This document explains in detail how to Install, Run and Build SNORT® V2.8-531A
	on HP OpenVMS.
	You can also find this document at SNORT$COMMON:[DOC]snort_vms_readme.txt



© Copyright 2010 Hewlett-Packard Development Company, L.P.

Snort is a registered trademark of Sourcefire, Inc.

Table of contents:
------------------

  1.0) SNORT® V2.8-531A for HP OpenVMS
      1.1) Pre-requisites to Install SNORT® for OpenVMS
      1.2) Compile time features enabled by Snort®
      1.3) Installing Snort®
      1.4) Uninstalling Snort®

  2.0) Running SNORT® V2.8-531A for HP OpenVMS
      2.1) Running Snort® non-interactive (as a Daemon)
      2.2) Running Snort® interactive
      2.3) Stopping Snort® non-interactive
      2.4) Stopping Snort® interactive
      2.5) Installing and loading registered rules
          2.5.1) Building and loading SO rules
      2.6) Viewing SNORT® alert or log files
      2.7) Logging alerts and messages into Syslog
      2.8) Customizing run time options of snort®
      2.9) Use of Double quotes for uppercase arguments
     2.10) Configure MySQL database logging
     2.11) Running multiple instance of Snort®
     2.12) Loading dynamic libraries
     2.13) Rules vs Memory
     2.14) Limitations/Features not supported
     2.15) Trouble shooting snort®

  3.0) Building Snort® V2.8-531A on HP OpenVMS
      3.1) How to get Snort® sources
      3.2) Prerequisites to build Snort® V2.8-531A on HP OpenVMS
      3.3) Setting up the Snort® on OpenVMS build environment
      3.4) Start building Snort® V2.8-531A on OpenVMS
      3.5) Building Syslog for Snort®
      3.6) Warnings to be ignored during build
      3.7) Unsupported Snort® options on HP OpenVMS
      3.8) Trouble shooting build
      3.9) Source listings and Map files
     3.10) How to test your Snort® build
     3.11) How to create PCSI kit for Snort® on HP OpenVMS
     3.12) Building Snort® in debug mode
     3.13) How to run snort® in debug mode


-----------------------------------------------------------
1.0)		SNORT® V2.8-531A for HP OpenVMS
-----------------------------------------------------------

Snort® is an open source network intrusion detection and prevention system.
The current version of SNORT®, V2.8-531A, for OpenVMS is based on Snort® V2.8.5.3.

For more information on SNORT®, visit: http://www.snort.org/



1.1) Prerequisites to Install SNORT® For OpenVMS:
------------------------------------------------

Operating System/Architecture:
	- HP IA64VMS OPENVMS V8.3-1H1 onwards

Other Products:
	- HP I64VMS SSL V1.4-335
	- HP I64VMS TCPIP V5.6-9ECO5 or later
	- JFP I64VMS MYSQL V4.1-14 or later version of MYSQL051 built with SSL V1.4-335 
				(If MySQL logging is required)
	- JFP I64VMS ZLIB V1.2-3 or later
		
Disk:
	- ODS-5 disk

Prerequisites to build SO_RULES ( Dynamic rules )
	- HP I64VMS PERL V5.8-6 or later 
	- HP I64VMS GNV V2.1-3
	- HP I64VMS C V7.3-18 or later

Snort® for OpenVMS is not supported on any third-party TCP/IP network product such as MultiNet or TCPware
from Process Software Corporation.


For improved performance install the latest TCPIP, Update and CRTL kits.



1.2) Compile time features enabled by Snort®:
--------------------------------------------

The following compile time features are enabled at the time of running configure:
	  i) IPV6
	 ii) Dynamic Plugins 
	iii) Target-based
	 iv) Decoder-preprocessor-rules
	  v) Performance monitor
	 vi) Performance profiling
 	vii) Timestat statistics
       viii) Reload-on-error feature
	 ix) Logging into MySQL database

snort.exe has been built with the following options:

./configure --enable-dependency-tracking --enable-shared  --enable-static \
            --enable-fast-install --disable-libtool-lock  --enable-dynamicplugin  \
            --enable-ipv6  --enable-targetbased  --enable-decoder-preprocessor-rules  \
            --enable-ppm --enable-timestats --enable-perfprofiling --enable-pthread  \
            --enable-ppm-test --enable-reload  --enable-reload-error-restart  \
            --with-mysql --with-mysql-includes=/MYSQL051_ROOT/000000/include  \
            --with-mysql-libraries=/MYSQL051_ROOT/000000/vms  \
            CPPFLAGS=-I/SNORT_ROOT/VMS_SPECIFIC

OpenVMS port of PCRE-7.8 is used to build SNORT® V2.8-531A



1.3) Installing Snort®:
----------------------

   i) Download the kit from:

        http://h71000.www7.hp.com/openvms/products/snort/index.html 

     To download the Snort® pcsi kit from the OpenVMS web site, fill out and 
     submit the "Snort® for OpenVMS registration" form at the above
     URL.

  ii) Copy the self extracting file to the local system.

 iii) Expand the self-extracting file
	$ RUN HP-I64VMS-SNORT-V0208-531A.ZIPEXE

  iv) Perform a "$product install SNORT". Snort® will now be installed 
      at the following locations:

	- SYS$COMMON:[SNORT...]
	  - Will have the Snort® common files

	- SYS$SPECIFIC:[SNORT...]
	  - Initially will have empty directory tree.

	  - The SNORT® node specific files like logs get stored here.
	    The SNORT® configuration files which are present in
	    SYS$COMMON:[SNORT.ETC] can be modified for a specific node
	    (helpful in the case of satellite node cluster) and placed
	    in SYS$SPECIFIC:[SNORT.ETC].

	A SYS$STARTUP:SNORT$LOGICALS.COM will be created during installation.
	The SNORT$LOGICALS.COM will define the following concealed system wide
	logicals:

	 - SNORT$COMMON - Points to SYS$COMMON:[SNORT.]
	 - SNORT$SPECIFIC - Points to SYS$SPECIFIC:[SNORT.]
	
   v) Snort® can be installed into a directory other than the
      default directory by using the "/DESTINATION" qualifier along with
      the "$product install SNORT". In this case too, the SNORT® specific files
      will still be installed at SYS$SPECIFIC:[SNORT...]

      In order to change the path of the Node specific files from
      SYS$SPECIFIC:[SNORT...] to a different location say, DKA100:[SNORT]
      do the following:

	- Create a new directory DKA100:[SNORT]
	- Edit SYS$STARTUP:SNORT$LOGICALS.COM and redefine the
	  SNORT$SPECIFIC to DKA100:[SNORT.].
	  $ define /system/trans=(concealed) snort$specific "DKA100:[SNORT.]"

	- Note: SNORT$SPECIFIC should be defined to the absolute path.
	  Avoid using another logical in the path name.



1.4) Uninstalling Snort®:
------------------------

    Perform a "$Prod remove SNORT" to uninstall Snort®.

Note:

1) Logs and alerts are not deleted during uninstall. You need to manually delete them.

2) A non interactive user "SNORT$USER" account created on the first run of SNORT®
   will be deleted during un-installation.



------------------------------------------------------------
2.0)		Running SNORT® V2.8-531A for HP OpenVMS
------------------------------------------------------------


	The following runtime options of Snort® are supported on HP OpenVMS.

   "-A"         Set alert mode: fast, full, console, test or none  (alert file alerts only)
                 "unsock" enables UNIX socket logging (experimental).
    -b          Log packets in tcpdump format (much faster!)
   "-B" <mask>  Obfuscated IP addresses in alerts and packet dumps using CIDR mask
    -c <rules>  Use Rules File <rules>
   "-C"         Print out payloads with character data only (no hex)
    -d          Dump the Application Layer
    -e          Display the second layer header info
    -f   	Turn off fflush() calls after binary log writes
   "-F" <bpf>   Read BPF filters from file <bpf>
   "-G" <0xid>  Log Identifier (to uniquely id events for multiple snorts)
    -h <hn>     Home network = <hn>
   "-H"         Make hash tables deterministic.
   "-I"         Add Interface name to alert output
    -k <mode>   Checksum mode (all,noip,notcp,noudp,noicmp,none)
   "-K" <mode>  Logging mode (pcap[default],ascii,none)
    -l <ld>     Log to directory <ld>
   "-M"         Log messages to syslog (not alerts)
    -n <cnt>    Exit after receiving <cnt> packets
   "-N"         Turn off logging (alerts still work)
   "-O"         Obfuscate the logged IP addresses
    -p          Disable promiscuous mode sniffing
   "-P" <snap>  Set explicit snaplen of packet (default: 1514)
    -q          Quiet. Don't show banner and status report
    -r <tf>     Read and process tcpdump file <tf>
   "-R" <id>    Include 'id' in snort_intf<id>.pid file name
    -s          Log alert messages to syslog
   "-S" <"n"="v">   Set rules file variable n equal to value v
   "-T"         Test and report on the current Snort configuration
   "-U"         Use UTC for timestamps
    -v          Be verbose
   "-V"         Show version number
   "-X"         Dump the raw packet data starting at the link layer
    -x          Exit if Snort configuration problems occur
    -y          Include year in timestamp in the alert and log files
   "-Z" <file>  Set the performonitor preprocessor file path and name
    -?          Show this information
<Filter Options> are standard BPF options, as seen in TCPDump
Longname options and their corresponding single char version
   --logid <0xid>                  Same as "-G"
   --perfmon-file <file>           Same as "-Z"
   --pid-path <dir>                Specify the directory for the Snort PID file
   --snaplen <snap>                Same as "-P"
   --help                          Same as -?
   --version                       Same as "-V"
   --alert-before-pass             Process alert, drop, sdrop, or reject before 
				        pass, default is pass before alert, drop,...
   --treat-drop-as-alert           Converts drop, sdrop, and reject rules 
					into alert rules during startup
   --process-all-events            Process all queued events (drop, alert,...), 
    	                              	default stops after 1st action group
   --dynamic-engine-lib <file>     Load a dynamic detection engine
   --dynamic-engine-lib-dir <path> Load all dynamic engines from directory
   --dynamic-detection-lib <file>  Load a dynamic rules library
   --dynamic-detection-lib-dir <path> Load all dynamic rules libraries from directory
   --dump-dynamic-rules <path>     Creates stub rule files of all loaded rules libraries
   --dynamic-preprocessor-lib <file>  Load a dynamic preprocessor library
   --dynamic-preprocessor-lib-dir <path> Load all dynamic preprocessor libraries 
					     from directory
   --create-pidfile                Create PID file, even when not in Daemon mode
   --nolock-pidfile                Do not try to lock Snort PID file
   --disable-attribute-reload-thread Do not create a thread to reload the attribute table
   --pcap-single <tf>              Same as -r.
   --pcap-file <file>              file that contains a list of pcaps to read - read mode
					is implied.
   --pcap-list "<list>"            a space separated list of pcaps to read - read mode
					is implied.
   --pcap-dir <dir>                a directory to recurse to look for pcaps - read mode
					is implied.
   --pcap-filter <filter>          filter to apply when getting pcaps from 
                                   file or directory.
   --pcap-no-filter                reset to use no filter when getting pcaps
                                   from file or directory.
   --pcap-loop <count>             this option will read the pcaps specified on 
		 			command line continuously for <count> times.  
                                    	A value of 0 will read until Snort is terminated.
   --pcap-reset                    if reading multiple pcaps, reset snort to 
                                    	post-configuration state before reading next pcap.
   --pcap-show                     print a line saying what pcap is currently being read.
   --exit-check <count>            Signal termination after <count> callbacks 
				   	from pcap_dispatch(), showing the time it
                                    	takes from signaling until pcap_close() is called.
   --conf-error-out                Same as -x
   --require-rule-sid              Require that all snort rules have SID specified.



2.1) Running Snort® non-interactive(as a Daemon)
-----------------------------------------------

To run Snort® you need to log in as the "SYSTEM" user or any privileged account having
 (IMPERSONATE,SYSNAM,SYSPRV,SETPRV,CMKRNL) privileges.

  i) Define system wide logical for LIBZ_SHR32, run
	$@sys$common:[libz]startup.com

     Note: You can run this as a part of your OpenVMS
     system startup procedure: sys$manager:SYSTARTUP_VMS.COM

 ii) Run the SYS$STARTUP:SNORT$LOGICALS.COM to define the
     Snort® logicals.

     $ @SYS$STARTUP:SNORT$LOGICALS.COM

     Note: You can run this as a part of your OpenVMS
     system startup procedure: sys$manager:SYSTARTUP_VMS.COM

iii) Edit snort$common:[000000.etc]snort.conf for any snort® configuration changes if required.
     Refer to the Snort® user manual for information on customizing snort.conf
     
 iv) To customize your Snort® runtime options, please refer to the section
     "Customizing run time options of snort®"

  v) Start up the Snort® process with the command below:

     $ @snort$common:[com]SNORT$STARTUP.COM

This creates a detached Snort® process named SNORT_1. 
Logs of the Snort® process are written into SNORT$SPECIFIC:[VAR.LOG.SNORT]snort_run.log

Note:

1) Snort® will create a non interactive user "SNORT$USER" with UIC [371,371] the first time it is run. 
   If a user with UIC [371,371] already exists, SNORT$USER is created with the next available member number. 
   The SNORT_1 process will run under this user account.

2) You may want to review the security settings for this user account and adjust them for your needs.

3) The un-installation of SNORT® will remove this user account.



2.2) Running Snort® interactive
------------------------------

   You can also run snort® directly at the DCL prompt. However, care should be taken to ensure
that the correct directory paths are used on the command line as well as in /etc/snort.conf. 

In case of any errors in defining the correct directory path, you may encounter the 
following error messages:
   ERROR: Unable to open rules file "../etc/../rules/local.rules": no such file or directory.
   Fatal Error, Quitting..

To run Snort® you need to log in as the "SYSTEM" user or any privileged account having
 (IMPERSONATE,SYSNAM,SYSPRV,SETPRV,CMKRNL) privileges.

Define system wide logical for LIBZ_SHR32, run
	$@sys$common:[libz]startup.com

Follow the instructions provided below to run Snort® on DCL:

      i) $@SYS$COMMON:[SYS$STARTUP]SNORT$LOGICALS.COM
     ii) $@SNORT$COMMON:[COM]SNORT$CMDLINE.COM
    iii) $set def SNORT$COMMON:[BIN]
     iv) Define symbol for snort.exe as:
		$snort :== "$SNORT$COMMON:[BIN]snort.exe"
      v) Run snort
		Ex: a) $snort -"V"
				-- To display the version number
		    b) $snort -c /snort$common/etc/snort.conf 
				-- To use snort.conf configuration

Note: Refer to the section "Use of Double quotes for uppercase arguments" for passing upper case arguments. 

Alternately, if you have GNV installed on your system, you can run Snort® on GNV bash:

Execute the following to run Snort® on bash:

	$@SYS$STARTUP:GNV$STARTUP.COM
	$@GNU:[LIB]GNV_SETUP.COM
	$@SYS$COMMON:[SYS$STARTUP]SNORT$LOGICALS.COM
	$@SNORT$COMMON:[COM]SNORT$CMDLINE.COM
	$set def SNORT$COMMON:[BIN]
	$bash
	bash$ export GNV_DISABLE_DCL_FALLBACK=1
	bash$ snort <Options>

		Ex: a) bash$ snort -V
				-- To display the version number
		    b) bash$ snort -c /snort$common/etc/snort.conf 
				-- To use snort.conf configuration

	Running Snort® on bash is similar to running it on any other operating system, say Linux.

Note:

  i) Some of the Snort® runtime arguments are not supported on HP OpenVMS.
     Please refer to the section "Running SNORT® V2.8-531A for HP OpenVMS" for the list of 
     supported runtime options.

 ii) Snort® retains case on gnv bash. There is no need to use double quotes for 
     uppercase arguments.

iii) Snort® requires a Unix style Posix root directory to be defined.

	On OpenVMS root is identified by the logical SYS$POSIX_ROOT.
	
     On running the GNV startup procedure SYS$STARTUP:GNV$STARTUP.COM a system wide 
     SYS$POSIX_ROOT logical is usually created as:
		"SYS$POSIX_ROOT" = sys$sysdevice:[PSX$ROOT.]

     The SNORT$CMDLINE.COM procedure above defines a process wide logical
     SYS$POSIX_ROOT pointing to the Snort® directories.

     Please logout of the terminal session (in which you invoke bash)
     in order to clear this logical.



2.3) Stopping Snort® non-Interactive
-----------------------------------

 i) Only one instance of Snort® running on the system 
	$ @snort$common:[com]SNORT$SHUTDOWN.COM
	Stopping SNORT process SNORT_1

ii) Particular Snort® process
	When running multiple instances of Snort®, multiple Snort® processes
     are created with process name SNORT_1, SNORT_2, SNORT_3 etc.
	
     To stop a particular instance of Snort® provide its process name
     as argument to the shutdown procedure as follows
	 $@snort$common:[com]SNORT$SHUTDOWN.COM SNORT_3
	 Stopping SNORT® process SNORT_3

     If a process named "SNORT_3" is not running, then the following message
     is displayed:
	SNORT_3 is not running



2.4) Stopping Snort® interactive
-------------------------------

To stop Snort® running interactively on your screen, press Ctrl+C.

 

2.5) Installing and loading registered rules:
---------------------------------------------

SNORT® rulesets are downloadable from www.snort.org; some rulesets require a subscription to download.

    To load the rulesets follow the steps: 

   i) Back up your snort® configuration file (snort.conf) before downloading the new rules.
	$copy SNORT$COMMON:[ETC]SNORT.CONF SNORT$COMMON:[ETC]SNORT.CONF_BCKUP

  ii) $set def snort$common:[000000]

 iii) Download the rule .tar.gz on your local system

  iv) Untar the rules using gunzip and tar into snort$common:[000000].

   v) Upon untarring, the rules are copied into:
      SNORT$COMMON:[ETC], SNORT$COMMON:[RULES], SNORT$COMMON:[SO_RULES], SNORT$COMMON:[DOC] etc. 

  vi) Check for the "include $RULE_PATH/..." statements in the new SNORT$COMMON:[ETC]snort.conf. 
      In case there are any additional rules to be included add them into the
      SNORT$COMMON:[ETC]SNORT.CONF_BCKUP

 vii) Copy the SNORT.CONF_BCKUP to SNORT.CONF
		$copy SNORT$COMMON:[ETC]SNORT.CONF_BCKUP; SNORT$COMMON:[ETC]SNORT.CONF;

viii) Refer to the section "Building and loading SO rules" to build dynamic rules.

  ix) Test your configuration using "-T" runtime option
		$snort "-T" -c /etc/snort.conf
	For information on how to modify Snort® runtime options refer to the section 
            "Customizing run time options of snort®"

Note: Snort® process needs to be restarted for the new rules to be loaded.
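
A check for step vi, as an added example that is not part of the original readme or the Snort kit: it lists the "include $RULE_PATH/..." lines that are active in the newly extracted snort.conf but not in the backup, and separates rule files the backup had deliberately commented out from ones it never mentions. It assumes a POSIX shell with sed, sort, comm and mktemp (for example on a host holding copies of both files); the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: review "include $RULE_PATH/..." differences between a newly
# extracted snort.conf and the backup taken in step i.
LC_ALL=C; export LC_ALL        # same collation for sort and comm

# Print rule files named by ACTIVE (uncommented) include lines, sorted.
# Only $RULE_PATH includes are considered; trailing comments and CRs are dropped.
active_includes() {
    sed -n 's|^[[:space:]]*include[[:space:]][[:space:]]*\(\$RULE_PATH/[^[:space:]#]*\).*$|\1|p' "$1" | sort -u
}

# Print rule files named by COMMENTED-OUT include lines, sorted.
commented_includes() {
    sed -n 's|^[[:space:]]*#[#[:space:]]*include[[:space:]][[:space:]]*\(\$RULE_PATH/[^[:space:]#]*\).*$|\1|p' "$1" | sort -u
}

# review_includes <new snort.conf> <backup snort.conf>
#   DISABLED <file>  active in the new conf, commented out in the backup
#                    (a local decision; review before re-enabling)
#   ADD <file>       active in the new conf, not mentioned in the backup
review_includes() {
    work=$(mktemp -d) || return 1
    active_includes "$1"    > "$work/new"
    active_includes "$2"    > "$work/old"
    commented_includes "$2" > "$work/off"
    comm -23 "$work/new" "$work/old" > "$work/cand"   # new conf only
    comm -12 "$work/cand" "$work/off" | sed 's/^/DISABLED /'
    comm -23 "$work/cand" "$work/off" | sed 's/^/ADD /'
    rm -rf "$work"
}

# Constructed sample input: a new snort.conf and an older, locally tuned backup.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/snort.conf" <<'EOF'
var RULE_PATH ../rules
include $RULE_PATH/local.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/web-iis.rules   # trailing comment
include $RULE_PATH/specific-threats.rules
# include $RULE_PATH/chat.rules
EOF
    cat > "$d/snort.conf_bckup" <<'EOF'
var RULE_PATH ../rules
include $RULE_PATH/local.rules
#include $RULE_PATH/dos.rules
include $RULE_PATH/web-iis.rules
EOF
    review_includes "$d/snort.conf" "$d/snort.conf_bckup"
    rm -rf "$d"
}

demo
```

Lines reported as ADD are the candidates to copy into SNORT.CONF_BCKUP before step vii; lines reported as DISABLED were switched off locally and stay off unless you decide otherwise.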



2.5.1) Building and loading SO rules:
-------------------------------------

Some SNORT® rules are provided in binary format (files with a ".so" extension).
These binary files can be dynamically loaded on a Unix based system by Snort®.

On OpenVMS, if you need these rules as well, you need to generate the shareable images (*_SHR.EXE) by compiling the sources
provided for these shareable images.

Prerequisites to build SO_RULES (Dynamic rules)
	- HP I64VMS PERL V5.8-6 or later 
	- HP I64VMS GNV V2.1-3
	- HP I64VMS C V7.3-18 or later

You can build dynamic rule libraries from the sources present in [.SO_RULES.SRC] by following these steps:

   i) To build SO_RULES sources we require header files present in the Snort® sources.
      Refer to the section "How to get Snort® sources" to copy the source files.

  ii) Define the SNORT_ROOT logical by executing the following command procedure 
      present in the snort® sources
	disk:[.snort_builds.SNORT-V0208-531.com]snort$build_setup.com
		where "disk" is the device name where the snort® sources are extracted.

 iii) Setup the PERL environment
	a) define the PERL logicals to point the perl directory 
	Ex: 
	$define  perl_root SYS$SYSDEVICE:[VMS$COMMON.PERL5_8_6.]
	$define PERLSHR SYS$SYSDEVICE:[SYS0.SYSCOMMON.PERL5_8_6]PERLSHR.EXE

	b) Copy the perl.exe to GNU:[BIN]
	Ex: 
	$Copy SYS$SYSDEVICE:[SYS0.SYSCOMMON.PERL5_8_6]PERL.EXE;1 gnu:[bin]/lo

  iv) Untar the ruleset referring to the section "Installing and loading registered rules"
      The sources for dynamic rules are located at snort$common:[so_rules.src]. 
      Set the default directory as below,
	
      $set def snort$common:[so_rules.src]

   v) For the make utility to run successfully, the following dummy files need to be created in SNORT$COMMON:[so_rules.src].
	
	$create multimedia_dummy.c
	#include <stdio.h>
	static void dummy_rule_to_compile()
	{
	}
	press ctrl+z to save the file

	$copy multimedia_dummy.c sql_dummy.c 
	$copy multimedia_dummy.c web-activex_dummy.c
	$copy multimedia_dummy.c web-iis_dummy.c
	$copy multimedia_dummy.c icmp_dummy.c

  vi) Edit SNORT$COMMON:[so_rules.src]_meta.h to include sf_engine_apis.c
      Add the below code at the start of the file,
	#ifndef SF_ENGINE_APIS_VMS_
	#define SF_ENGINE_APIS_VMS_
	#include "sf_engine_apis.c"
	#endif /* SF_ENGINE_APIS_VMS_  */


 vii) Copy the VMS specific files required to build dynamic rules into 
    	SNORT$COMMON:[SO_RULES.SRC]


	$copy SNORT$COMMON:[SO_RULES]sf_engine_apis.c; SNORT$COMMON:[SO_RULES.SRC]sf_engine_apis.c;
	$copy SNORT$COMMON:[SO_RULES]prebld_sorule.com; SNORT$COMMON:[SO_RULES.SRC]prebld_sorule.com;
	$copy SNORT$COMMON:[SO_RULES]makefile.; SNORT$COMMON:[SO_RULES.SRC]makefile.;

viii) Modify [.so_rules.src]netbios_writex.c to comment out the inclusion of the header stdint.h.
      The difference is as follows.

	OPNBAR$ diff netbios_writex.c;2
	************
	File SNORT$COMMON:[000000.so_rules.src]netbios_writex.c;2
	   32   /* #include <stdint.h> */
	   33   #include <stdlib.h>
	******
	File SNORT$COMMON:[000000.so_rules.src]netbios_writex.c;1
	   32   #include <stdint.h>
	   33   #include <stdlib.h>
	************

	Number of difference sections found: 1
	Number of difference records found: 1

	DIFFERENCES /MERGED=1-
 	   SNORT$COMMON:[000000.so_rules.src]netbios_writex.c;2-
 	   SNORT$COMMON:[000000.so_rules.src]netbios_writex.c;1

  ix) Run the pre build command procedure.
	$@SNORT$COMMON:[SO_RULES.SRC]prebld_sorule.com
    	This procedure compiles all the *_*.c source files.

   x) Set up GNV
	$@SYS$STARTUP:GNV$STARTUP.COM
	$@GNU:[LIB]GNV_SETUP.COM

  xi) Redefine the SYS$POSIX_ROOT logical
	$@SNORT$COMMON:[COM]SNORT$CMDLINE.COM

 xii) Run make to build *_shr.exe dynamic rule libraries and also create the .RULES
	$set def SNORT$COMMON:[SO_RULES.SRC]
	$bash
	bash$ export GNV_DISABLE_DCL_FALLBACK=1
	bash$ make
	bash$

xiii) Copy the dynamic rules into snort$common:[lib.snort_dynamicrules] 
	$copy snort$common:[000000.so_rules.src]*shr.exe; snort$common:[LIB.snort_dynamicrules]/lo

Note:

1) These rules WILL NOT WORK if the option "--enable-ipv6" has been used in the 
      configure arguments for your Snort® installation. Refer to the Readme provided 
      in the ruleset for more information.
      This would have been extracted to SNORT$COMMON:[SO_RULES.SRC]README.;
      when the ruleset tar file is extracted.

	By default, the SNORT.EXE shipped is built with "--enable-ipv6".
      You need to rebuild Snort® without the "--enable-ipv6" configure argument for these 
      SO_RULES to work. Refer to the section "Building Snort® V2.8-531A on HP OpenVMS"
      to build Snort®.
	
2) Changes may be required for building subsequent versions of rulesets.
   


2.6) Viewing SNORT® alert or log files
-------------------------------------

Log/alert files are created by default at SNORT$SPECIFIC:[000000.VAR.LOG.SNORT]
The naming conventions of the files are as follows:
	Alert file --> alert.;1
	Log file   --> SNORT.LOG.XXXXXXXXXX;1
	               where XXXXXXXXXX is the Unix-style time stamp.
Note: To access the file SNORT.LOG.XXXXXXXXXX set the following process attribute
	$ set process/parser=extended

You can override the default logging directory by using the -l <logdir> runtime option.



2.7) Logging alerts and messages into Syslog:
---------------------------------------------

This port of SNORT® for OpenVMS includes a wrapper over SYSLOG to allow logging of 
all SNORT® messages into a local file. Other features of Syslog are not supported.

SNORT® logs alerts and messages of all severities (error, informational, fatal and critical) 
to a single file: 
	snort$specific:[var.log.snort]syslog.log

Remote logging and other syslog features are not supported.
	
	

2.8) Customizing run time options of snort®:
-------------------------------------------

The default after installation is to run Snort® in Sniffer mode. 
To run Snort® in a different mode do the following:

Edit SNORT$COMMON:[COM]RUN_SNORT.COM to add/modify the Snort® runtime arguments
	Ex: a) If you wish to read from a tcpdump log file, say snort.log.1234567, use
			$snort -dv -r /snort$specific/var/log/snort/snort.log.1234567
	    b) If you wish to test your configuration, use:
			$snort "-T" -c /etc/snort.conf
			
Refer to SNORT$COMMON:[COM]RUN_SNORT.COM for more examples.

Refer to "Use of Double quotes for uppercase arguments" for passing upper case arguments.

For information on configuring snort.conf refer to the Snort® user manual.

Note: Ensure that only ONE Snort® command is active and the rest are commented out.



2.9) Use of Double quotes for uppercase arguments
--------------------------------------------------
 
	To retain the case of arguments passed to Snort® we need to use double quotes
      as shown in the following example. 
	 Ex : snort "-V" 
		or
	      snort -"V"
	For a complete list of arguments to be used with double quotes refer to the Snort® online help (snort --help)



2.10) Configure MySQL database logging:
---------------------------------------

   i) Install JFP I64VMS MySQL
	MySQL for OpenVMS can be downloaded from http://www.vmsmysql.org/
	ZLIB is available at http://www.pi-net.dyndns.org/anonymous/kits/ia64/
	
     Note: If your version of MySQL is not built with the latest SSL release V1.4-335,
	   you would be unable to start MySQL. 
	   In that case you may use an older version of MySQL V4.1-14. 
	   MySQL V4.1-14 is built using static SSL libraries.
	
  ii) Follow the instructions provided in MySQL readme to configure and run MySQL 
      on your system.

 iii) Create the SNORT® database: 

	$ mysql mysql -u root -p
	Enter password:
	Welcome to the MySQL monitor.  Commands end with ; or \g.
	Your MySQL connection id is 20 to server version: 4.1.14-log

	Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

	mysql> CREATE DATABASE snort;
	Query OK, 1 row affected (0.17 sec)

  iv) Add localhost and remote entries for SNORTUSR in the USER table.
      The following MySQL statements grant the necessary privileges to SNORTUSR:

	mysql> grant create, insert, select, delete, update on snort.* to snortusr@localhost;
	mysql> grant create, insert, select, delete, update on snort.* to snortusr@'%';


   v) Confirm that the snortusr entries have been inserted into the table:

	mysql> select user , host from user where User='snortusr';
	+----------+-----------+
	| user     | host      |
	+----------+-----------+
	| snortusr | %         |
	| snortusr | localhost |
	+----------+-----------+
	2 rows in set (0.00 sec)


  vi) Update the password for SNORTUSR

 	mysql> update user set Password=PASSWORD('mypassword') where User='snortusr'; 
	mysql> flush privileges;

 vii) Select the SNORT® database

	mysql> use snort
	Database changed

viii) Execute the MySQL script snort$common:[schemas]CREATE_MYSQL.; to create all the 
      Snort® tables.
 
	mysql> source snort$common:[schemas]CREATE_MYSQL
        mysql> exit

  ix) Verify that your password and/or host changes took effect 
      by logging into the database using the following command
 
	$mysql -"D" snort -u snortusr -p
	    Enter password:
            Welcome to the MySQL monitor.  Commands end with ; or \g.
	    Your MySQL connection id is 21 to server version: 4.1.14-log
            Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
	    mysql>

Configure one of the following options in SNORT.CONF to activate logging into MySQL.

   a) For logging to a Local host, use 
	 output database: log, mysql, user=snortusr password=<YourPassword> dbname=snort host=localhost
	
   b) For logging to a Remote host, use 
	 output database: log, mysql, user=snortusr password=<YourPassword> dbname=snort host=<ipv4 addr>
	
You may want to limit the access to snort.conf to only specific users. Ensure that the "SNORT$USER" account 
has RE access to snort.conf.



2.11) Running multiple instance of Snort®:
-----------------------------------------

  i) Run the startup procedure
	$ @SNORT$COMMON:[COM]SNORT$STARTUP.COM
	       creates the 1st snort� process SNORT_1

 ii) Edit SNORT$COMMON:[COM]RUN_SNORT.COM to add/modify the Snort® runtime arguments with
     which you wish to run another instance of Snort®
	Ex: a) If you wish to read from a tcpdump log file, say snort.log.1234567, use
		$snort -dv -r /snort$specific/var/log/snort/snort.log.1234567
	    b) If you wish to sniff another interface modify 
		$snort -v -i <interface2 name>
		At this point of time, due to the limitation in the OpenVMS port of libpcap,
		changing the interface DOES NOT work. 
		By default Snort® would listen on all the configured interfaces of the system. 
		Please refer to the section "Limitations/Features not supported" for more details.


For more examples on Snort® runtime arguments refer to the section "Customizing run time options of snort®"

Note: Ensure that only one Snort® command is active and the rest are commented out.

iii) Run the startup procedure again
		$ @SNORT$COMMON:[COM]SNORT$STARTUP.COM
		       creates a 2nd snort process SNORT_2

Repeat Steps ii) and iii) for running more instances of Snort®.

Refer to the section "Stopping Snort® non-interactive" on how to stop a particular Snort® process.



2.12) Loading dynamic libraries:
--------------------------------

	Dynamic libraries are installed in SNORT$COMMON:[LIB] and named as *_shr.exe

To load a dynamic library use the following in the SNORT.CONF file
	dynamicengine /lib/snort_dynamicengine/libsf_engine_shr.exe
	dynamicpreprocessor file <filename>
	  Ex: dynamicpreprocessor file /lib/snort_dynamicpreprocessor/libsf_dce2_preproc_shr.exe

You can also load all the libraries in a directory using the following:
	dynamicdetection directory <dirpath>
	  Ex: dynamicdetection directory /so_rules/src  

Alternately the following runtime options can be used to load dynamic libraries
   --dynamic-engine-lib <file>     
   --dynamic-engine-lib-dir <path> 
   --dynamic-detection-lib <file>  
   --dynamic-detection-lib-dir <path> 
   --dynamic-preprocessor-lib <file>  
   --dynamic-preprocessor-lib-dir <path> 



2.13) Rules vs Memory
---------------------
  
	The memory used by the Snort® process is directly correlated to the number of rules loaded.
 We have performed tests with different numbers of rules and the results are as follows:
  a) With 242 rules loaded,
	total memory used by Snort® process is 8448 pages

  b) With 2912 rules loaded,
	total memory used by Snort® process is 15017 pages
 
  c) With 5744 rules loaded,
	total memory used by Snort® process is 37697 pages

To allow scalability for newer rules provided by www.snort.org in the future,
the PAGE_FILE for the Snort® process is set to a sufficiently high value of 1500000 by default.
However, you can allocate more memory to your Snort® process by modifying the /PAGE_FILE field 
in the following command in SNORT$COMMON:[000000.COM]SNORT$STARTUP.COM   

$ run/ detach sys$system:loginout.exe/uic=[snort$user] /process_name="''procname'" -
/output=snort$specific:[000000.var.log.snort]snort_run.log -
/err=snort$specific:[000000.var.log.snort]snort_run_err.log -
/PAGE_FILE=1500000 -
/input=snort$common:[com]run_snort.com 
	


2.14) Limitations/Features not supported:
-----------------------------------------

   i) Listening on a particular interface -i <interfacename>

      Due to a limitation in the OpenVMS port of libpcap, providing a specific interface to listen on DOES NOT work.
      Hence -i option to listen on a particular interface is not supported.
      By default Snort® listens on all the configured interfaces on the system.

  ii) Daemon "-D"
	"-D" option of running Snort® as a daemon is not supported.
      However refer to the section "Running Snort® non-interactive (as a Daemon)" to know 
       more about running Snort® in Daemon mode

 iii) Inline 
	Snort® Inline obtains packets from iptables instead of libpcap
      and then uses new rule types to help iptables pass or drop packets
      based on Snort® rules. 
      As there is no support for iptables on OpenVMS, inline mode is 
      disabled on OpenVMS SNORT®.

      Following related options are ignored
	 -Q 
	 --disable-inline-initialization 
	React and flexresponse features are also not supported for the same reason.

  iv) MPLS 
	Multicast protocol layer support is disabled as OpenVMS TCPIP does not support MPLS.
      Options ignored are:
    --enable-mpls-multicast
    --enable-mpls-overlapping-ip
    --max-mpls-labelchain-len

   v) UIC/GID of the Snort® process (-g, -u)
	Snort® by default runs under the user SNORT$USER. You can however run Snort® with a
      different user by modifying SNORT$COMMON:[COM]SNORT$STARTUP.COM 

      To run Snort® with a different user modify /uic=[snort$user] in the following command
      in the startup procedure SNORT$COMMON:[COM]SNORT$STARTUP.COM 
		$ run/ detach sys$system:loginout.exe/uic=[snort$user] /process_name="''procname'" -
			/output=snort$specific:[000000.var.log.snort]snort_run.log -
			/err=snort$specific:[000000.var.log.snort]snort_run_err.log -
			/PAGE_FILE=1500000 -
			/input=snort$common:[com]run_snort.com

  vi) ODBC, Postgresql, Pgsql, Oracle database logging
	Snort® V2.8-531A is built with only enable-MySQL and provides logging into MySQL database.
      Snort® is not built to enable ODBC, Postgresql, Pgsql or Oracle logging.
	
 vii) Aruba Output plug-ins  
	Snort® V2.8-531A is not built to support Aruba output plug-in.

viii) Prelude
	Prelude is not ported on OpenVMS. Prelude logging is not enabled on Snort® V2.8-531A.  


The following runtime options of Snort® are unsupported and not recommended to be used.

	-L  --> logging into different tcpdump file is not supported on OpenVMS. By default log files
              are named as SNORT.LOG.XXXXXXXXXX;1
	-m  --> By default OpenVMS creates log files with following protection
		System:RWED, Owner:RWED, Group:RE, World:
	-t  --> By default the root is defined by the process-wide logical SYS$POSIX_ROOT.
			$  sh log SYS$POSIX_ROOT
			(LNM$PROCESS_TABLE)
			  "SYS$POSIX_ROOT" = "Disk:[SYS0.SNORT.]"
 			       = "Disk:[SYS0.SYSCOMMON.SNORT.]"
			Where "Disk" is the diskname



2.15) Trouble shooting snort®
----------------------------

1) When I run Snort® I get the following error

    i) LIBZ_SHR32 error
	%DCL-W-ACTIMAGE, error activating image LIBZ_SHR32
	-CLI-E-IMAGEFNF, image file not found OPNBAR$DKA0:[SYS0.SYSCOMMON.][SYSLIB]LIBZ_SHR32.EXE;

	 Cause : Logical for LIBZ_SHR32 shareable is not defined
	 Solution : Run the following to define the system-wide logical for LIBZ_SHR32
			$@sys$common:[libz]startup.com


   ii) PCRE_SHR error
	  %DCL-W-ACTIMAGE, error activating image PCRE_SHR
	  -CLI-E-IMAGEFNF, image file not found OPNBAR$DKA0:[SYS0.SYSCOMMON.][SYSLIB]PCRE_SHR.EXE;

	  Cause : Logical for PCRE_SHR.EXE is not defined
	  Solution : Ensure that the logical PCRE_SHR pointing to the shareable is set.
		  Ex :  $define pcre_shr SNORT$COMMON:[LIB]PCRE_SHR.EXE


2) Snort® exits with the following error
	***
	*** interface device lookup found: IE0
	***
	Initializing Network Interface IE0
	%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation

	Cause : To open the connection for the network interface we need the CMKRNL privilege. 
		The current user logged in does not have sufficient privileges.
	Solution : Log in using the "SYSTEM" user or any privileged account having 
		   (IMPERSONATE,SYSNAM,SYSPRV,SETPRV,CMKRNL) privileges and run SNORT®.


3) Snort® exits with the following error
	ERROR: Stat check on log dir failed: no such file or directory.
	Fatal Error, Quitting..

	Solution : Make sure the log dir specified in the command line followed by -l exists.
		Ex : snort -v -l ./log
			Look for [.log] in the current dir.


4) Snort® exits with the following error
	ERROR: log_tcpdump: Failed to open log file "[.log]/snort.log.1271149180": no such file or directory
	Fatal Error, Quitting..	

	Cause of error : Running Snort® using VMS style dir paths 
		Ex : snort -v -l [.log]

	Solution : Always use Unix style Dir paths as arguments while running Snort®.


5) Snort® exits with the following error while loading dynamic libraries
	Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... 
	ERROR: Failed to find LibVersion() function in /usr/local/lib/snort_dynamicengine/libsf_engine.so: 
	%LIB-E-KEYNOTFOU, key not found in tree
	Fatal Error, Quitting..

	Cause of error : The dynamic library is built with warnings/errors

	Solution : Rebuild the dynamic library, resolving all warnings/errors


6) Snort® exits with the following error while loading rules
     i) ERROR: (../rules/web-misc.rules)97 => Cannot use 'rawbytes' and 'http_uri' as modifiers for the same "content" nor
                                              use 'rawbytes' with "uricontent".
	    Fatal Error, Quitting..

    ii) ERROR: ../rules/web-misc.rules Line 452 => unable to parse pcre regex "fn=Eye\d{4}_\d{2}.log/Rmsi"
	    Fatal Error, Quitting..

   Solution : Comment out the above 2 rules in Snort$specific:[rules]web-misc.rules and run 
                 Snort® again.
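
The modifier conflict reported in 6 i) can be caught before Snort® is started. The following is an added example, not part of the original readme or the Snort® sources: it scans rule lines for 'rawbytes' combined with 'http_uri' on one content (or 'rawbytes' on a uricontent) and comments those rules out, as the solution above instructs. The function names and sample rules are constructed for illustration; it assumes one rule per line and does not cover the pcre parse error in 6 ii).

```python
# Added example: flag Snort 2.8 rules that put 'rawbytes' and 'http_uri' on one
# content, or 'rawbytes' on a uricontent, and comment them out.
# Assumption: one rule per line (no backslash line continuation).
CONFLICT_MODS = {"rawbytes", "http_uri"}

def split_options(body):
    """Split option text into (name, value) pairs; ';' inside quotes or after '\\' is data."""
    options, buf, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            name, _, value = "".join(buf).strip().partition(":")
            if name:
                options.append((name.strip().lower(), value.strip()))
            buf = []
            continue
        buf.append(ch)
    return options

def check_rule(rule):
    """Return (sid, problems) for one rule line; problems is empty if clean."""
    start, end = rule.find("("), rule.rfind(")")
    options = split_options(rule[start + 1:end]) if 0 <= start < end else []
    problems, target, mods = [], None, set()
    def close_group():
        # Modifiers apply to the content/uricontent option that precedes them.
        if target == "content" and CONFLICT_MODS <= mods:
            problems.append("rawbytes and http_uri on the same content")
        elif target == "uricontent" and "rawbytes" in mods:
            problems.append("rawbytes used with uricontent")
    for name, _value in options:
        if name in ("content", "uricontent"):
            close_group()
            target, mods = name, set()
        elif name in CONFLICT_MODS and target:
            mods.add(name)
    close_group()
    return dict(options).get("sid", "?"), problems

def comment_out_conflicts(lines):
    """Return (new_lines, report); rejected rules are prefixed with '# '."""
    new_lines, report = [], []
    for number, line in enumerate(lines, start=1):
        text = line.strip()
        sid, problems = check_rule(text) if text and text[0] != "#" else ("?", [])
        if problems:
            report.append((number, sid, problems))
            line = "# " + line
        new_lines.append(line)
    return new_lines, report

HEADER = "alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS "
SAMPLE_RULES = [  # constructed rules, not taken from web-misc.rules
    "# constructed sample file",
    HEADER + '(msg:"both on one content"; content:"/demo.cgi"; http_uri; rawbytes; sid:1000001;)',
    HEADER + '(msg:"rawbytes on uricontent"; uricontent:"/demo"; rawbytes; sid:1000002;)',
    HEADER + '(msg:"separate contents"; content:"a\\;b"; rawbytes; content:"/x"; http_uri; sid:1000003;)',
]

if __name__ == "__main__":
    fixed, report = comment_out_conflicts(SAMPLE_RULES)
    for number, sid, problems in report:
        print(f"line {number} sid {sid}: {'; '.join(problems)}")
```

Review the report before writing the modified lines back to the rules file, since every commented-out rule is a detection that no longer runs.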




---------------------------------------------------------
3.0)		Building Snort® V2.8-531A on HP OpenVMS
---------------------------------------------------------



3.1) How to get Snort® sources:
------------------------------

Download the source kit from the following location:

  	http://h71000.www7.hp.com/openvms/products/snort/index.html 

      i) Expand the self-extracting kit to create the .BCK 
	    $ RUN SNORT-V0208-531A_SRC.ZIPEXE  
     ii) Extract the .bck
	    $BACKUP SNORT-V0208-531A.BCK/SAV disk:[*...]
		Where disk is the disk device where you want to unpack the sources.
	This process creates a directory called [SNORT_BUILDS] and then unpacks the build 
        tree into that directory. 
        The final directory structure is similar to the following: 

  	    disk:[SNORT_BUILDS.SNORT-V0208-531...]



3.2) Prerequisites to build Snort® V2.8-531A on HP OpenVMS
-------------------------------------------------------

    Operating System/Architecture:
	- HP IA64VMS OPENVMS V8.3-1H1 onwards

    Disk:
	- ODS-5 disk
    Build tools: 
	- HP I64VMS GNV V2.1-3
	- HP I64VMS C V7.3-18 or later
	- HP I64VMS CXX S7.3-35
    Other Products:
	- HP I64VMS SSL V1.4-335 or later (If MySQL logging is required)
	- HP I64VMS TCPIP V5.6-9ECO5 or later
	- JFP I64VMS MYSQL V4.1-14 or later version of MYSQL051 built with SSL V1.4-335 
					(If MySQL logging is required)
	- JFP I64VMS ZLIB V1.2-3 or later (If MySQL logging is required)
	- GNU Flex v2.5.4
	- GNU Bison v1.35
	- HP I64VMS PERL V5.8-6 or later  - required only to build dynamic rules (so_rules)


    For improved performance install the latest TCPIP, Update and CRTL kits.


	
3.3) Setting up the Snort® on OpenVMS build environment
------------------------------------------------------
	
Execute the following to setup the build environment

  i) Download Flex v2.5.4 and Bison v1.35 from OpenVMS freeware.

 ii) Copy flex.exe to [.VMS_SPECIFIC]
	$copy flex.exe diskname:[snort_builds.SNORT-V0208-531.vms_specific]flex.exe
			where diskname is the device name

iii) Copy bison.; and bison.simple to [.VMS_SPECIFIC]
	$copy bison.;, bison.simple  diskname:[snort_builds.SNORT-V0208-531.vms_specific]
					where diskname is the device name

 iv) Run the following command procedure to setup the Snort® build environment.
	@diskname:[snort_builds.SNORT-V0208-531.com]snort$build_setup.com
	where diskname is the device name

  v) Setup the GNV by running the following
	$@SYS$STARTUP:GNV$STARTUP.COM
	$@GNU:[LIB]GNV_SETUP.COM

 vi) To build Snort® using "--with-mysql" configure option, define the MYSQL051_ROOT logical. 
     Run [.vms]logicals.com in the MySQL installation directory to define it.
	Ex: $@sys$sysdevice:[SYS0.SYSCOMMON.MYSQL051.vms]logicals.com "/SYSTEM/EXEC"



3.4) Start building Snort® V2.8-531A on OpenVMS
--------------------------------------------

  i) $set def snort_root:[000000]
 ii) Run bash
	$bash
iii) Disable DCL fallback by entering the following   
	bash$ export GNV_DISABLE_DCL_FALLBACK=1
 iv) Run configure with options of your choice as shown below,
	bash$ ./configure CPPFLAGS=-I/SNORT_ROOT/VMS_SPECIFIC <configure options>

     Ex:
	bash$ ./configure CPPFLAGS=-I/SNORT_ROOT/VMS_SPECIFIC \
	    --enable-dependency-tracking --enable-shared  --enable-static \
            --enable-fast-install --disable-libtool-lock  --enable-dynamicplugin  \
            --enable-ipv6  --enable-targetbased  --enable-decoder-preprocessor-rules  \
            --enable-ppm --enable-timestats --enable-perfprofiling --enable-pthread  \
            --enable-ppm-test --enable-reload  --enable-reload-error-restart  \
            --with-mysql --with-mysql-includes=/MYSQL051_ROOT/000000/include  \
            --with-mysql-libraries=/MYSQL051_ROOT/000000/vms
            

	bash$./configure --help 
		lists all the configure options

Note : Please refer to the section "Unsupported Snort® options on HP OpenVMS" for the list of 
       options not supported on OpenVMS


Configure creates the makefiles on successful completion.


  v)  Run make to start building Snort®
	bash$ cd /snort_root/000000/src
	bash$ make

Note: GNV make on OpenVMS is known to have problems running recursively beyond the order of 5 
      inner loops. As a result you may encounter errors at some directories while building Snort®.


Following are the workarounds that could be used.

1) make exits with the following error while making /snort_root/src/dynamic-plugins/sf_engine

make  all-recursive
make[5]: Entering directory `/snort_root/src/dynamic-plugins/sf_engine'
/tmp/make003200: /gnu/bin/sed: normal successful completion
(null)
Making  in examples
/tmp/make003200: /gnu/bin/make: normal successful completion
(null)
make[5]: *** [all-recursive] Error 1
make[5]: Leaving directory `/snort_root/src/dynamic-plugins/sf_engine'
make[4]: *** [all] Error 2
make[4]: Leaving directory `/snort_root/src/dynamic-plugins/sf_engine'
make[3]: *** [all-recursive] Error 1

Workaround to be used: 
	bash$ cd /snort_root/src/dynamic-plugins 
	bash$ make
	bash$ cd /snort_root/src
	bash$ make

2) make exits with the following error while making /snort_root/src/dynamic-preprocessors/ftptelnet


make[4]: Entering directory `/snort_root/src/dynamic-preprocessors/ftptelnet'
make[5]: Entering directory `/snort_root/src/dynamic-preprocessors/ftptelnet'
sh ../../../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I. -I../../.. -I../include -I./includes  -ISNORT_ROOT/VMS_SPECI
FIC -DDYNAMIC_PLUGIN -DSUP_IP6 -DTARGET_BASED -DPREPROCESSOR_AND_DECODER_RULE_EVENTS -DPPM_MGR -DTIMESTATS -DPERF_PROFILING -DDEBUG
-DPROFILE -DPPM_TEST -DSNORT_RELOAD -I/MYSQL051_ROOT/000000/include -DENABLE_MYSQL  -g -names_as_is_short -auto_symvec -O0 -c -o ftp_bo
unce_lookup.lo ftp_bounce_lookup.c
../../../libtool: /gnu/bin/sed: normal successful completion
(null)
../../../libtool: /gnu/bin/tr: normal successful completion
(null)
..
..
../../../libtool: /gnu/bin/sed: normal successful completion
(null)
: compile: cannot determine name of library object from `'
make[5]: *** [ftp_bounce_lookup.lo] Error 1
make[5]: Leaving directory `/snort_root/src/dynamic-preprocessors/ftptelnet'
make[4]: *** [all-recursive] Error 1
make[4]: Leaving directory `/snort_root/src/dynamic-preprocessors/ftptelnet'
make[3]: *** [all] Error 2
make[3]: Leaving directory `/snort_root/src/dynamic-preprocessors/ftptelnet'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/snort_root/src/dynamic-preprocessors'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/snort_root/src/dynamic-preprocessors'
make: *** [all-recursive] Error 1

Workaround to be used: 	
	bash$ cd /snort_root/src/dynamic-preprocessors
	bash$ make
	bash$ cd /snort_root/src
	bash$ make


Make would then run successfully and create the Snort® executable (snort.;)


Snort® is known to build with the following warnings, which do not have any impact on running the 
application. These warnings may be ignored.

	? cc: Warning: library "socket" not found
	? cc: Warning: library "nsl" not found
	? cc: Warning: library "m" not found
	? cc: Warning: library "dl" not found
	%ILINK-W-COMPWARN, compilation warnings
        module: snort
        file: SNORT_ROOT:[src]snort.o;1
%ILINK-W-COMPWARN, compilation warnings
        module: snprintf
        file: SNORT_ROOT:[src]snprintf.o;1
%ILINK-W-COMPWARN, compilation warnings
        module: snort_httpinspect
        file: SNORT_ROOT:[src.preprocessors]libspp.olb;1
%ILINK-W-COMPWARN, compilation warnings
        module: sftarget_reader
        file: SNORT_ROOT:[src.target-based]libtarget_based.olb;1



3.5) Building Syslog for Snort®:
-------------------------------

The Syslog facility is not available on OpenVMS. This port of SNORT® for OpenVMS includes a wrapper 
over SYSLOG to allow logging of all SNORT® messages into a local file. Other features of Syslog
are not supported.
The source kit for Snort® on OpenVMS provides the syslog.olb library. The library will be directly linked with the Snort® 
executable. The sources for the Syslog on OpenVMS are not rebuilt while building Snort®.

To build Syslog yourself, execute the following commands on GNV.

   bash$ cd /snort_root/vms_specific
   bash$ gcc -g -source_listing -names_as_is_short -auto_symvec -O0 -c syslog.c -ISNORT_ROOT/VMS_SPECIFIC
   bash$ ar cru  syslog.olb syslog.o



3.6) Warnings to be ignored during build
----------------------------------------

1) While running configure.; you would come across the following errors on libpcre and libpcap.
   These errors could be ignored. For OpenVMS we set the libpcre and libpcap libraries at a later 
   point of execution.

checking for pcre_compile in -lpcre... no

   ERROR!  Libpcre library not found.
   Get it from http://www.pcre.org

no

    ERROR!  Libpcre library version >= 6.0 not found.
    Get it from http://www.pcre.org
.
.
.
 checking for pcre_compile in -lpcre... no

   ERROR!  Libpcre library not found.
   Get it from http://www.pcre.org

no

    ERROR!  Libpcre library version >= 6.0 not found.
    Get it from http://www.pcre.org



2) Following warnings are displayed while building .la libraries which may be ignored.

	*** Warning: Linking the shared library libsf_smtp_preproc.la against the
*** static library /SNORT_ROOT/vms_specific/pcrelib.olb is not portable!

*** Warning: Linking the shared library libsf_smtp_preproc.la against the
*** static library /SNORT_ROOT/vms_specific/syslog.olb is not portable!

*** Warning: Linking the shared library libsf_smtp_preproc.la against the
*** static library /MYSQL051_ROOT/vms/lib/mysqlclient_upper.olb is not portable!



3.7) Unsupported Snort® options on HP OpenVMS:
---------------------------------------------

i) MPLS and GRE
	Multicast protocol layer support and Generic routing Encapsulation protocols are not 
   supported on OpenVMS TCPIP. Snort® will not build with the following options
 --enable-gre
 --enable-mpls


ii) Inline 
	Snort® Inline obtains packets from iptables instead of libpcap and then uses new rule
    types to help iptables pass or drop packets based on Snort® rules. 

 As there is no support for iptables on VMS, the following options are not supported on 
 OpenVMS Snort® V2.8-531A

Snort® may not build with the following options
  --enable-inline
  --enable-ipfw 
  --enable-flexresp
  --enable-flexresp2
  --with-libipq-includes=DIR 
  --with-libipq-libraries=DIR
  --enable-react


iii) Aruba and Prelude
	We have not tested with Aruba and Prelude output plugins. The following are unsupported: 
    --enable-aruba
    --enable-prelude
    --with-libprelude-prefix=PFX



iv) External libraries
	The following libraries are not ported on OpenVMS. 
    Using the following options to build Snort® may result in errors.
  --with-libpfring-includes=DIR 
  --with-libpfring-libraries=DIR
  --with-libnet-includes=DIR 
  --with-libnet-libraries=DIR
  --with-dnet-includes=DIR
  --with-dnet-libraries=DIR


v) Databases
	SNORT® on OpenVMS has not been configured to compile with the following databases:
  --with-odbc=DIR          
  --with-postgresql=DIR        
  --with-pgsql-includes=DIR      
  --with-oracle=DIR           


vi) In addition the following options are not tested/supported
 	--enable-64bit-gcc
  	--enable-linux-smp-stats
 	--disable-corefiles
 	--with-tags[=TAGS]



3.8) Trouble shooting build
---------------------------

	For information on troubleshooting while running Snort® refer to the section 
"Trouble shooting snort®".

i)  While running configure I get the following errors
	%DCL-W-ACTIMAGE, error activating image SYS$COMMON:[SYSEXE]DCL.EXE	
	-CLI-E-IMGNAME, image file SUMMER$DKA0:[SYS0.SYSCOMMON.][SYSEXE]DCL.EXE
	-SYSTEM-F-ACCVIO, access violation, reason mask=2C, virtual address=000000007FFD1160, PC=000000000000001A, PS=7FF93EA5

    Cause : GNV_DISABLE_DCL_FALLBACK env variable is not defined

    Solution : Define the variable as below on bash
			bash$export GNV_DISABLE_DCL_FALLBACK=1

ii) Snort® executable builds with errors showing undefined symbols in mysqlclient_upper.olb 
    as shown below,

	%ILINK-E-NUDFSYMS, 2 undefined symbols:
%ILINK-I-UDFSYM,        MY_TIME
%ILINK-I-UDFSYM,        THD_LIB_DETECTED
%ILINK-W-USEUNDEF, undefined symbol MY_TIME referenced
        section: $CODE$
        offset: %X0000000000000270  slot: 2
        module: CLIENT
        file: MYSQL051_ROOT:[vms.lib]mysqlclient_upper.olb;1
%ILINK-W-USEUNDEF, undefined symbol MY_TIME referenced
        section: $CODE$
        offset: %X00000000000002F0  slot: 2
        module: CLIENT
        file: MYSQL051_ROOT:[vms.lib]mysqlclient_upper.olb;1
%ILINK-W-USEUNDEF, undefined symbol THD_LIB_DETECTED referenced
        section: $CODE$
        offset: %X0000000000000000  slot: 1
        module: MY_THR_INIT
        file: MYSQL051_ROOT:[vms.lib]mysqlclient_upper.olb;1
make[1]: *** [snort] Error 2
make[1]: Leaving directory `/snort_root/src'
make: *** [all-recursive] Error 1

     Cause : The client libraries shipped with your version of MySQL for OpenVMS are known
	     to result in undefined symbols for MY_TIME and THD_LIB_DETECTED at linktime.

     Solution :  Download the client libraries present in the following link
	         http://www.pi-net.dyndns.org/anonymous/kits/ia64/mysqlclient05122_upd1.zip
	         Perform the following to save the libraries at MYSQL051_ROOT:[VMS.LIB]
			$copy mysqlclient05122_upd1.zip MYSQL051_ROOT:[VMS.LIB]
			$set def MYSQL051_ROOT:[VMS.LIB]
	        	$unzip mysqlclient05122_upd1.zip



3.9) Source listings and Map files
----------------------------------

Source Listings are generated by default. Mapping files have the 
following nomenclature *_symvec.MAP.
	  Ex : libsf_engine_shr_symvec.MAP



3.10) How to test your Snort® build
----------------------------------

 i) $@snort_root:[000000.com]snort$post_build.com
ii) Run Snort®
		Ex: $snort "-V"



3.11) How to create PCSI kit for Snort® on HP OpenVMS:
-----------------------------------------------------

	Once you have tested your latest build, follow the steps mentioned below to
generate a PCSI kit of Snort®.

  i) $set def SNORT_ROOT:[000000.kit]
 ii) Copy all the kit files into a directory. Run snort$copy_kitfiles.com to copy the files
	$@snort$copy_kitfiles.com   
iii) Run snort$build_kit.com to generate the PCSI kit.
	$@snort_root:[000000.kit]snort$build_kit.com
	This generates HP-I64VMS-SNORT-V0208-531A-1.PCSI and 
	HP-I64VMS-SNORT-V0208-531A-1.PCSI$COMPRESSED kits.
 iv) Run the snort$del_kitfiles.com procedure to delete the kit files copied earlier.
	$@snort$del_kitfiles.com



Note: The above command procedures provided were used to build the PCSI kit 
      HP-I64VMS-SNORT-V0208-531A-1.PCSI$COMPRESSED.
      However you may modify commands to add/remove any files in HP-I64VMS-SNORT-V28531A.PCSI$DESC and 
      snort$copy_kitfiles.com if needed.



3.12) Building Snort® in debug mode
----------------------------------

	Run configure using --enable-debug along with other options.
A debug image of Snort® is built using the above option. Mapping, DSF and listing files are created.
		
You can also enable Snort® debug traces by setting the logical SNORT_DEBUG.
	Ex : To print all debug traces, 
		$define/sys SNORT_DEBUG 4294967295 
	     Alternately on GNV
		bash$export SNORT_DEBUG=4294967295	
	
Please refer to the header Decode.h for complete list of values SNORT_DEBUG can be set to 
display various levels of debugging traces.



3.13) How to run Snort® in debug mode
------------------------------------

i)  @snort_root:[000000.com]snort_post_build.com
ii) Run Snort® with the runtime arguments of your choice.
	   Ex : $snort "-V"
	         OpenVMS I64 Debug64 Version X8.3-015
	  	 %DEBUG-I-INITIAL, Language: C, Module: snort
		 %DEBUG-I-NOTATMAIN, Type GO to reach MAIN program
		 DBG>