Matt Jonkman of Emerging Threats asked me to have a look at the existing Snortsam 2.8.0.1 patch as people were continuing to report problems with it. I updated it to compile without compiler warnings, build cleanly with debugging enabled, build cleanly with Snort’s IPv6 support enabled and added a check so it won’t act on alerts in IPv6 packets since the Snortsam framework does not support IPv6. Finally I removed the patch script so it’s provided as a ‘normal’ diff. Here is the patch: http://www.inliniac.net/files/snortsam-2.8.0.1.diff
Here are the instructions for getting your Snort 2.8.0.1 source patched:
Make sure you have a clean Snort 2.8.0.1 tree, then patch it:
cd snort-2.8.0.1
patch -p1 < ../snortsam-2.8.0.1.diff
Next, run ‘autojunk.sh’ to update the build system (you need to have libtoolize, aclocal, autoheader, autoconf and automake installed). After this, configure and build Snort normally:
./configure <your configure options>
make
make install
That's it.
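The patch-and-build steps above as a script, an added example that is not part of the original post or of the patch itself: it checks for the tools autojunk.sh needs before calling it, and dry-runs the diff so an already-patched or locally modified tree is refused rather than half-patched. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the post): the patch-and-build steps above, wrapped
# in the checks a practitioner wants before touching a Snort tree.
set -e

# Print the names among "$@" that are not on PATH; with no arguments, check
# the tools autojunk.sh needs (libtoolize, aclocal, autoheader, autoconf, automake).
missing_tools() {
    [ $# -gt 0 ] || set -- libtoolize aclocal autoheader autoconf automake
    for tool; do
        command -v "$tool" >/dev/null 2>&1 || printf '%s\n' "$tool"
    done
}

# Apply a -p1 diff to a tree only after a dry run applies cleanly.
# -N refuses a diff that is already applied and -f keeps patch from prompting,
# so a modified or already-patched tree is rejected instead of half-patched.
apply_patch() {
    tree="$1"; diff="$2"
    ( cd "$tree" && patch -p1 -s -N -f --dry-run < "$diff" ) || return 1
    ( cd "$tree" && patch -p1 -s -N -f < "$diff" )
}

# The full procedure from the post; any extra arguments go to ./configure.
build_patched_snort() {
    tree="$1"; diff="$2"; shift 2
    missing="$(missing_tools)"
    if [ -n "$missing" ]; then
        echo "install these before running autojunk.sh: $missing" >&2
        return 1
    fi
    apply_patch "$tree" "$diff"
    ( cd "$tree" && ./autojunk.sh && ./configure "$@" && make )
}

# Usage (uncomment and add your configure options):
# build_patched_snort snort-2.8.0.1 ../snortsam-2.8.0.1.diff
```

Run `make install` afterwards as in the post once the build succeeds.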
Thanks to Matt Jonkman of Emerging Threats for paying me to do this and CunningPike for doing the first iterations of the patch!
Hi,
Richard Bejtlich from http://taosecurity.blogspot.com recommended that I ask this question at this blog. I wasn’t sure where the best place was to post my question so I’m asking via the comments:
Do you know of any recent updates about running Snort_inline on a FreeBSD bridge? It’s my understanding that FreeBSD as it currently stands isn’t capable of sending packets to Snort_inline when the machine is configured as a bridge.
Thanks!
Snort_inline on FreeBSD uses IPFW’s divert sockets. The problem is that divert sockets don’t work on a FreeBSD bridge. But I’m not a *BSD expert (or even user) so I could have missed other options or recent changes to FreeBSD.