This document explains in detail how to install, run and build SNORT® V2.8-531A on HP OpenVMS.
You can also find this document at SNORT$COMMON:[DOC]snort_vms_readme.txt

© Copyright 2010 Hewlett-Packard Development Company, L.P.
Snort is a registered trademark of Sourcefire, Inc.

Table of contents:
------------------
1.0)   SNORT® V2.8-531A for HP OpenVMS
1.1)   Prerequisites to Install SNORT® for OpenVMS
1.2)   Compile time features enabled by Snort®
1.3)   Installing Snort®
1.4)   Uninstalling Snort®
2.0)   Running SNORT® V2.8-531A for HP OpenVMS
2.1)   Running Snort® non-interactive (as a daemon)
2.2)   Running Snort® interactive
2.3)   Stopping Snort® non-interactive
2.4)   Stopping Snort® interactive
2.5)   Installing and loading registered rules
2.5.1) Building and loading SO rules
2.6)   Viewing SNORT® alert or log files
2.7)   Logging alerts and messages into Syslog
2.8)   Customizing run time options of Snort®
2.9)   Use of Double quotes for uppercase arguments
2.10)  Configure MySQL database logging
2.11)  Running multiple instances of Snort®
2.12)  Loading dynamic libraries
2.13)  Rules vs Memory
2.14)  Limitations/Features not supported
2.15)  Troubleshooting Snort®
3.0)   Building Snort® V2.8-531A on HP OpenVMS
3.1)   How to get Snort® sources
3.2)   Prerequisites to build Snort® V2.8-531A on HP OpenVMS
3.3)   Setting up the Snort® on OpenVMS build environment
3.4)   Start building Snort® V2.8-531A on OpenVMS
3.5)   Building Syslog for Snort®
3.6)   Warnings to be ignored during build
3.7)   Unsupported Snort® options on HP OpenVMS
3.8)   Troubleshooting the build
3.9)   Source listings and Map files
3.10)  How to test your Snort® build
3.11)  How to create a PCSI kit for Snort® on HP OpenVMS
3.12)  Building Snort® in debug mode
3.13)  How to run Snort® in debug mode

-----------------------------------------------------------
1.0) SNORT® V2.8-531A for HP OpenVMS
-----------------------------------------------------------
Snort® is an open source network intrusion detection and prevention system.
The current version of SNORT®, V2.8-531A, for OpenVMS is based on Snort® V2.8.5.3.
For more information on SNORT®, visit: http://www.snort.org/

1.1) Prerequisites to Install SNORT® for OpenVMS:
------------------------------------------------
Operating System/Architecture:
  - HP IA64VMS OPENVMS V8.3-1H1 onwards

Other Products:
  - HP I64VMS SSL V1.4-335
  - HP I64VMS TCPIP V5.6-9ECO5 or later
  - JFP I64VMS MYSQL V4.1-14 or later version of MYSQL051 built with SSL V1.4-335
    (if MySQL logging is required)
  - JFP I64VMS ZLIB V1.2-3 or later

Disk:
  - ODS-5 disk

Prerequisites to build SO_RULES (dynamic rules):
  - HP I64VMS PERL V5.8-6 or later
  - HP I64VMS GNV V2.1-3
  - HP I64VMS C V7.3-18 or later

Snort® for OpenVMS is not supported on any third-party TCP/IP network product such as
MultiNet or TCPware from Process Software Corporation.

For improved performance install the latest TCPIP, Update and CRTL kits.

1.2) Compile time features enabled by Snort®:
--------------------------------------------
The following compile time features are enabled at the time of running configure:
  i)    IPv6
  ii)   Dynamic plugins
  iii)  Target-based
  iv)   Decoder-preprocessor rules
  v)    Performance monitor
  vi)   Performance profiling
  vii)  Timestat statistics
  viii) Reload-on-error feature
  ix)   Logging into a MySQL database

snort.exe has been built with the following options:

  ./configure --enable-dependency-tracking --enable-shared --enable-static \
    --enable-fast-install --disable-libtool-lock --enable-dynamicplugin \
    --enable-ipv6 --enable-targetbased --enable-decoder-preprocessor-rules \
    --enable-ppm --enable-timestats --enable-perfprofiling --enable-pthread \
    --enable-ppm-test --enable-reload --enable-reload-error-restart \
    --with-mysql --with-mysql-includes=/MYSQL051_ROOT/000000/include \
    --with-mysql-libraries=/MYSQL051_ROOT/000000/vms \
    CPPFLAGS=-I/SNORT_ROOT/VMS_SPECIFIC

The OpenVMS port of PCRE-7.8 is used to build SNORT® V2.8-531A.

1.3) Installing Snort®:
----------------------
i)   Download the kit from:
     http://h71000.www7.hp.com/openvms/products/snort/index.html
     To download the Snort® PCSI kit from the OpenVMS web site, fill out and submit the
     "Snort® for OpenVMS registration" form at the above URL.
ii)  Copy the self-extracting file to the local system.
iii) Expand the self-extracting file:
       $ RUN HP-I64VMS-SNORT-V0208-531A.ZIPEXE
iv)  Perform a "$ product install SNORT".
     Snort® will now be installed at the following locations:
       - SYS$COMMON:[SNORT...]   - Will have the Snort® common files
       - SYS$SPECIFIC:[SNORT...] - Initially will have an empty directory tree.
                                   The SNORT® node-specific files like logs get stored here.
     The SNORT® configuration files which are present in SYS$COMMON:[SNORT.ETC] can be
     modified for a specific node (helpful in the case of a satellite node in a cluster) and
     placed in SYS$SPECIFIC:[SNORT.ETC].
     A SYS$STARTUP:SNORT$LOGICALS.COM will be created during installation.
     SNORT$LOGICALS.COM defines the following concealed system-wide logicals:
       - SNORT$COMMON   - Points to SYS$COMMON:[SNORT.]
       - SNORT$SPECIFIC - Points to SYS$SPECIFIC:[SNORT.]
v)   Snort® can be installed into a directory other than the default by using the
     "/DESTINATION" qualifier along with "$ product install SNORT". In this case too, the
     SNORT® node-specific files will still be installed at SYS$SPECIFIC:[SNORT...].
     In order to change the path of the node-specific files from SYS$SPECIFIC:[SNORT...] to
     a different location, say DKA100:[SNORT], do the following:
       - Create a new directory DKA100:[SNORT]
       - Edit SYS$STARTUP:SNORT$LOGICALS.COM and redefine SNORT$SPECIFIC to DKA100:[SNORT.]:
           $ define /system/trans=(concealed) snort$specific "DKA100:[SNORT.]"
       - Note: SNORT$SPECIFIC should be defined to the absolute path. Avoid using another
         logical in the path name.

1.4) Uninstalling Snort®:
------------------------
Perform a "$ product remove SNORT" to uninstall Snort®.

Note:
  1) Logs and alerts are not deleted during uninstall. You need to delete them manually.
  2) The non-interactive user account "SNORT$USER", created on the first run of SNORT®,
     will be deleted during uninstallation.

------------------------------------------------------------
2.0) Running SNORT® V2.8-531A for HP OpenVMS
------------------------------------------------------------
The following runtime options of Snort® are supported on HP OpenVMS.

  "-A"           Set alert mode: fast, full, console, test or none (alert file alerts only)
                 "unsock" enables UNIX socket logging (experimental).
  -b             Log packets in tcpdump format (much faster!)
  "-B"           Obfuscate IP addresses in alerts and packet dumps using CIDR mask
  -c             Use rules file
  "-C"           Print out payloads with character data only (no hex)
  -d             Dump the application layer
  -e             Display the second layer header info
  -f             Turn off fflush() calls after binary log writes
  "-F"           Read BPF filters from file
  "-G" <0xid>    Log identifier (to uniquely id events for multiple snorts)
  -h             Home network =
  "-H"           Make hash tables deterministic.
  "-I"           Add interface name to alert output
  -k             Checksum mode (all,noip,notcp,noudp,noicmp,none)
  "-K"           Logging mode (pcap[default],ascii,none)
  -l             Log to directory
  "-M"           Log messages to syslog (not alerts)
  -n             Exit after receiving packets
  "-N"           Turn off logging (alerts still work)
  "-O"           Obfuscate the logged IP addresses
  -p             Disable promiscuous mode sniffing
  "-P"           Set explicit snaplen of packet (default: 1514)
  -q             Quiet. Don't show banner and status report
  -r             Read and process tcpdump file
  "-R"           Include 'id' in snort_intf.pid file name
  -s             Log alert messages to syslog
  "-S" <"n"="v"> Set rules file variable n equal to value v
  "-T"           Test and report on the current Snort configuration
  "-U"           Use UTC for timestamps
  -v             Be verbose
  "-V"           Show version number
  "-X"           Dump the raw packet data starting at the link layer
  -x             Exit if Snort configuration problems occur
  -y             Include year in timestamp in the alert and log files
  "-Z"           Set the perfmonitor preprocessor file path and name
  -?             Show this information

The remaining command-line arguments are standard BPF filter options, as seen in TCPDump.

Long-name options and their corresponding single-char version:

  --logid <0xid>                     Same as "-G"
  --perfmon-file                     Same as "-Z"
  --pid-path                         Specify the directory for the Snort PID file
  --snaplen                          Same as "-P"
  --help                             Same as -?
  --version                          Same as "-V"
  --alert-before-pass                Process alert, drop, sdrop, or reject before pass;
                                     default is pass before alert, drop, ...
  --treat-drop-as-alert              Converts drop, sdrop, and reject rules into alert rules
                                     during startup
  --process-all-events               Process all queued events (drop, alert, ...); default
                                     stops after the 1st action group
  --dynamic-engine-lib               Load a dynamic detection engine
  --dynamic-engine-lib-dir           Load all dynamic engines from directory
  --dynamic-detection-lib            Load a dynamic rules library
  --dynamic-detection-lib-dir        Load all dynamic rules libraries from directory
  --dump-dynamic-rules               Creates stub rule files of all loaded rules libraries
  --dynamic-preprocessor-lib         Load a dynamic preprocessor library
  --dynamic-preprocessor-lib-dir     Load all dynamic preprocessor libraries from directory
  --create-pidfile                   Create PID file, even when not in daemon mode
  --nolock-pidfile                   Do not try to lock Snort PID file
  --disable-attribute-reload-thread  Do not create a thread to reload the attribute table
  --pcap-single                      Same as -r.
  --pcap-file                        File that contains a list of pcaps to read; read mode is
                                     implied.
  --pcap-list ""                     A space-separated list of pcaps to read; read mode is
                                     implied.
  --pcap-dir                         A directory to recurse to look for pcaps; read mode is
                                     implied.
  --pcap-filter                      Filter to apply when getting pcaps from file or directory.
  --pcap-no-filter                   Reset to use no filter when getting pcaps from file or
                                     directory.
  --pcap-loop                        Read the pcaps specified on the command line continuously
                                     for the given number of times. A value of 0 will read
                                     until Snort is terminated.
  --pcap-reset                       If reading multiple pcaps, reset snort to the
                                     post-configuration state before reading the next pcap.
  --pcap-show                        Print a line saying what pcap is currently being read.
  --exit-check                       Signal termination after the given number of callbacks
                                     from pcap_dispatch(), showing the time it takes from
                                     signaling until pcap_close() is called.
  --conf-error-out                   Same as -x
  --require-rule-sid                 Require that all snort rules have a SID specified.

2.1) Running Snort® non-interactive (as a daemon)
-----------------------------------------------
To run Snort® you need to log in as the "SYSTEM" user or any privileged account having
(IMPERSONATE,SYSNAM,SYSPRV,SETPRV,CMKRNL) privileges.

i)   Define the system-wide logical for LIBZ_SHR32:
       $ @sys$common:[libz]startup.com
     Note: You can run this as a part of your OpenVMS system startup procedure
     sys$manager:SYSTARTUP_VMS.COM
ii)  Run SYS$STARTUP:SNORT$LOGICALS.COM to define the Snort® logicals:
       $ @SYS$STARTUP:SNORT$LOGICALS.COM
     Note: You can run this as a part of your OpenVMS system startup procedure
     sys$manager:SYSTARTUP_VMS.COM
iii) Edit snort$common:[000000.etc]snort.conf for any Snort® configuration changes, if
     required. Refer to the Snort® user manual for information on customizing snort.conf.
iv)  To customize your Snort® runtime options, refer to the section "Customizing run time
     options of Snort®".
v)   Start the Snort® process with the following command:
       $ @snort$common:[com]SNORT$STARTUP.COM
     This creates a detached Snort® process named SNORT_1.
     Logs of the Snort® process are written to SNORT$SPECIFIC:[VAR.LOG.SNORT]snort_run.log

Note:
  1) Snort® will create a non-interactive user "SNORT$USER" with UIC [371,371] the first time
     it is run. If a user with UIC [371,371] already exists, SNORT$USER is created with the
     next available member number. The SNORT_1 process will run under this user account.
  2) You may want to review the security settings for this user account and adjust them for
     your needs.
  3) The uninstallation of SNORT® will remove this user account.
2.2) Running Snort® interactive
------------------------------
You can also run Snort® directly from the DCL prompt. However, care should be taken to ensure
that the correct directory paths are used on the command line as well as in /etc/snort.conf.
In case of any errors in defining the correct directory path, you may encounter the following
error messages:

  ERROR: Unable to open rules file "../etc/../rules/local.rules": no such file or directory.
  Fatal Error, Quitting..

To run Snort® you need to log in as the "SYSTEM" user or any privileged account having
(IMPERSONATE,SYSNAM,SYSPRV,SETPRV,CMKRNL) privileges.

Define the system-wide logical for LIBZ_SHR32:
  $ @sys$common:[libz]startup.com

Follow the instructions provided below to run Snort® from DCL:
  i)   $ @SYS$COMMON:[SYS$STARTUP]SNORT$LOGICALS.COM
  ii)  $ @SNORT$COMMON:[COM]SNORT$CMDLINE.COM
  iii) $ set def SNORT$COMMON:[BIN]
  iv)  Define a symbol for snort.exe as:
         $ snort :== "$SNORT$COMMON:[BIN]snort.exe"
  v)   Run snort. Ex:
         a) $ snort -"V"                             -- To display the version number
         b) $ snort -c /snort$common/etc/snort.conf  -- To use the snort.conf configuration
       Note: Refer to the section "Use of Double quotes for uppercase arguments" for passing
       upper case arguments.

Alternatively, if you have GNV installed on your system, you can run Snort® from GNV bash.
Execute the following to run Snort® on bash:
  $ @SYS$STARTUP:GNV$STARTUP.COM
  $ @GNU:[LIB]GNV_SETUP.COM
  $ @SYS$COMMON:[SYS$STARTUP]SNORT$LOGICALS.COM
  $ @SNORT$COMMON:[COM]SNORT$CMDLINE.COM
  $ set def SNORT$COMMON:[BIN]
  $ bash
  bash$ export GNV_DISABLE_DCL_FALLBACK=1
  bash$ snort
  Ex:
    a) bash$ snort -V                               -- To display the version number
    b) bash$ snort -c /snort$common/etc/snort.conf  -- To use the snort.conf configuration

Running Snort® on bash is similar to running it on any other operating system, say Linux.

Note:
  i)   Some of the Snort® runtime arguments are not supported on HP OpenVMS. Refer to the
       section "Running SNORT® V2.8-531A for HP OpenVMS" for the list of supported runtime
       options.
  ii)  Snort® retains case on GNV bash. There is no need to use double quotes for uppercase
       arguments.
  iii) Snort® requires a Unix-style POSIX root directory to be defined. On OpenVMS the root is
       identified by the logical SYS$POSIX_ROOT. On running the GNV startup procedure
       SYS$STARTUP:GNV$STARTUP.COM a system-wide SYS$POSIX_ROOT logical is usually created as:
         "SYS$POSIX_ROOT" = sys$sysdevice:[PSX$ROOT.]
       The SNORT$CMDLINE.COM procedure above defines a process-wide logical SYS$POSIX_ROOT
       pointing to the Snort® directories. Log out of the terminal session (in which you
       invoked bash) in order to clear this logical.

2.3) Stopping Snort® non-interactive
-----------------------------------
i)  Only one instance of Snort® running on the system:
      $ @snort$common:[com]SNORT$SHUTDOWN.COM
      Stopping SNORT process SNORT_1
ii) A particular Snort® process:
    When running multiple instances of Snort®, multiple Snort® processes are created with the
    process names SNORT_1, SNORT_2, SNORT_3 etc. To stop a particular instance of Snort®,
    provide its process name as argument to the shutdown procedure as follows:
      $ @snort$common:[com]SNORT$SHUTDOWN.COM SNORT_3
      Stopping SNORT process SNORT_3
    If a process named "SNORT_3" is not running, the following message is displayed:
      SNORT_3 is not running

2.4) Stopping Snort® interactive
-------------------------------
To stop Snort® running interactively on your screen, press Ctrl+C.

2.5) Installing and loading registered rules:
---------------------------------------------
SNORT® rulesets are downloadable from www.snort.org; some rulesets require a subscription to
download. To load the rulesets follow these steps:
  i)   Back up your Snort® configuration file (snort.conf) before downloading the new rules.
         $ copy SNORT$COMMON:[ETC]SNORT.CONF SNORT$COMMON:[ETC]SNORT.CONF_BCKUP
  ii)  $ set def snort$common:[000000]
  iii) Download the rules .tar.gz to your local system.
  iv)  Untar the rules using gunzip and tar into snort$common:[000000].
  v)   Upon untarring, the rules are copied into SNORT$COMMON:[ETC], SNORT$COMMON:[RULES],
       SNORT$COMMON:[SO_RULES], SNORT$COMMON:[DOC] etc.
  vi)  Check for the "include $RULE_PATH/..." statements in the new
       SNORT$COMMON:[ETC]snort.conf. In case there are any additional rules to be included,
       add them into SNORT$COMMON:[ETC]SNORT.CONF_BCKUP.
  vii) Copy SNORT.CONF_BCKUP to SNORT.CONF:
         $ copy SNORT$COMMON:[ETC]SNORT.CONF_BCKUP; SNORT$COMMON:[ETC]SNORT.CONF;
  viii) Refer to the section "Building and loading SO rules" to build dynamic rules.
  ix)  Test your configuration using the "-T" runtime option:
         $ snort "-T" -c /etc/snort.conf
       For information on how to modify Snort® runtime options refer to the section
       "Customizing run time options of Snort®".

Note: The Snort® process needs to be restarted for the new rules to be loaded.

2.5.1) Building and loading SO rules:
-------------------------------------
Some SNORT® rules are provided in binary format (files with a ".so" extension). These binary
files can be dynamically loaded by Snort® on a Unix-based system. On OpenVMS, if you need
these rules as well, you need to generate the shareable images (*_SHR.EXE) by compiling the
sources provided for these shareable images.

Prerequisites to build SO_RULES (dynamic rules):
  - HP I64VMS PERL V5.8-6 or later
  - HP I64VMS GNV V2.1-3
  - HP I64VMS C V7.3-18 or later

You can build dynamic rule libraries from the sources present in [.SO_RULES.SRC] by following
these steps:
  i)   To build the SO_RULES sources we require header files present in the Snort® sources.
       Refer to the section "How to get Snort® sources" to copy the source files.
  ii)  Define the SNORT_ROOT logical by executing the following command procedure present in
       the Snort® sources:
         $ @disk:[snort_builds.SNORT-V0208-531.com]snort$build_setup.com
       where "disk" is the device name where the Snort® sources are extracted.
  iii) Set up the PERL environment:
       a) Define the PERL logicals to point to the perl directory. Ex:
            $ define perl_root SYS$SYSDEVICE:[VMS$COMMON.PERL5_8_6.]
            $ define PERLSHR SYS$SYSDEVICE:[SYS0.SYSCOMMON.PERL5_8_6]PERLSHR.EXE
       b) Copy perl.exe to GNU:[BIN]. Ex:
            $ copy SYS$SYSDEVICE:[SYS0.SYSCOMMON.PERL5_8_6]PERL.EXE;1 gnu:[bin]/lo
  iv)  Untar the ruleset referring to the section "Installing and loading registered rules".
       The sources for dynamic rules are located at snort$common:[so_rules.src]. Set the
       default directory as below:
         $ set def snort$common:[so_rules.src]
  v)   For the make utility to run successfully, the following dummy files need to be created
       in SNORT$COMMON:[so_rules.src]:
         $ create multimedia_dummy.c
         #include
         static void dummy_rule_to_compile() { }
       press Ctrl+Z to save the file
         $ copy multimedia_dummy.c sql_dummy.c
         $ copy multimedia_dummy.c web-activex_dummy.c
         $ copy multimedia_dummy.c web-iis_dummy.c
         $ copy multimedia_dummy.c icmp_dummy.c
  vi)  Edit SNORT$COMMON:[so_rules.src]_meta.h to include sf_engine_apis.c. Add the following
       code at the start of the file:
         #ifndef SF_ENGINE_APIS_VMS_
         #define SF_ENGINE_APIS_VMS_
         #include "sf_engine_apis.c"
         #endif /* SF_ENGINE_APIS_VMS_ */
  vii) Copy the VMS-specific files required to build dynamic rules into
       SNORT$COMMON:[SO_RULES.SRC]:
         $ copy SNORT$COMMON:[SO_RULES]sf_engine_apis.c; SNORT$COMMON:[SO_RULES.SRC]sf_engine_apis.c;
         $ copy SNORT$COMMON:[SO_RULES]prebld_sorule.com; SNORT$COMMON:[SO_RULES.SRC]prebld_sorule.com;
         $ copy SNORT$COMMON:[SO_RULES]makefile.; SNORT$COMMON:[SO_RULES.SRC]makefile.;
  viii) Modify [.so_rules.src]netbios_writex.c to comment out the include of the header
       stdint.h. Following is the difference:
         OPNBAR$ diff netbios_writex.c;2
         ************
         File SNORT$COMMON:[000000.so_rules.src]netbios_writex.c;2
            32   /* #include <stdint.h> */
            33   #include
         ******
         File SNORT$COMMON:[000000.so_rules.src]netbios_writex.c;1
            32   #include <stdint.h>
            33   #include
         ************
         Number of difference sections found: 1
         Number of difference records found: 1
         DIFFERENCES /MERGED=1-
             SNORT$COMMON:[000000.so_rules.src]netbios_writex.c;2-
             SNORT$COMMON:[000000.so_rules.src]netbios_writex.c;1
  ix)  Run the pre-build command procedure:
         $ @SNORT$COMMON:[SO_RULES.SRC]prebld_sorule.com
       This procedure compiles all the *_*.c source files.
  x)   Set up GNV:
         $ @SYS$STARTUP:GNV$STARTUP.COM
         $ @GNU:[LIB]GNV_SETUP.COM
  xi)  Redefine the SYS$POSIX_ROOT logical:
         $ @SNORT$COMMON:[COM]SNORT$CMDLINE.COM
  xii) Run make to build the *_shr.exe dynamic rule libraries and also create the .RULES files:
         $ set def SNORT$COMMON:[SO_RULES.SRC]
         $ bash
         bash$ export GNV_DISABLE_DCL_FALLBACK=1
         bash$ make
         bash$
  xiii) Copy the dynamic rules into snort$common:[lib.snort_dynamicrules]:
         $ copy snort$common:[000000.so_rules.src]*shr.exe; snort$common:[LIB.snort_dynamicrules]/lo

Note:
  1) These rules WILL NOT WORK if the option "--enable-ipv6" has been used in the configure
     arguments for your Snort® installation. Refer to the README provided in the ruleset for
     more information; it is extracted to SNORT$COMMON:[SO_RULES.SRC]README.; when the ruleset
     tar file is extracted. By default the shipped SNORT.EXE is built with "--enable-ipv6".
     You need to rebuild Snort® without the "--enable-ipv6" configure argument for these
     SO_RULES to work. Refer to the section "Building Snort® V2.8-531A on HP OpenVMS" to build
     Snort®.
  2) Changes may be required for building subsequent versions of rulesets.
2.6) Viewing SNORT® alert or log files
-------------------------------------
Log/alert files are created by default at SNORT$SPECIFIC:[000000.VAR.LOG.SNORT].
Naming conventions of the files are as follows:
  Alert file --> alert.;1
  Log file   --> SNORT.LOG.XXXXXXXXXX;1
where XXXXXXXXXX is the Unix-style time stamp.

Note: To access the file SNORT.LOG.XXXXXXXXXX set the following process attribute:
  $ set process/parser=extended

You can override the default logging directory by using the -l runtime option.

2.7) Logging alerts and messages into Syslog:
---------------------------------------------
This port of SNORT® for OpenVMS includes a wrapper over SYSLOG to allow logging of all SNORT®
messages into a local file. Other features of syslog are not supported.
SNORT® logs alerts and messages of all severities (error, informational, fatal and critical)
to a single file:
  snort$specific:[var.log.snort]syslog.log
Remote logging and other syslog features are not supported.

2.8) Customizing run time options of Snort®:
-------------------------------------------
The default option after installation is to run Snort® in sniffer mode. To run Snort® in a
different mode, edit SNORT$COMMON:[COM]RUN_SNORT.COM to add/modify the Snort® runtime
arguments. Ex:
  a) If you wish to read from a tcpdump log file, say snort.log.1234567, use
       $ snort -dv -r /snort$specific/var/log/snort/snort.log.1234567
  b) If you wish to test your configuration, use:
       $ snort "-T" -c /etc/snort.conf
Refer to SNORT$COMMON:[COM]RUN_SNORT.COM for more examples.
Refer to "Use of Double quotes for uppercase arguments" for passing upper case arguments.
For information on configuring snort.conf refer to the Snort® user manual.

Note: Ensure that only ONE Snort® command is active and the rest are commented out.
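The path examples above, and the troubleshooting items further down about VMS-style paths, all depend on one mapping between OpenVMS file specifications and the Unix-style paths Snort expects on this port. The following Python helper is an added example and not part of the kit: vms_to_posix() converts a VMS file specification into that form, and snort_log_time() decodes the Unix time stamp in a SNORT.LOG.XXXXXXXXXX;1 log name; the handling of [-] and of a [DIR] with no device (taken relative to SYS$POSIX_ROOT) is assumed from standard OpenVMS conventions rather than stated in this readme.

```python
"""Added example: path helpers for Snort on OpenVMS (not part of the kit).

Snort on OpenVMS takes Unix-style paths on its command line and in snort.conf
(/snort$specific/var/log/snort/...), while DCL users work with OpenVMS file
specifications (SNORT$SPECIFIC:[000000.VAR.LOG.SNORT]...). Handing snort a
VMS-style path such as -l [.log] fails with "Failed to open log file".
"""
import re
from datetime import datetime, timezone
from typing import Optional

# device-or-concealed-logical : [ directory ] filename ; version
_VMS_SPEC = re.compile(
    r"^(?:(?P<dev>[A-Za-z0-9$_]+):)?"   # SNORT$SPECIFIC:  DKA100:  (optional)
    r"(?:\[(?P<dir>[^\]]*)\])?"         # [000000.VAR.LOG.SNORT]  [.log]  (optional)
    r"(?P<file>[^;]*)"                  # snort.conf  (may be empty)
    r"(?:;(?P<ver>\d*))?$"              # ;1  (optional, always dropped)
)


def vms_to_posix(spec: str) -> str:
    """Convert an OpenVMS file specification to the POSIX form Snort on OpenVMS accepts.

    Mapping (the first two rules are the ones this readme's own examples show; the
    rest are assumed from standard OpenVMS conventions):
      - a device or concealed logical becomes the first path component, lower-cased:
        SNORT$COMMON:[ETC]SNORT.CONF  ->  /snort$common/etc/snort.conf
      - [000000] is the directory root and adds nothing;
      - [.x] and [-] are relative to the current directory ([-] is the parent);
      - the ;version is dropped;
      - a [DIR] with no device is taken relative to the POSIX root SYS$POSIX_ROOT,
        which is how /etc/snort.conf is resolved on this port.
    """
    spec = spec.strip()
    m = _VMS_SPEC.match(spec)
    if not spec or not m:
        raise ValueError(f"not an OpenVMS file specification: {spec!r}")
    dev, dirpart, fname = m.group("dev"), m.group("dir"), m.group("file")

    parts = []
    relative = False
    if dirpart is not None:
        if dirpart.startswith("."):          # [.log] : relative, drop the leading dot
            relative = True
            dirpart = dirpart[1:]
        elif dirpart.startswith("-"):        # [-.etc] : relative to the parent
            relative = True
        for d in dirpart.split("."):
            if d == "" or d.upper() == "000000":
                continue
            parts.append(".." if d == "-" else d.lower())
    if fname:
        parts.append(fname.lower())

    if relative:
        return "./" + "/".join(parts) if parts else "."
    if dev:
        return "/" + "/".join([dev.lower()] + parts)
    if dirpart is None:
        return fname.lower()                 # bare file name: current directory
    return "/" + "/".join(parts)             # [DIR]file: under SYS$POSIX_ROOT


# snort.log.<unix time>, optionally with the ;version a DCL directory listing shows
_SNORT_LOG = re.compile(r"^snort\.log\.(\d+)(?:;\d*)?$", re.IGNORECASE)


def snort_log_time(name: str) -> Optional[datetime]:
    """Decode the capture start time in a Snort pcap log name, or return None.

    Accepts both snort.log.1271149180 and the listing form SNORT.LOG.1271149180;1
    (readable on OpenVMS only after $ set process/parser=extended).
    """
    m = _SNORT_LOG.match(name.strip())
    if not m:
        return None
    return datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)


if __name__ == "__main__":
    # Constructed sample values, taken from the forms used in this readme.
    for spec in ("SNORT$SPECIFIC:[000000.VAR.LOG.SNORT]snort.log.1234567;1",
                 "SNORT$COMMON:[ETC]SNORT.CONF", "[.log]", "[ETC]snort.conf"):
        print(f"{spec:60} -> {vms_to_posix(spec)}")
    print("SNORT.LOG.1271149180;1 ->", snort_log_time("SNORT.LOG.1271149180;1"))
```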
2.9) Use of Double quotes for uppercase arguments
-------------------------------------------------
DCL converts unquoted command-line text to upper case, so to retain the case of arguments
passed to Snort® you need to enclose them in double quotes, as shown in the following example.
  Ex: snort "-V"  or  snort -"V"
For a complete list of arguments that need double quotes refer to the Snort® online help
(snort --help).

2.10) Configure MySQL database logging:
---------------------------------------
i)   Install JFP I64VMS MySQL.
     MySQL for OpenVMS can be downloaded from http://www.vmsmysql.org/
     ZLIB is available at http://www.pi-net.dyndns.org/anonymous/kits/ia64/
     Note: If your version of MySQL is not built with the latest SSL release V1.4-335, you
     will be unable to start MySQL. In that case you may use the older version MySQL V4.1-14,
     which is built using static SSL libraries.
ii)  Follow the instructions provided in the MySQL readme to configure and run MySQL on your
     system.
iii) Create the SNORT® database:
       $ mysql mysql -u root -p
       Enter password:
       Welcome to the MySQL monitor.  Commands end with ; or \g.
       Your MySQL connection id is 20 to server version: 4.1.14-log

       Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

       mysql> CREATE DATABASE snort;
       Query OK, 1 row affected (0.17 sec)
iv)  Add localhost and remote entries for SNORTUSR in the USER table.
     The following MySQL statements grant the necessary privileges to SNORTUSR:
       mysql> grant create, insert, select, delete, update on snort.* to snortusr@localhost;
       mysql> grant create, insert, select, delete, update on snort.* to snortusr@'%';
v)   Confirm that the snortusr entries have been inserted into the table:
       mysql> select user, host from user where User='snortusr';
       +----------+-----------+
       | user     | host      |
       +----------+-----------+
       | snortusr | %         |
       | snortusr | localhost |
       +----------+-----------+
       2 rows in set (0.00 sec)
vi)  Update the password for SNORTUSR:
       mysql> update user set Password=PASSWORD('mypassword') where User='snortusr';
       mysql> flush privileges;
vii) Select the SNORT® database:
       mysql> use snort
       Database changed
viii) Execute the MySQL script snort$common:[schemas]CREATE_MYSQL.; to create all the Snort®
     tables:
       mysql> source snort$common:[schemas]CREATE_MYSQL
       mysql> exit
ix)  Verify that your password and/or host changes took effect by logging into the database
     using the following command:
       $ mysql -"D" snort -u snortusr -p
       Enter password:
       Welcome to the MySQL monitor.  Commands end with ; or \g.
       Your MySQL connection id is 21 to server version: 4.1.14-log

       Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

       mysql>

Configure one of the following options in SNORT.CONF to activate logging into MySQL:
  a) For logging to the local host, use
       output database: log, mysql, user=snortusr password= dbname=snort host=localhost
  b) For logging to a remote host, use
       output database: log, mysql, user=snortusr password= dbname=snort host=

You may want to limit access to snort.conf to only specific users, since it now contains the
database password. Ensure that the "SNORT$USER" account has RE access to snort.conf.
2.11) Running multiple instances of Snort®:
------------------------------------------
i)   Run the startup procedure:
       $ @SNORT$COMMON:[COM]SNORT$STARTUP.COM
     This creates the 1st Snort® process, SNORT_1.
ii)  Edit SNORT$COMMON:[COM]RUN_SNORT.COM to add/modify the Snort® runtime arguments with
     which you wish to run another instance of Snort®. Ex:
       a) If you wish to read from a tcpdump log file, say snort.log.1234567, use
            $ snort -dv -r /snort$specific/var/log/snort/snort.log.1234567
       b) If you wish to sniff another interface, modify
            $ snort -v -i
          At this point of time, due to a limitation in the OpenVMS port of libpcap, changing
          the interface DOES NOT work. By default Snort® listens on all the configured
          interfaces of the system. Refer to the section "Limitations/Features not supported"
          for more details.
     For more examples of Snort® runtime arguments refer to the section "Customizing run time
     options of Snort®".
     Note: Ensure that only one Snort® command is active and the rest are commented out.
iii) Run the startup procedure again:
       $ @SNORT$COMMON:[COM]SNORT$STARTUP.COM
     This creates a 2nd Snort® process, SNORT_2.

Repeat steps ii) and iii) to run more instances of Snort®.
Refer to the section "Stopping Snort® non-interactive" on how to stop a particular Snort®
process.
2.12) Loading dynamic libraries:
--------------------------------
Dynamic libraries are installed in SNORT$COMMON:[LIB] and named *_shr.exe.
To load a dynamic library use the following in the SNORT.CONF file:
  dynamicengine /lib/snort_dynamicengine/libsf_engine_shr.exe
  dynamicpreprocessor file
    Ex: dynamicpreprocessor file /lib/snort_dynamicpreprocessor/libsf_dce2_preproc_shr.exe
You can also load all the libraries in a directory using the following:
  dynamicdetection directory
    Ex: dynamicdetection directory /so_rules/src

Alternatively, the following runtime options can be used to load dynamic libraries:
  --dynamic-engine-lib
  --dynamic-engine-lib-dir
  --dynamic-detection-lib
  --dynamic-detection-lib-dir
  --dynamic-preprocessor-lib
  --dynamic-preprocessor-lib-dir

2.13) Rules vs Memory
---------------------
The memory used by the Snort® process is directly correlated to the number of rules loaded.
We have performed tests with different numbers of rules and the results are as follows:
  a) With 242 rules loaded, the total memory used by the Snort® process is 8448 pages
  b) With 2912 rules loaded, the total memory used by the Snort® process is 15017 pages
  c) With 5744 rules loaded, the total memory used by the Snort® process is 37697 pages
To allow scalability for newer rules provided by www.snort.org in the future, the PAGE_FILE
quota for the Snort® process is set to a sufficiently high value of 1500000 by default.
However, you can allocate more memory to your Snort® process by modifying the /PAGE_FILE
field in the following command in SNORT$COMMON:[000000.COM]SNORT$STARTUP.COM:
  $ run/detach sys$system:loginout.exe/uic=[snort$user] /process_name="''procname'" -
      /output=snort$specific:[000000.var.log.snort]snort_run.log -
      /err=snort$specific:[000000.var.log.snort]snort_run_err.log -
      /PAGE_FILE=1500000 -
      /input=snort$common:[com]run_snort.com

2.14) Limitations/Features not supported:
-----------------------------------------
i)   Listening on a particular interface (-i)
     Due to a limitation in the OpenVMS port of libpcap, providing a specific interface to
     listen on DOES NOT work. Hence the -i option to listen on a particular interface is not
     supported. By default Snort® listens on all the configured interfaces on the system.
ii)  Daemon ("-D")
     The "-D" option of running Snort® as a daemon is not supported. However, refer to the
     section "Running Snort® non-interactive (as a daemon)" to know more about running Snort®
     in daemon mode.
iii) Inline Snort®
     Inline obtains packets from iptables instead of libpcap and then uses new rule types to
     help iptables pass or drop packets based on Snort® rules. As there is no support for
     iptables on OpenVMS, inline mode is disabled on OpenVMS SNORT®. The following related
     options are ignored:
       -Q
       --disable-inline-initialization
     React and flexresponse features are also not supported for the same reason.
iv)  MPLS
     MPLS (Multiprotocol Label Switching) support is disabled as OpenVMS TCPIP does not
     support MPLS. Options ignored are:
       --enable-mpls-multicast
       --enable-mpls-overlapping-ip
       --max-mpls-labelchain-len
v)   UIC/GID of the Snort® process (-g, -u)
     Snort® by default runs under the user SNORT$USER.
     You can, however, run Snort® as a different user by modifying
     SNORT$COMMON:[COM]SNORT$STARTUP.COM. To run Snort® as a different user, modify
     /uic=[snort$user] in the following command in the startup procedure:
       $ run/detach sys$system:loginout.exe/uic=[snort$user] /process_name="''procname'" -
           /output=snort$specific:[000000.var.log.snort]snort_run.log -
           /err=snort$specific:[000000.var.log.snort]snort_run_err.log -
           /PAGE_FILE=1500000 -
           /input=snort$common:[com]run_snort.com
vi)  ODBC, PostgreSQL, Pgsql, Oracle database logging
     Snort® V2.8-531A is built with only enable-MySQL and provides logging into a MySQL
     database. Snort® is not built to enable ODBC, PostgreSQL, Pgsql or Oracle logging.
vii) Aruba output plug-in
     Snort® V2.8-531A is not built to support the Aruba output plug-in.
viii) Prelude
     Prelude is not ported to OpenVMS. Prelude logging is not enabled in Snort® V2.8-531A.

The following runtime options of Snort® are unsupported and not recommended to be used:
  -L --> Logging into a different tcpdump file is not supported on OpenVMS. By default log
         files are named SNORT.LOG.XXXXXXXXXX;1
  -m --> By default OpenVMS creates log files with the following protection:
         System:RWED, Owner:RWED, Group:RE, World: (no access)
  -t --> By default the root is defined by the process-wide logical SYS$POSIX_ROOT.
         $ sh log SYS$POSIX_ROOT
            (LNM$PROCESS_TABLE)
              "SYS$POSIX_ROOT" = "Disk:[SYS0.SNORT.]"
                 = "Disk:[SYS0.SYSCOMMON.SNORT.]"
         where "Disk" is the disk name.

2.15) Troubleshooting Snort®
----------------------------
1) When I run Snort® I get the following error:
   i)  LIBZ_SHR32 error
         %DCL-W-ACTIMAGE, error activating image LIBZ_SHR32
         -CLI-E-IMAGEFNF, image file not found OPNBAR$DKA0:[SYS0.SYSCOMMON.][SYSLIB]LIBZ_SHR32.EXE;
       Cause   : The logical for the LIBZ_SHR32 shareable image is not defined.
       Solution: Run the following to define the system-wide logical for LIBZ_SHR32:
                   $ @sys$common:[libz]startup.com
   ii) PCRE_SHR error
         %DCL-W-ACTIMAGE, error activating image PCRE_SHR
         -CLI-E-IMAGEFNF, image file not found OPNBAR$DKA0:[SYS0.SYSCOMMON.][SYSLIB]PCRE_SHR.EXE;
       Cause   : The logical for PCRE_SHR.EXE is not defined.
       Solution: Ensure that the logical PCRE_SHR pointing to the shareable image is set. Ex:
                   $ define pcre_shr SNORT$COMMON:[LIB]PCRE_SHR.EXE
2) Snort® exits with the following error:
     ***
     *** interface device lookup found: IE0
     ***
     Initializing Network Interface IE0
     %SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
   Cause   : Opening the connection to the network interface needs the CMKRNL privilege, and
             the currently logged-in user does not have sufficient privileges.
   Solution: Log in as the "SYSTEM" user or any privileged account having
             (IMPERSONATE,SYSNAM,SYSPRV,SETPRV,CMKRNL) privileges and run SNORT®.
3) Snort® exits with the following error:
     ERROR: Stat check on log dir failed: no such file or directory.
     Fatal Error, Quitting..
   Solution: Make sure the log dir specified on the command line after -l exists.
             Ex: snort -v -l ./log
             looks for [.log] in the current directory.
4) Snort® exits with the following error:
     ERROR: log_tcpdump: Failed to open log file "[.log]/snort.log.1271149180": no such file or directory
     Fatal Error, Quitting..
Cause of error : Running snortŪ using VMS style dir paths Ex : snort -v -l [.log] Solution : Always use Unix style Dir paths as arguments while running SnortŪ. 5) SnortŪ exits with the following error while loading dynamic libraries Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... ERROR: Failed to find LibVersion() function in /usr/local/lib/snort_dynamicengine/libsf_engine.so: %LIB-E-KEYNOTFOU, key not found in tree Fatal Error, Quitting.. Cause of error : The dynamic library is built with warnings/errors Solution : Rebuilt the dynamic library resolving all warnings/errors 6) SnortŪ exits with the following error while loading rules i) ERROR: (../rules/web-misc.rules)97 => Cannot use 'rawbytes' and 'http_uri' as modifiers for the same "content" nor use 'rawbytes' with "uricontent". Fatal Error, Quitting.. ii) ERROR: ../rules/web-misc.rules Line 452 => unable to parse pcre regex "fn=Eye\d{4}_\d{2}.log/Rmsi" Fatal Error, Quitting.. Solution : Comment out the above 2 rules in Snort$specific:[rules]web-misc.rules and run SnortŪ again. --------------------------------------------------------- 3.0) Building SnortŪ V2.8-531A on HP OpenVMS --------------------------------------------------------- 3.1) How to get SnortŪ sources: ------------------------------ Download the source kit from the following location: http://h71000.www7.hp.com/openvms/products/snort/index.html i) Expand the self-extracting kit to create the .BCK $ RUN SNORT-V0208-531A_SRC.ZIPEXE ii) Extract the .bck $BACKUP SNORT-V0208-531A.BCK/SAV disk:[*...] Where disk is the disk device where you want to unpack the sources. This process creates a directory called [SNORT_BUILDS] and then unpacks the build tree into that directory. The final directory structure is similar to the following: disk:[SNORT_BUILDS.SNORT-V0208-531...] 
3.2) Prerequisites to build Snort® V2.8-531A on HP OpenVMS
-------------------------------------------------------

Operating System/Architecture:
- HP IA64VMS OPENVMS V8.3-1H1 onwards

Disk:
- ODS-5 disk

Build tools:
- HP I64VMS GNV V2.1-3
- HP I64VMS C V7.3-18 or later
- HP I64VMS CXX S7.3-35

Other Products:
- HP I64VMS SSL V1.4-335 or later (If MySQL logging is required)
- HP I64VMS TCPIP V5.6-9ECO5 or later
- JFP I64VMS MYSQL V4.1-14 or later version of MYSQL051 built with SSL V1.4-335 (If MySQL logging is required)
- JFP I64VMS ZLIB V1.2-3 or later (If MySQL logging is required)
- GNU Flex v2.5.4
- GNU Bison v1.35
- HP I64VMS PERL V5.8-6 or later - required only to build dynamic rules (so_rules)

For improved performance install the latest TCPIP, Update and CRTL kits.

3.3) Setting up the Snort® on OpenVMS build environment
------------------------------------------------------

Execute the following to set up the build environment:

i) Download Flex v2.5.4 and Bison v1.35 from the OpenVMS freeware.

ii) Copy flex.exe to [.VMS_SPECIFIC]
    $ copy flex.exe diskname:[snort_builds.SNORT-V0208-531.vms_specific]flex.exe
    where diskname is the device name

iii) Copy bison.; and bison.simple to [.VMS_SPECIFIC]
    $ copy bison.;, bison.simple diskname:[snort_builds.SNORT-V0208-531.vms_specific]
    where diskname is the device name

iv) Run the following command procedure to set up the Snort® build environment.
    $ @diskname:[snort_builds.SNORT-V0208-531.com]snort$build_setup.com
    where diskname is the device name

v) Set up GNV by running the following
    $ @SYS$STARTUP:GNV$STARTUP.COM
    $ @GNU:[LIB]GNV_SETUP.COM

vi) To build Snort® using the "--with-mysql" configure option, define the
    MYSQL051_ROOT logical. Run [.vms]logicals.com in the MySQL installation
    directory to define it.
    Ex: $ @sys$sysdevice:[SYS0.SYSCOMMON.MYSQL051.vms]logicals.com "/SYSTEM/EXEC"

3.4) Start building Snort® V2.8-531A on OpenVMS
--------------------------------------------

i) $ set def snort_root:[000000]

ii) Run bash
    $ bash

iii) Disable DCL fallback by entering the following
    bash$ export GNV_DISABLE_DCL_FALLBACK=1

iv) Run configure with the options of your choice, as shown below:
    bash$ ./configure CPPFLAGS=-I/SNORT_ROOT/VMS_SPECIFIC

    Ex:
    bash$ ./configure CPPFLAGS=-I/SNORT_ROOT/VMS_SPECIFIC \
          --enable-dependency-tracking --enable-shared --enable-static \
          --enable-fast-install --disable-libtool-lock --enable-dynamicplugin \
          --enable-ipv6 --enable-targetbased --enable-decoder-preprocessor-rules \
          --enable-ppm --enable-timestats --enable-perfprofiling --enable-pthread \
          --enable-ppm-test --enable-reload --enable-reload-error-restart \
          --with-mysql --with-mysql-includes=/MYSQL051_ROOT/000000/include \
          --with-mysql-libraries=/MYSQL051_ROOT/000000/vms

    bash$ ./configure --help
    lists all the configure options.

    Note: Please refer to the section "Unsupported Snort® options on HP
    OpenVMS" for the list of options not supported on OpenVMS.

    Configure creates the makefiles on successful completion.

v) Run make to start building Snort®
    bash$ cd /snort_root/000000/src
    bash$ make

    Note: GNV make on OpenVMS is known to have problems running recursively
    beyond a depth of about 5 nested invocations. As a result you may
    encounter errors in some directories while building Snort®. The following
    workarounds can be used.
1) make exits with the following error while making /snort_root/src/dynamic-plugins/sf_engine

make all-recursive
make[5]: Entering directory `/snort_root/src/dynamic-plugins/sf_engine'
/tmp/make003200: /gnu/bin/sed: normal successful completion (null)
Making in examples
/tmp/make003200: /gnu/bin/make: normal successful completion (null)
make[5]: *** [all-recursive] Error 1
make[5]: Leaving directory `/snort_root/src/dynamic-plugins/sf_engine'
make[4]: *** [all] Error 2
make[4]: Leaving directory `/snort_root/src/dynamic-plugins/sf_engine'
make[3]: *** [all-recursive] Error 1

Workaround to be used:
bash$ cd /snort_root/src/dynamic-plugins
bash$ make
bash$ cd /snort_root/src
bash$ make

2) make exits with the following error while making /snort_root/src/dynamic-preprocessors/ftptelnet

make[4]: Entering directory `/snort_root/src/dynamic-preprocessors/ftptelnet'
make[5]: Entering directory `/snort_root/src/dynamic-preprocessors/ftptelnet'
sh ../../../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I. -I../../.. -I../include -I./includes -ISNORT_ROOT/VMS_SPECIFIC -DDYNAMIC_PLUGIN -DSUP_IP6 -DTARGET_BASED -DPREPROCESSOR_AND_DECODER_RULE_EVENTS -DPPM_MGR -DTIMESTATS -DPERF_PROFILING -DDEBUG -DPROFILE -DPPM_TEST -DSNORT_RELOAD -I/MYSQL051_ROOT/000000/include -DENABLE_MYSQL -g -names_as_is_short -auto_symvec -O0 -c -o ftp_bounce_lookup.lo ftp_bounce_lookup.c
../../../libtool: /gnu/bin/sed: normal successful completion (null)
../../../libtool: /gnu/bin/tr: normal successful completion (null)
..
..
../../../libtool: /gnu/bin/sed: normal successful completion (null)
: compile: cannot determine name of library object from `'
make[5]: *** [ftp_bounce_lookup.lo] Error 1
make[5]: Leaving directory `/snort_root/src/dynamic-preprocessors/ftptelnet'
make[4]: *** [all-recursive] Error 1
make[4]: Leaving directory `/snort_root/src/dynamic-preprocessors/ftptelnet'
make[3]: *** [all] Error 2
make[3]: Leaving directory `/snort_root/src/dynamic-preprocessors/ftptelnet'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/snort_root/src/dynamic-preprocessors'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/snort_root/src/dynamic-preprocessors'
make: *** [all-recursive] Error 1

Workaround to be used:
bash$ cd /snort_root/src/dynamic-preprocessors
bash$ make
bash$ cd /snort_root/src
bash$ make

Make should then run successfully and create the Snort® executable (snort.;)

Snort® is known to build with the following warnings, which have no impact on
running the application. These warnings may be ignored:

- cc: Warning: library "socket" not found
- cc: Warning: library "nsl" not found
- cc: Warning: library "m" not found
- cc: Warning: library "dl" not found

%ILINK-W-COMPWARN, compilation warnings
        module: snort
        file: SNORT_ROOT:[src]snort.o;1
%ILINK-W-COMPWARN, compilation warnings
        module: snprintf
        file: SNORT_ROOT:[src]snprintf.o;1
%ILINK-W-COMPWARN, compilation warnings
        module: snort_httpinspect
        file: SNORT_ROOT:[src.preprocessors]libspp.olb;1
%ILINK-W-COMPWARN, compilation warnings
        module: sftarget_reader
        file: SNORT_ROOT:[src.target-based]libtarget_based.olb;1

3.5) Building Syslog for Snort®:
-------------------------------

The Syslog facility is not available on OpenVMS. This port of Snort® for
OpenVMS includes a wrapper over Syslog that allows all Snort® messages to be
logged into a local file. Other features of Syslog are not supported.

The source kit for Snort® on OpenVMS provides the syslog.olb library. The
library is linked directly with the Snort® executable.
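To show what such a wrapper has to do, here is an added example (not the kit's
own syslog.c) of a minimal syslog-style logger that appends each message to a
local file; the vms_* names, the line format and the priority numbering are
assumptions of this example, and the real wrapper exposes the standard
openlog()/syslog()/closelog() entry points.

```c
/* Added example, not the kit's own syslog.c: a minimal syslog-style wrapper
 * that appends every message to a local file, illustrating what the OpenVMS
 * syslog.olb wrapper provides. The vms_* names are hypothetical; the real
 * wrapper exposes the standard openlog()/syslog()/closelog() entry points. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
/* Priority levels, numbered as in the BSD syslog API (LOG_EMERG..LOG_DEBUG). */
enum { VMS_LOG_EMERG, VMS_LOG_ALERT, VMS_LOG_CRIT, VMS_LOG_ERR,
       VMS_LOG_WARNING, VMS_LOG_NOTICE, VMS_LOG_INFO, VMS_LOG_DEBUG };
static const char *const level_names[] = { "EMERG", "ALERT", "CRIT", "ERR",
                                           "WARNING", "NOTICE", "INFO", "DEBUG" };
static FILE *log_fp = NULL;            /* the local log file, or NULL if closed */
static char  log_ident[64] = "snort";  /* tag prepended to every line */

/* Open the local log file for appending; returns 0 on success, -1 on failure. */
int vms_openlog(const char *ident, const char *path)
{
    if (ident != NULL) {
        strncpy(log_ident, ident, sizeof log_ident - 1);
        log_ident[sizeof log_ident - 1] = '\0';
    }
    log_fp = fopen(path, "a");
    return log_fp != NULL ? 0 : -1;
}

/* Build one log line: "<UTC timestamp> <ident>[LEVEL]: <message>".
 * Returns the length of the line, or -1 if the priority is out of range. */
int vms_format_line(char *buf, size_t len, int priority, const char *ident,
                    const char *msg, time_t now)
{
    char stamp[32];
    if (priority < VMS_LOG_EMERG || priority > VMS_LOG_DEBUG)
        return -1;                      /* refuse to index past level_names */
    strftime(stamp, sizeof stamp, "%Y-%m-%dT%H:%M:%SZ", gmtime(&now));
    return snprintf(buf, len, "%s %s[%s]: %s", stamp, ident,
                    level_names[priority], msg);
}

/* syslog()-style entry point: printf formatting, then append to the file.
 * Returns the line length, or -1 if no file is open or the priority is bad. */
int vms_syslog(int priority, const char *fmt, ...)
{
    char msg[1024], line[1200];
    va_list ap;
    int n;
    va_start(ap, fmt);
    vsnprintf(msg, sizeof msg, fmt, ap);
    va_end(ap);
    n = vms_format_line(line, sizeof line, priority, log_ident, msg, time(NULL));
    if (n < 0 || log_fp == NULL)
        return -1;
    fprintf(log_fp, "%s\n", line);
    fflush(log_fp);                     /* keep the line even if snort aborts */
    return n;
}

/* closelog() equivalent: flush and release the local file. */
void vms_closelog(void) { if (log_fp != NULL) { fclose(log_fp); log_fp = NULL; } }
```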
The sources for Syslog on OpenVMS are not rebuilt while building Snort®. To
build Syslog yourself, execute the following commands under GNV:

bash$ cd /snort_root/vms_specific
bash$ gcc -g -source_listing -names_as_is_short -auto_symvec -O0 -c syslog.c -ISNORT_ROOT/VMS_SPECIFIC
bash$ ar cru syslog.olb syslog.o

3.6) Warnings to be ignored during build
----------------------------------------

1) While running configure.; you will come across the following errors on
libpcre and libpcap. These errors can be ignored: for OpenVMS the libpcre and
libpcap libraries are set at a later point of execution.

checking for pcre_compile in -lpcre... no
ERROR! Libpcre library not found. Get it from http://www.pcre.org
no
ERROR! Libpcre library version >= 6.0 not found. Get it from http://www.pcre.org
.
.
.
checking for pcre_compile in -lpcre... no
ERROR! Libpcre library not found. Get it from http://www.pcre.org
no
ERROR! Libpcre library version >= 6.0 not found. Get it from http://www.pcre.org

2) The following warnings are displayed while building .la libraries and may
be ignored.

*** Warning: Linking the shared library libsf_smtp_preproc.la against the
*** static library /SNORT_ROOT/vms_specific/pcrelib.olb is not portable!
*** Warning: Linking the shared library libsf_smtp_preproc.la against the
*** static library /SNORT_ROOT/vms_specific/syslog.olb is not portable!
*** Warning: Linking the shared library libsf_smtp_preproc.la against the
*** static library /MYSQL051_ROOT/vms/lib/mysqlclient_upper.olb is not portable!

3.7) Unsupported Snort® options on HP OpenVMS:
---------------------------------------------

i) MPLS and GRE

Multiprotocol Label Switching (MPLS) and Generic Routing Encapsulation (GRE)
are not supported on OpenVMS TCPIP. Snort® will not build with the following
options:
--enable-gre
--enable-mpls

ii) Inline Snort®

Inline Snort® obtains packets from iptables instead of libpcap and then uses
new rule types to help iptables pass or drop packets based on Snort® rules.
As there is no support for iptables on VMS, the following options are not
supported on OpenVMS Snort® V2.8-531A. Snort® may not build with the following
options:
--enable-inline
--enable-ipfw
--enable-flexresp
--enable-flexresp2
--with-libipq-includes=DIR
--with-libipq-libraries=DIR
--enable-react

iii) Aruba and Prelude

We have not tested with the Aruba and Prelude output plugins. The following
are unsupported:
--enable-aruba
--enable-prelude
--with-libprelude-prefix=PFX

iv) External libraries

The following libraries are not ported to OpenVMS. Using the following options
to build Snort® may result in errors:
--with-libpfring-includes=DIR
--with-libpfring-libraries=DIR
--with-libnet-includes=DIR
--with-libnet-libraries=DIR
--with-dnet-includes=DIR
--with-dnet-libraries=DIR

v) Databases

Snort® on OpenVMS has not been configured to compile with the following
databases:
--with-odbc=DIR
--with-postgresql=DIR
--with-pgsql-includes=DIR
--with-oracle=DIR

vi) In addition, the following options are not tested/supported:
--enable-64bit-gcc
--enable-linux-smp-stats
--disable-corefiles
--with-tags[=TAGS]

3.8) Trouble shooting build
---------------------------

For information on troubleshooting while running Snort®, refer to the section
"Trouble shooting Snort®".
i) While running configure I get the following errors

%DCL-W-ACTIMAGE, error activating image SYS$COMMON:[SYSEXE]DCL.EXE
-CLI-E-IMGNAME, image file SUMMER$DKA0:[SYS0.SYSCOMMON.][SYSEXE]DCL.EXE
-SYSTEM-F-ACCVIO, access violation, reason mask=2C, virtual address=000000007FFD1160, PC=000000000000001A, PS=7FF93EA5

Cause    : The GNV_DISABLE_DCL_FALLBACK environment variable is not defined.
Solution : Define the variable as below in bash
           bash$ export GNV_DISABLE_DCL_FALLBACK=1

ii) The Snort® executable builds with errors showing undefined symbols in
mysqlclient_upper.olb, as shown below:

%ILINK-E-NUDFSYMS, 2 undefined symbols:
%ILINK-I-UDFSYM,        MY_TIME
%ILINK-I-UDFSYM,        THD_LIB_DETECTED
%ILINK-W-USEUNDEF, undefined symbol MY_TIME referenced
        section: $CODE$
        offset: %X0000000000000270 slot: 2
        module: CLIENT
        file: MYSQL051_ROOT:[vms.lib]mysqlclient_upper.olb;1
%ILINK-W-USEUNDEF, undefined symbol MY_TIME referenced
        section: $CODE$
        offset: %X00000000000002F0 slot: 2
        module: CLIENT
        file: MYSQL051_ROOT:[vms.lib]mysqlclient_upper.olb;1
%ILINK-W-USEUNDEF, undefined symbol THD_LIB_DETECTED referenced
        section: $CODE$
        offset: %X0000000000000000 slot: 1
        module: MY_THR_INIT
        file: MYSQL051_ROOT:[vms.lib]mysqlclient_upper.olb;1
make[1]: *** [snort] Error 2
make[1]: Leaving directory `/snort_root/src'
make: *** [all-recursive] Error 1

Cause    : The client libraries shipped with your version of MySQL for OpenVMS
           are known to result in undefined symbols for MY_TIME and
           THD_LIB_DETECTED at link time.
Solution : Download the client libraries from the following link
           http://www.pi-net.dyndns.org/anonymous/kits/ia64/mysqlclient05122_upd1.zip
           and perform the following to save the libraries in MYSQL051_ROOT:[VMS.LIB]
           $ copy mysqlclient05122_upd1.zip MYSQL051_ROOT:[VMS.LIB]
           $ set def MYSQL051_ROOT:[VMS.LIB]
           $ unzip mysqlclient05122_upd1.zip

3.9) Source listings and Map files
----------------------------------

Source listings are generated by default. Map files have the following
nomenclature: *_symvec.MAP
Ex: libsf_engine_shr_symvec.MAP

3.10) How to test your Snort® build
----------------------------------

i) $ @snort_root:[000000.com]snort$post_build.com

ii) Run Snort®
    Ex: $ snort "-V"

3.11) How to create a PCSI kit for Snort® on HP OpenVMS:
-----------------------------------------------------

Once you have tested your latest build, follow the steps below to generate a
PCSI kit of Snort®.

i) $ set def SNORT_ROOT:[000000.kit]

ii) Copy all the kit files into a directory. Run snort$copy_kitfiles.com to
    copy the files
    $ @snort$copy_kitfiles.com

iii) Run snort$build_kit.com to generate the PCSI kit.
    $ @snort_root:[000000.kit]snort$build_kit.com
    This generates the HP-I64VMS-SNORT-V0208-531A-1.PCSI and
    HP-I64VMS-SNORT-V0208-531A-1.PCSI$COMPRESSED kits.

iv) Run the snort$del_kitfiles.com procedure to delete the kit files copied
    earlier.
    $ @snort$del_kitfiles.com

Note: The above command procedures were used to build the PCSI kit
HP-I64VMS-SNORT-V0208-531A-1.PCSI$COMPRESSED. You may, however, modify the
commands to add/remove files in HP-I64VMS-SNORT-V28531A.PCSI$DESC and
snort$copy_kitfiles.com if needed.

3.12) Building Snort® in debug mode
----------------------------------

Run configure with --enable-debug along with the other options. A debug image
of Snort® is built using this option, and map, DSF and listing files are
created.

You can also enable Snort® debug traces by setting the logical SNORT_DEBUG.
Ex: To print all debug traces,
    $ define/sys SNORT_DEBUG 4294967295
Alternatively, on GNV
    bash$ export SNORT_DEBUG=4294967295

Please refer to the header Decode.h for the complete list of values SNORT_DEBUG
can be set to in order to display the various levels of debugging traces.

3.13) How to run Snort® in debug mode
------------------------------------

i) $ @snort_root:[000000.com]snort_post_build.com

ii) Run Snort® with the runtime arguments of your choice.
    Ex: $ snort "-V"

    OpenVMS I64 Debug64 Version X8.3-015
    %DEBUG-I-INITIAL, Language: C, Module: snort
    %DEBUG-I-NOTATMAIN, Type GO to reach MAIN program
    DBG>