUNW,Ultra-4
>
> root:sensor# make solaris
> g++ -Wall -O3 -g -ggdb -Wall -fomit-frame-pointer -funroll-loops -DBYTE_ORDER=1234 -DBIG_ENDIAN=1234 -I./ -I/usr/local/include -I/usr/include -L/usr/lib -L/usr/local/lib -c build_acl.cc -o build_acl.o
> build_acl.cc: In function `void parse_default(char*, char*)':
> build_acl.cc:830: warning: unused variable 'reset_alarm'
> g++ -Wall -O3 -g -ggdb -Wall -fomit-frame-pointer -funroll-loops -DBYTE_ORDER=1234 -DBIG_ENDIAN=1234 -I./ -I/usr/local/include -I/usr/include -L/usr/lib -L/usr/local/lib -c misc_functs.cc -o misc_functs.o
> g++ -Wall -O3 -g -ggdb -Wall -fomit-frame-pointer -funroll-loops -DBYTE_ORDER=1234 -DBIG_ENDIAN=1234 -I./ -I/usr/local/include -I/usr/include -L/usr/lib -L/usr/local/lib -c outputFileHandle.cc -o outputFileHandle.o
> g++ -Wall -O3 -g -ggdb -Wall -fomit-frame-pointer -funroll-loops -DBYTE_ORDER=1234 -DBIG_ENDIAN=1234 -I./ -I/usr/local/include -I/usr/include -L/usr/lib -L/usr/local/lib -c apply_rule.cc -o apply_rule.o
> g++ -Wall -O3 -g -ggdb -Wall -fomit-frame-pointer -funroll-loops -DBYTE_ORDER=1234 -DBIG_ENDIAN=1234 -I./ -I/usr/local/include -I/usr/include -L/usr/lib -L/usr/local/lib -c decode.cc -o decode.o
> g++ -Wall -O3 -g -ggdb -Wall -fomit-frame-pointer -funroll-loops -DBYTE_ORDER=1234 -DBIG_ENDIAN=1234 -I./ -I/usr/local/include -I/usr/include -L/usr/lib -L/usr/local/lib -c fileHandle.cc -o fileHandle.o
> g++ -Wall -O3 -g -ggdb -Wall -fomit-frame-pointer -funroll-loops -DBYTE_ORDER=1234 -DBIG_ENDIAN=1234 -I./ -I/usr/local/include -I/usr/include -L/usr/lib -L/usr/local/lib -c MemoryPool.cc -o MemoryPool.o
> g++ -Wall -O3 -g -ggdb -Wall -fomit-frame-pointer -funroll-loops -DBYTE_ORDER=1234 -DBIG_ENDIAN=1234 -I./ -I/usr/local/include -I/usr/include -L/usr/lib -L/usr/local/lib -c pcapFileHandle.cc -o pcapFileHandle.o
> g++ -Wall -O3 -g -ggdb -Wall -fomit-frame-pointer -funroll-loops -DBYTE_ORDER=1234 -DBIG_ENDIAN=1234 -I./ -I/usr/local/include -I/usr/include -L/usr/lib -L/usr/local/lib -c sancp.cc -o sancp.o
> gcc -Wall -O3 -g -ggdb -Wall -fomit-frame-pointer -funroll-loops -DBYTE_ORDER=1234 -DBIG_ENDIAN=1234 -I./ -I/usr/local/include -I/usr/include -L/usr/lib -L/usr/local/lib -c pcap_functions.c -o pcap_functions.o
> g++ -Wall -O3 -g -ggdb -Wall -fomit-frame-pointer -funroll-loops -DBYTE_ORDER=1234 -DBIG_ENDIAN=1234 -I./ -I/usr/local/include -I/usr/include -L/usr/lib -L/usr/local/lib -c permissions.cc -o permissions.o
> g++ -Wall -O3 -g -ggdb -Wall -fomit-frame-pointer -funroll-loops -DBYTE_ORDER=1234 -DBIG_ENDIAN=1234 -I./ -I/usr/local/include -I/usr/include -L/usr/lib -L/usr/local/lib -c check_packet.cc -o check_packet.o
> g++ -Wall -O3 -g -ggdb -Wall -fomit-frame-pointer -funroll-loops -DBYTE_ORDER=1234 -DBIG_ENDIAN=1234 -I./ -I/usr/local/include -I/usr/include -L/usr/lib -L/usr/local/lib -c statefull_logging.cc -o statefull_logging.o
> g++ -Wall -O3 -g -ggdb -Wall -fomit-frame-pointer -funroll-loops -DBYTE_ORDER=1234 -DBIG_ENDIAN=1234 -I./ -I/usr/local/include -I/usr/include -L/usr/lib -L/usr/local/lib -c sancpsignals.cc -o sancpsignals.o
> g++ -Wall -lresolv -lnsl -lpcap -lsocket -O3 -g -ggdb -Wall -fomit-frame-pointer -funroll-loops -DBYTE_ORDER=1234 -DBIG_ENDIAN=1234 -I./ -I/usr/local/include -I/usr/include -L/usr/lib -L/usr/local/lib -o sancp sancp.o sancpsignals.o misc_functs.o check_packet.o statefull_logging.o build_acl.o apply_rule.o decode.o pcap_functions.o pcapFileHandle.o fileHandle.o MemoryPool.o permissions.o outputFileHandle.o
> Undefined                       first referenced
>  symbol                             in file
> pcap_setfilter                      pcap_functions.o
> pcap_open_live                      pcap_functions.o
> pcap_open_offline                   pcap_functions.o
> pcap_geterr                         pcap_functions.o
> pcap_close                          pcap_functions.o
> pcap_dump                           pcapFileHandle.o
> pcap_loop                           pcap_functions.o
> pcap_dump_open                      pcapFileHandle.o
> pcap_dump_close                     pcapFileHandle.o
> pcap_datalink                       sancp.o
> pcap_compile                        pcap_functions.o
> ld: fatal: Symbol referencing errors. No output written to sancp
> collect2: ld returned 1 exit status
> *** Error code 1
> make: Fatal error: Command failed for target `solaris'
From: John C. <joh...@me...> - 2008-08-19 10:58:27
|
Hello zsentient,

The errors indicate that the compiler does not know the location of the libpcap library on your system (i.e. libpcap.a or libpcap-???.so). You will need to edit LFLAGS in the Makefile to include the location of libpcap.

For sancp-1.6.1, add the location to the LFLAGS variable (located near the top of the Makefile.)

LFLAGS= -L/usr/local/libpcap/lib/libpcap-0.9.8.so

make solaris

For sancp-1.6.2+, you can change LIBPCAP to point to the proper location.

LIBPCAP=/usr/lib/libpcap.a

-John Curry

zsentient wrote:
> Any assistance would be appreciated with this error:
>
> root:sensor# *uname -a*
> SunOS sensor 5.10 Generic_127127-11 sun4u sparc SUNW,Ultra-4
>
> root:sensor# *make solaris*
> g++ -Wall -O3 -g -ggdb -Wall -fomit-frame-pointer -funroll-loops -DBYTE_ORDER=1234 -DBIG_ENDIAN=1234 -I./ -I/usr/local/include -I/usr/include -L/usr/lib -L/usr/local/lib -c build_acl.cc -o build_acl.o
> build_acl.cc: In function `void parse_default(char*, char*)':
> build_acl.cc:830: warning: unused variable 'reset_alarm'
> g++ -Wall -O3 -g -ggdb -Wall -fomit-frame-pointer -funroll-loops -DBYTE_ORDER=1234 -DBIG_ENDIAN=1234 -I./ -I/usr/local/include -I/usr/include -L/usr/lib -L/usr/local/lib -c misc_functs.cc -o misc_functs.o
> g++ -Wall -O3 -g -ggdb -Wall -fomit-frame-pointer -funroll-loops -DBYTE_ORDER=1234 -DBIG_ENDIAN=1234 -I./ -I/usr/local/include -I/usr/include -L/usr/lib -L/usr/local/lib -c outputFileHandle.cc -o outputFileHandle.o
> g++ -Wall -O3 -g -ggdb -Wall -fomit-frame-pointer -funroll-loops -DBYTE_ORDER=1234 -DBIG_ENDIAN=1234 -I./ -I/usr/local/include -I/usr/include -L/usr/lib -L/usr/local/lib -c apply_rule.cc -o apply_rule.o
> g++ -Wall -O3 -g -ggdb -Wall -fomit-frame-pointer -funroll-loops -DBYTE_ORDER=1234 -DBIG_ENDIAN=1234 -I./ -I/usr/local/include -I/usr/include -L/usr/lib -L/usr/local/lib -c decode.cc -o decode.o
> g++ -Wall -O3 -g -ggdb -Wall -fomit-frame-pointer -funroll-loops -DBYTE_ORDER=1234 -DBIG_ENDIAN=1234 -I./ -I/usr/local/include -I/usr/include -L/usr/lib -L/usr/local/lib -c fileHandle.cc -o fileHandle.o
> g++ -Wall -O3 -g -ggdb -Wall -fomit-frame-pointer -funroll-loops -DBYTE_ORDER=1234 -DBIG_ENDIAN=1234 -I./ -I/usr/local/include -I/usr/include -L/usr/lib -L/usr/local/lib -c MemoryPool.cc -o MemoryPool.o
> g++ -Wall -O3 -g -ggdb -Wall -fomit-frame-pointer -funroll-loops -DBYTE_ORDER=1234 -DBIG_ENDIAN=1234 -I./ -I/usr/local/include -I/usr/include -L/usr/lib -L/usr/local/lib -c pcapFileHandle.cc -o pcapFileHandle.o
> g++ -Wall -O3 -g -ggdb -Wall -fomit-frame-pointer -funroll-loops -DBYTE_ORDER=1234 -DBIG_ENDIAN=1234 -I./ -I/usr/local/include -I/usr/include -L/usr/lib -L/usr/local/lib -c sancp.cc -o sancp.o
> gcc -Wall -O3 -g -ggdb -Wall -fomit-frame-pointer -funroll-loops -DBYTE_ORDER=1234 -DBIG_ENDIAN=1234 -I./ -I/usr/local/include -I/usr/include -L/usr/lib -L/usr/local/lib -c pcap_functions.c -o pcap_functions.o
> g++ -Wall -O3 -g -ggdb -Wall -fomit-frame-pointer -funroll-loops -DBYTE_ORDER=1234 -DBIG_ENDIAN=1234 -I./ -I/usr/local/include -I/usr/include -L/usr/lib -L/usr/local/lib -c permissions.cc -o permissions.o
> g++ -Wall -O3 -g -ggdb -Wall -fomit-frame-pointer -funroll-loops -DBYTE_ORDER=1234 -DBIG_ENDIAN=1234 -I./ -I/usr/local/include -I/usr/include -L/usr/lib -L/usr/local/lib -c check_packet.cc -o check_packet.o
> g++ -Wall -O3 -g -ggdb -Wall -fomit-frame-pointer -funroll-loops -DBYTE_ORDER=1234 -DBIG_ENDIAN=1234 -I./ -I/usr/local/include -I/usr/include -L/usr/lib -L/usr/local/lib -c statefull_logging.cc -o statefull_logging.o
> g++ -Wall -O3 -g -ggdb -Wall -fomit-frame-pointer -funroll-loops -DBYTE_ORDER=1234 -DBIG_ENDIAN=1234 -I./ -I/usr/local/include -I/usr/include -L/usr/lib -L/usr/local/lib -c sancpsignals.cc -o sancpsignals.o
> g++ -Wall -lresolv -lnsl -lpcap -lsocket -O3 -g -ggdb -Wall -fomit-frame-pointer -funroll-loops -DBYTE_ORDER=1234 -DBIG_ENDIAN=1234 -I./ -I/usr/local/include -I/usr/include -L/usr/lib -L/usr/local/lib -o sancp sancp.o sancpsignals.o misc_functs.o check_packet.o statefull_logging.o build_acl.o apply_rule.o decode.o pcap_functions.o pcapFileHandle.o fileHandle.o MemoryPool.o permissions.o outputFileHandle.o
> Undefined                       first referenced
>  symbol                             in file
> pcap_setfilter                      pcap_functions.o
> pcap_open_live                      pcap_functions.o
> pcap_open_offline                   pcap_functions.o
> pcap_geterr                         pcap_functions.o
> pcap_close                          pcap_functions.o
> pcap_dump                           pcapFileHandle.o
> pcap_loop                           pcap_functions.o
> pcap_dump_open                      pcapFileHandle.o
> pcap_dump_close                     pcapFileHandle.o
> pcap_datalink                       sancp.o
> pcap_compile                        pcap_functions.o
> ld: fatal: Symbol referencing errors. No output written to sancp
> collect2: ld returned 1 exit status
> *** Error code 1
> make: Fatal error: Command failed for target `solaris'
|
From: zsentient <zse...@ms...> - 2008-08-19 07:30:46
|
Any assistance would be appreciated with this error:

root:sensor# uname -a
SunOS sensor 5.10 Generic_127127-11 sun4u sparc SUNW,Ultra-4

root:sensor# make solaris
g++ -Wall -O3 -g -ggdb -Wall -fomit-frame-pointer -funroll-loops -DBYTE_ORDER=1234 -DBIG_ENDIAN=1234 -I./ -I/usr/local/include -I/usr/include -L/usr/lib -L/usr/local/lib -c build_acl.cc -o build_acl.o
build_acl.cc: In function `void parse_default(char*, char*)':
build_acl.cc:830: warning: unused variable 'reset_alarm'
g++ -Wall -O3 -g -ggdb -Wall -fomit-frame-pointer -funroll-loops -DBYTE_ORDER=1234 -DBIG_ENDIAN=1234 -I./ -I/usr/local/include -I/usr/include -L/usr/lib -L/usr/local/lib -c misc_functs.cc -o misc_functs.o
g++ -Wall -O3 -g -ggdb -Wall -fomit-frame-pointer -funroll-loops -DBYTE_ORDER=1234 -DBIG_ENDIAN=1234 -I./ -I/usr/local/include -I/usr/include -L/usr/lib -L/usr/local/lib -c outputFileHandle.cc -o outputFileHandle.o
g++ -Wall -O3 -g -ggdb -Wall -fomit-frame-pointer -funroll-loops -DBYTE_ORDER=1234 -DBIG_ENDIAN=1234 -I./ -I/usr/local/include -I/usr/include -L/usr/lib -L/usr/local/lib -c apply_rule.cc -o apply_rule.o
g++ -Wall -O3 -g -ggdb -Wall -fomit-frame-pointer -funroll-loops -DBYTE_ORDER=1234 -DBIG_ENDIAN=1234 -I./ -I/usr/local/include -I/usr/include -L/usr/lib -L/usr/local/lib -c decode.cc -o decode.o
g++ -Wall -O3 -g -ggdb -Wall -fomit-frame-pointer -funroll-loops -DBYTE_ORDER=1234 -DBIG_ENDIAN=1234 -I./ -I/usr/local/include -I/usr/include -L/usr/lib -L/usr/local/lib -c fileHandle.cc -o fileHandle.o
g++ -Wall -O3 -g -ggdb -Wall -fomit-frame-pointer -funroll-loops -DBYTE_ORDER=1234 -DBIG_ENDIAN=1234 -I./ -I/usr/local/include -I/usr/include -L/usr/lib -L/usr/local/lib -c MemoryPool.cc -o MemoryPool.o
g++ -Wall -O3 -g -ggdb -Wall -fomit-frame-pointer -funroll-loops -DBYTE_ORDER=1234 -DBIG_ENDIAN=1234 -I./ -I/usr/local/include -I/usr/include -L/usr/lib -L/usr/local/lib -c pcapFileHandle.cc -o pcapFileHandle.o
g++ -Wall -O3 -g -ggdb -Wall -fomit-frame-pointer -funroll-loops -DBYTE_ORDER=1234 -DBIG_ENDIAN=1234 -I./ -I/usr/local/include -I/usr/include -L/usr/lib -L/usr/local/lib -c sancp.cc -o sancp.o
gcc -Wall -O3 -g -ggdb -Wall -fomit-frame-pointer -funroll-loops -DBYTE_ORDER=1234 -DBIG_ENDIAN=1234 -I./ -I/usr/local/include -I/usr/include -L/usr/lib -L/usr/local/lib -c pcap_functions.c -o pcap_functions.o
g++ -Wall -O3 -g -ggdb -Wall -fomit-frame-pointer -funroll-loops -DBYTE_ORDER=1234 -DBIG_ENDIAN=1234 -I./ -I/usr/local/include -I/usr/include -L/usr/lib -L/usr/local/lib -c permissions.cc -o permissions.o
g++ -Wall -O3 -g -ggdb -Wall -fomit-frame-pointer -funroll-loops -DBYTE_ORDER=1234 -DBIG_ENDIAN=1234 -I./ -I/usr/local/include -I/usr/include -L/usr/lib -L/usr/local/lib -c check_packet.cc -o check_packet.o
g++ -Wall -O3 -g -ggdb -Wall -fomit-frame-pointer -funroll-loops -DBYTE_ORDER=1234 -DBIG_ENDIAN=1234 -I./ -I/usr/local/include -I/usr/include -L/usr/lib -L/usr/local/lib -c statefull_logging.cc -o statefull_logging.o
g++ -Wall -O3 -g -ggdb -Wall -fomit-frame-pointer -funroll-loops -DBYTE_ORDER=1234 -DBIG_ENDIAN=1234 -I./ -I/usr/local/include -I/usr/include -L/usr/lib -L/usr/local/lib -c sancpsignals.cc -o sancpsignals.o
g++ -Wall -lresolv -lnsl -lpcap -lsocket -O3 -g -ggdb -Wall -fomit-frame-pointer -funroll-loops -DBYTE_ORDER=1234 -DBIG_ENDIAN=1234 -I./ -I/usr/local/include -I/usr/include -L/usr/lib -L/usr/local/lib -o sancp sancp.o sancpsignals.o misc_functs.o check_packet.o statefull_logging.o build_acl.o apply_rule.o decode.o pcap_functions.o pcapFileHandle.o fileHandle.o MemoryPool.o permissions.o outputFileHandle.o
Undefined                       first referenced
 symbol                             in file
pcap_setfilter                      pcap_functions.o
pcap_open_live                      pcap_functions.o
pcap_open_offline                   pcap_functions.o
pcap_geterr                         pcap_functions.o
pcap_close                          pcap_functions.o
pcap_dump                           pcapFileHandle.o
pcap_loop                           pcap_functions.o
pcap_dump_open                      pcapFileHandle.o
pcap_dump_close                     pcapFileHandle.o
pcap_datalink                       sancp.o
pcap_compile                        pcap_functions.o
ld: fatal: Symbol referencing errors. No output written to sancp
collect2: ld returned 1 exit status
*** Error code 1
make: Fatal error: Command failed for target `solaris'
|
From: John C. <joh...@me...> - 2008-04-11 06:10:35
|
Try adding the following to the top of the file fileHandle.cc

#define __USE_LARGEFILE64

Basically, this should allow the appropriate open() function to be called, as defined on your system in stdio.h.

-John

> David J. Bianco wrote:
>> Hi, John. I'm playing around some more with pcap indexing and SANCP.
>> This time, I have implemented a new PCAP system for sguil that uses
>> sancp 1.6.2 C5 to capture and index simultaneously, and then to use the
>> index to retrieve the packets.
>>
>> I had this working ok in my tiny testbed, but when I put it on one of
>> my production sensors, it blew up fairly quickly. It seems SANCP doesn't
>> like when my index file hit 2GB. Here's a bit of the strace output:
>>
>> --------------------------------------------------------------------
>> open("/nsm/snort_data/sensor/dailylogs/2008-04-10/index", O_WRONLY|O_CREAT|O_APPEND, 0666) = 7
>> fstat64(7, {st_mode=S_IFREG|0644, st_size=2147483647, ...}) = 0
>> mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7ff3000
>> fstat64(7, {st_mode=S_IFREG|0644, st_size=2147483647, ...}) = 0
>> _llseek(7, 2147483647, [2147483647], SEEK_SET) = 0
>> write(7, "5187618171926251040", 19) = -1 EFBIG (File too large)
>> --- SIGXFSZ (File size limit exceeded) @ 0 (0) ---
>> +++ killed by SIGXFSZ +++
>> --------------------------------------------------------------------
>>
>> And sure enough, the size of the index file was exactly 2GB.
>>
>> Now, I have other files in that directory that are routinely over 2GB.
>> When snort captures the packets, it often writes snort.log.XXXXXX files
>> that are 2.5GB or more, without any problems. Any idea about what's
>> holding SANCP back?
>>
>> Thanks,
>> David
|
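The 2 GiB stop in David's strace and the build switch John points at, as an added C example that is not SANCP's code: it sets the large-file feature macro before any header and replays the failing write at offset 2^31-1 on a throwaway sparse file. It assumes a Linux/glibc host and a writable /tmp; the 19-byte record is the one from the strace above.

```c
/* Added example (not SANCP's code): the 2 GiB stop in the strace above
 * and the build-time switch that lifts it.
 *
 * On a 32-bit glibc build, a file opened without O_LARGEFILE is capped at
 * 2^31-1 bytes: the first write at or beyond that offset fails with EFBIG
 * and the kernel also raises SIGXFSZ, which is what killed sancp. Defining
 * _FILE_OFFSET_BITS to 64 before the first system header makes off_t
 * 64-bit and maps open()/lseek()/fstat() to their *64 variants (open64()
 * sets O_LARGEFILE for you). It has to precede every #include, hence the
 * advice to put a define at the top of fileHandle.cc. _FILE_OFFSET_BITS is
 * the documented feature macro; __USE_LARGEFILE64 is glibc's internal
 * macro that exposes the explicit open64()/fstat64() names. */
#define _FILE_OFFSET_BITS 64

#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Largest offset a non-LFS 32-bit open() can address: 2^31 - 1. */
#define NON_LFS_LIMIT 2147483647LL

/* 1 when this build can address offsets beyond NON_LFS_LIMIT. */
int lfs_enabled(void)
{
    return sizeof(off_t) >= 8;
}

/* Seek to off and write one record, as the index writer does.
 * Returns bytes written, or -errno on failure. */
long write_record_at(int fd, long long off, const char *rec)
{
    if (lseek(fd, (off_t)off, SEEK_SET) == (off_t)-1)
        return -errno;
    ssize_t n = write(fd, rec, strlen(rec));
    return n < 0 ? -errno : (long)n;
}

/* Replay the failing step on a sparse temporary file: write the same
 * 19-byte record from the strace above at offset 2^31-1. Returns 1 if
 * the write lands and the file grows past the old limit, 0 otherwise.
 * The file is unlinked immediately, so nothing is left behind. */
int probe_past_2gb(void)
{
    char path[] = "/tmp/lfs-probe-XXXXXX";
    struct stat st;
    int fd = mkstemp(path);
    if (fd < 0)
        return 0;
    unlink(path);                  /* the fd keeps the inode alive */

    long n = write_record_at(fd, NON_LFS_LIMIT, "5187618171926251040");
    int ok = n == 19 && fstat(fd, &st) == 0 &&
             (long long)st.st_size == NON_LFS_LIMIT + 19;
    close(fd);
    return ok;
}

int main(void)
{
    printf("off_t is %zu bytes, large files %s\n", sizeof(off_t),
           lfs_enabled() ? "enabled" : "disabled");
    printf("write at 2^31-1: %s\n",
           probe_past_2gb() ? "ok" : "failed (EFBIG on a non-LFS build)");
    return 0;
}
```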
From: John C. <joh...@me...> - 2008-04-11 00:08:34
|
Hello David,

Thanks for the email on this. I'll need to review the code to provide you with an answer and a fix. I have an upcoming release for C6 to include other problems reported with C5, so it looks like I'll need to include a fix for this as well.

Thanks,
-John

David J. Bianco wrote:
> Hi, John. I'm playing around some more with pcap indexing and SANCP.
> This time, I have implemented a new PCAP system for sguil that uses
> sancp 1.6.2 C5 to capture and index simultaneously, and then to use the
> index to retrieve the packets.
>
> I had this working ok in my tiny testbed, but when I put it on one of
> my production sensors, it blew up fairly quickly. It seems SANCP doesn't
> like when my index file hit 2GB. Here's a bit of the strace output:
>
> --------------------------------------------------------------------
> open("/nsm/snort_data/sensor/dailylogs/2008-04-10/index", O_WRONLY|O_CREAT|O_APPEND, 0666) = 7
> fstat64(7, {st_mode=S_IFREG|0644, st_size=2147483647, ...}) = 0
> mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7ff3000
> fstat64(7, {st_mode=S_IFREG|0644, st_size=2147483647, ...}) = 0
> _llseek(7, 2147483647, [2147483647], SEEK_SET) = 0
> write(7, "5187618171926251040", 19) = -1 EFBIG (File too large)
> --- SIGXFSZ (File size limit exceeded) @ 0 (0) ---
> +++ killed by SIGXFSZ +++
> --------------------------------------------------------------------
>
> And sure enough, the size of the index file was exactly 2GB.
>
> Now, I have other files in that directory that are routinely over 2GB.
> When snort captures the packets, it often writes snort.log.XXXXXX files
> that are 2.5GB or more, without any problems. Any idea about what's
> holding SANCP back?
>
> Thanks,
> David
|
From: John C. <joh...@me...> - 2008-01-22 19:42:54
|
Hello Mark Petersen,

Your code should work on 64bit machines, however, I would recommend using 'unsigned long long'. Use of 'unsigned long' on 32bit machines should result in a 32bit data type rather than the desired 64bit data type. This data type is specifically used for defining 64bit counters like connection id, bytes and packet counters.

typedef unsigned long long u_int64_t

-John Curry

Petersen, Mark wrote:
> I'm trying to compile sancp on an amd64 Ubuntu 6.10 box. I get a compile error:
>
> mpetersen@scraper:/usr/local/src/IDS/sancp/sancp-1.6.2-candidate.C.5$ make linux
> make[1]: Entering directory `/usr/local/src/IDS/sancp/sancp-1.6.2-candidate.C.5'
> g++ -Wall -Os -s -I/usr/include/pcap -I/usr/local/include/pcap -I./ -L/usr/lib/libsocket.so -g -L/opt/csw/lib -ggdb -L/usr/local/pcap/lib -c build_acl.cc -o build_acl.o
> fileHandle.h:42: error: conflicting declaration 'typedef long long unsigned int u_int64_t'
> /usr/include/sys/types.h:204: error: 'u_int64_t' has a previous declaration as 'typedef long unsigned int u_int64_t'
> gvars.h:21: error: conflicting declaration 'typedef long long unsigned int u_int64_t'
> /usr/include/sys/types.h:204: error: 'u_int64_t' has a previous declaration as 'typedef long unsigned int u_int64_t'
> build_acl.cc: In function 'void parse_args(int, char**)':
> build_acl.cc:174: warning: format '%llu' expects type 'long long unsigned int', but argument 4 has type 'u_int64_t'
> build_acl.cc:176: warning: format '%llu' expects type 'long long unsigned int', but argument 4 has type 'u_int64_t'
> make[1]: *** [final] Error 1
> make[1]: Leaving directory `/usr/local/src/IDS/sancp/sancp-1.6.2-candidate.C.5'
> make: *** [linux] Error 2
>
> So I grep for the typedef and find:
>
> fileHandle.h:typedef unsigned long long u_int64_t;
> gvars.h:typedef unsigned long long int u_int64_t;
>
> I changed both of these to long unsigned int and it does compile, but I'm not really sure what the ramifications of such a change would be.
>
> mark
|
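The typedef clash Mark hit, as an added C example that is not SANCP's code: it leaves the system's u_int64_t alone, uses <stdint.h>'s uint64_t for the 64-bit counters John describes, and uses PRIu64 for the format string behind the %llu warnings, so neither the type nor the format depends on the word size. The name sancp_counter_t and the helper functions are this example's own.

```c
/* Added example (not SANCP's code): why redefining u_int64_t breaks on
 * amd64 and what to use instead.
 *
 * glibc's <sys/types.h> already defines u_int64_t: as `unsigned long` on
 * 64-bit targets and `unsigned long long` on 32-bit ones. A second typedef
 * with a different underlying type is the "conflicting declaration" error
 * above, and printing it with "%llu" is the format warning. The portable
 * route is <stdint.h> uint64_t for the counter and <inttypes.h> PRIu64 for
 * the format, so neither the type nor the format string depends on the
 * word size. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Connection id / byte / packet counters, 64-bit on every target. */
typedef uint64_t sancp_counter_t;

/* Width in bits of the system's own u_int64_t: 64 on both 32- and 64-bit
 * glibc, which is the point; no local typedef is needed. */
size_t system_u_int64_bits(void)
{
    return sizeof(u_int64_t) * 8;
}

/* 1 when the value survives a round trip through a 32-bit unsigned long
 * (what `unsigned long` is on a 32-bit build), 0 when it would wrap. */
int fits_in_32bit(sancp_counter_t v)
{
    return v <= 0xFFFFFFFFULL;
}

/* Format a counter with the matching macro instead of a hard-coded %llu.
 * Returns the number of characters written, or -1 if buf is too small. */
int format_counter(sancp_counter_t v, char *buf, size_t n)
{
    int len = snprintf(buf, n, "%" PRIu64, v);
    return (len < 0 || (size_t)len >= n) ? -1 : len;
}

/* Format v and compare with the expected decimal text; 1 on a match. */
int counter_matches(sancp_counter_t v, const char *expected)
{
    char buf[32];
    return format_counter(v, buf, sizeof buf) > 0 &&
           strcmp(buf, expected) == 0;
}

int main(void)
{
    /* The 19-character value sancp was writing to its index in the strace
     * quoted earlier on this page; it needs 63 bits, so any 32-bit
     * `unsigned long` would silently truncate it. */
    sancp_counter_t v = 5187618171926251040ULL;
    char buf[32];
    format_counter(v, buf, sizeof buf);
    printf("u_int64_t is %zu bits here\n", system_u_int64_bits());
    printf("%s fits in 32 bits: %s\n", buf, fits_in_32bit(v) ? "yes" : "no");
    return 0;
}
```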
From: Petersen, M. <MPe...@gs...> - 2008-01-22 15:47:40
|
I attempted to e-mail this to john dot curry at metre but it bounced. I'm not on the mailing list, but hopefully this gets through...

-----

I'm trying to compile sancp on an amd64 Ubuntu 6.10 box. I get a compile error:

mpetersen@scraper:/usr/local/src/IDS/sancp/sancp-1.6.2-candidate.C.5$ make linux
make[1]: Entering directory `/usr/local/src/IDS/sancp/sancp-1.6.2-candidate.C.5'
g++ -Wall -Os -s -I/usr/include/pcap -I/usr/local/include/pcap -I./ -L/usr/lib/libsocket.so -g -L/opt/csw/lib -ggdb -L/usr/local/pcap/lib -c build_acl.cc -o build_acl.o
fileHandle.h:42: error: conflicting declaration 'typedef long long unsigned int u_int64_t'
/usr/include/sys/types.h:204: error: 'u_int64_t' has a previous declaration as 'typedef long unsigned int u_int64_t'
gvars.h:21: error: conflicting declaration 'typedef long long unsigned int u_int64_t'
/usr/include/sys/types.h:204: error: 'u_int64_t' has a previous declaration as 'typedef long unsigned int u_int64_t'
build_acl.cc: In function 'void parse_args(int, char**)':
build_acl.cc:174: warning: format '%llu' expects type 'long long unsigned int', but argument 4 has type 'u_int64_t'
build_acl.cc:176: warning: format '%llu' expects type 'long long unsigned int', but argument 4 has type 'u_int64_t'
make[1]: *** [final] Error 1
make[1]: Leaving directory `/usr/local/src/IDS/sancp/sancp-1.6.2-candidate.C.5'
make: *** [linux] Error 2

So I grep for the typedef and find:

fileHandle.h:typedef unsigned long long u_int64_t;
gvars.h:typedef unsigned long long int u_int64_t;

I changed both of these to long unsigned int and it does compile, but I'm not really sure what the ramifications of such a change would be.

mark
|
From: John C. <joh...@me...> - 2007-07-07 07:38:27
|
Greetings all,

SANCP version 1.6.1 has made it one year without any bugs being reported. I've uploaded a new release on sourceforge for sancp-1.6.1-stable to mark this point in development. This version consists primarily of the current 1.6.1 beta code; patches a, b, c and d along with a few minor typographical changes.

http://sancp.sourceforge.net
http://metre.net/sancp.html

Please note version 1.6.2 is the current development branch that contains a number of major code changes:

- add solaris support
- add console output; (e.g. used to print running configuration and ongoing connections)
- add new output fields to include sample of payload data from source or destination for stats and realtime
- add pcap index support; created to support locating packets in large pcap files without parsing. (new output fields: output_filename, start_pos and stop_pos )
- add prelude compile-time support (edit Makefile, uncomment: PRELUDE_SUPPORT and PRELUDE_CFLAGS )
- improve daemon mode to store process id in file name 'sancp.pid'
- improve signal-handling (set flag and return method allows for timely processing of signal requests)
- remove README from binary to docs/ to reduce footprint and code maintenance
- replace typographical references to '80211' with '8021Q'

SANCP 1.6.2 is still in Beta. Its current release candidate is C. Please report bugs to san...@li....

Thank you,
-John
|
From: John C. <joh...@me...> - 2006-09-26 22:47:39
|
Test email |
From: John C. <joh...@me...> - 2006-09-26 21:13:33
|