Tengo Ubuntu 9.10 amd64 estoy intentado compilar en snort_inline de esta pagina: http://snort-inline.sourceforge.net/download.html hago lo siguiente:

descomprimo



tar -xvf snort_inline-2.6.1.5.tar.z

en la carpeta /usr/src

ejecuto sh autojunk.sh y todo bien

e incluso hago un autoreconf -f y todo bien

despues compilo de esta forma:

./configure --enable-clamav --enable-flexresp2

hasta hay bien. Pero Al hacer el siguiente make (el primero) siempre me tira este error. No soy esperto en linux pero si aficionado ==>

./src/detection-plugins -I../../../../src/dynamic-plugins -I../../../../src/preprocessors -I../../../../src/preprocessors/flow -I../../../../src/preprocessors/portscan -I../../../../src/preprocessors/flow/int-snort -I../../../../src/preprocessors/HttpInspect/include -I../../../../src/preprocessors/Stream5 -I/usr/include/libipq -DENABLE_RESPONSE2 -I/usr/include -fno-strict-aliasing -g -O2 -Wall -DDYNAMIC_PLUGIN -DGIDS -DCLAMAV -fno-strict-aliasing -c hi_norm.c
rm -f libhi_norm.a
ar cru libhi_norm.a hi_norm.o
ranlib libhi_norm.a
make[5]: se sale del directorio `/usr/src/snort_inline-2.6.1.5/src/preprocessors/HttpInspect/normalization'
make[5]: se ingresa al directorio `/usr/src/snort_inline-2.6.1.5/src/preprocessors/HttpInspect'
rm -f libhttp_inspect.a
ar cru libhttp_inspect.a user_interface/hi_ui_config.o user_interface/hi_ui_server_lookup.o user_interface/hi_ui_iis_unicode_map.o session_inspection/hi_si.o mode_inspection/hi_mi.o anomaly_detection/hi_ad.o utils/hi_util_kmap.o utils/hi_util_xmalloc.o utils/hi_util_hbm.o event_output/hi_eo_log.o client/hi_client.o client/hi_client_norm.o server/hi_server.o normalization/hi_norm.o
ranlib libhttp_inspect.a
make[5]: se sale del directorio `/usr/src/snort_inline-2.6.1.5/src/preprocessors/HttpInspect'
make[4]: se sale del directorio `/usr/src/snort_inline-2.6.1.5/src/preprocessors/HttpInspect'
Making all in Stream5
make[4]: se ingresa al directorio `/usr/src/snort_inline-2.6.1.5/src/preprocessors/Stream5'
gcc -DHAVE_CONFIG_H -I. -I../../.. -I../../.. -I../../../src -I../../../src/sfutil -I/usr/include/pcap -I../../../src/output-plugins -I../../../src/detection-plugins -I../../../src/dynamic-plugins -I../../../src/preprocessors -I../../../src/preprocessors/flow -I../../../src/preprocessors/portscan -I../../../src/preprocessors/flow/int-snort -I../../../src/preprocessors/HttpInspect/include -I../../../src/preprocessors/Stream5 -I/usr/include/libipq -DENABLE_RESPONSE2 -I/usr/include -fno-strict-aliasing -g -O2 -Wall -DDYNAMIC_PLUGIN -DGIDS -DCLAMAV -fno-strict-aliasing -c snort_stream5_tcp.c
snort_stream5_tcp.c: In function ‘Stream5ParseTcpArgs’:
snort_stream5_tcp.c:585: warning: pointer targets in passing argument 1 of ‘strlen’ differ in signedness
/usr/include/string.h:397: note: expected ‘const char *’ but argument is of type ‘u_char *’
snort_stream5_tcp.c:587: warning: pointer targets in passing argument 1 of ‘mSplit’ differ in signedness
../../../src/mstring.h:34: note: expected ‘char *’ but argument is of type ‘u_char *’
gcc -DHAVE_CONFIG_H -I. -I../../.. -I../../.. -I../../../src -I../../../src/sfutil -I/usr/include/pcap -I../../../src/output-plugins -I../../../src/detection-plugins -I../../../src/dynamic-plugins -I../../../src/preprocessors -I../../../src/preprocessors/flow -I../../../src/preprocessors/portscan -I../../../src/preprocessors/flow/int-snort -I../../../src/preprocessors/HttpInspect/include -I../../../src/preprocessors/Stream5 -I/usr/include/libipq -DENABLE_RESPONSE2 -I/usr/include -fno-strict-aliasing -g -O2 -Wall -DDYNAMIC_PLUGIN -DGIDS -DCLAMAV -fno-strict-aliasing -c snort_stream5_udp.c
snort_stream5_udp.c: In function ‘Stream5ParseUdpArgs’:
snort_stream5_udp.c:137: warning: pointer targets in passing argument 1 of ‘strlen’ differ in signedness
/usr/include/string.h:397: note: expected ‘const char *’ but argument is of type ‘u_char *’
snort_stream5_udp.c:139: warning: pointer targets in passing argument 1 of ‘mSplit’ differ in signedness
../../../src/mstring.h:34: note: expected ‘char *’ but argument is of type ‘u_char *’
gcc -DHAVE_CONFIG_H -I. -I../../.. -I../../.. -I../../../src -I../../../src/sfutil -I/usr/include/pcap -I../../../src/output-plugins -I../../../src/detection-plugins -I../../../src/dynamic-plugins -I../../../src/preprocessors -I../../../src/preprocessors/flow -I../../../src/preprocessors/portscan -I../../../src/preprocessors/flow/int-snort -I../../../src/preprocessors/HttpInspect/include -I../../../src/preprocessors/Stream5 -I/usr/include/libipq -DENABLE_RESPONSE2 -I/usr/include -fno-strict-aliasing -g -O2 -Wall -DDYNAMIC_PLUGIN -DGIDS -DCLAMAV -fno-strict-aliasing -c snort_stream5_icmp.c
snort_stream5_icmp.c: In function ‘ProcessIcmpEcho’:
snort_stream5_icmp.c:201: warning: unused variable ‘ssn’
gcc -DHAVE_CONFIG_H -I. -I../../.. -I../../.. -I../../../src -I../../../src/sfutil -I/usr/include/pcap -I../../../src/output-plugins -I../../../src/detection-plugins -I../../../src/dynamic-plugins -I../../../src/preprocessors -I../../../src/preprocessors/flow -I../../../src/preprocessors/portscan -I../../../src/preprocessors/flow/int-snort -I../../../src/preprocessors/HttpInspect/include -I../../../src/preprocessors/Stream5 -I/usr/include/libipq -DENABLE_RESPONSE2 -I/usr/include -fno-strict-aliasing -g -O2 -Wall -DDYNAMIC_PLUGIN -DGIDS -DCLAMAV -fno-strict-aliasing -c snort_stream5_session.c
gcc -DHAVE_CONFIG_H -I. -I../../.. -I../../.. -I../../../src -I../../../src/sfutil -I/usr/include/pcap -I../../../src/output-plugins -I../../../src/detection-plugins -I../../../src/dynamic-plugins -I../../../src/preprocessors -I../../../src/preprocessors/flow -I../../../src/preprocessors/portscan -I../../../src/preprocessors/flow/int-snort -I../../../src/preprocessors/HttpInspect/include -I../../../src/preprocessors/Stream5 -I/usr/include/libipq -DENABLE_RESPONSE2 -I/usr/include -fno-strict-aliasing -g -O2 -Wall -DDYNAMIC_PLUGIN -DGIDS -DCLAMAV -fno-strict-aliasing -c stream5_common.c
rm -f libstream5.a
ar cru libstream5.a snort_stream5_tcp.o snort_stream5_udp.o snort_stream5_icmp.o snort_stream5_session.o stream5_common.o snort_stream5_tcp.o snort_stream5_udp.o snort_stream5_icmp.o snort_stream5_session.o stream5_common.o
ranlib libstream5.a
make[4]: se sale del directorio `/usr/src/snort_inline-2.6.1.5/src/preprocessors/Stream5'
make[4]: se ingresa al directorio `/usr/src/snort_inline-2.6.1.5/src/preprocessors'
gcc -DHAVE_CONFIG_H -I. -I../.. -I../.. -I../../src -I../../src/sfutil -I/usr/include/pcap -I../../src/output-plugins -I../../src/detection-plugins -I../../src/dynamic-plugins -I../../src/preprocessors -I../../src/preprocessors/flow -I../../src/preprocessors/portscan -I../../src/preprocessors/flow/int-snort -I../../src/preprocessors/HttpInspect/include -I../../src/preprocessors/Stream5 -I/usr/include/libipq -DENABLE_RESPONSE2 -I/usr/include -fno-strict-aliasing -g -O2 -Wall -DDYNAMIC_PLUGIN -DGIDS -DCLAMAV -fno-strict-aliasing -c spp_arpspoof.c
spp_arpspoof.c: In function ‘ARPspoofInit’:
spp_arpspoof.c:167: warning: pointer targets in passing argument 1 of ‘ParseARPspoofArgs’ differ in signedness
spp_arpspoof.c:135: note: expected ‘char *’ but argument is of type ‘u_char *’
spp_arpspoof.c: In function ‘ARPspoofHostInit’:
spp_arpspoof.c:227: warning: pointer targets in passing argument 1 of ‘ParseARPspoofHostArgs’ differ in signedness
spp_arpspoof.c:136: note: expected ‘char *’ but argument is of type ‘u_char *’
gcc -DHAVE_CONFIG_H -I. -I../.. -I../.. -I../../src -I../../src/sfutil -I/usr/include/pcap -I../../src/output-plugins -I../../src/detection-plugins -I../../src/dynamic-plugins -I../../src/preprocessors -I../../src/preprocessors/flow -I../../src/preprocessors/portscan -I../../src/preprocessors/flow/int-snort -I../../src/preprocessors/HttpInspect/include -I../../src/preprocessors/Stream5 -I/usr/include/libipq -DENABLE_RESPONSE2 -I/usr/include -fno-strict-aliasing -g -O2 -Wall -DDYNAMIC_PLUGIN -DGIDS -DCLAMAV -fno-strict-aliasing -c spp_bo.c
gcc -DHAVE_CONFIG_H -I. -I../.. -I../.. -I../../src -I../../src/sfutil -I/usr/include/pcap -I../../src/output-plugins -I../../src/detection-plugins -I../../src/dynamic-plugins -I../../src/preprocessors -I../../src/preprocessors/flow -I../../src/preprocessors/portscan -I../../src/preprocessors/flow/int-snort -I../../src/preprocessors/HttpInspect/include -I../../src/preprocessors/Stream5 -I/usr/include/libipq -DENABLE_RESPONSE2 -I/usr/include -fno-strict-aliasing -g -O2 -Wall -DDYNAMIC_PLUGIN -DGIDS -DCLAMAV -fno-strict-aliasing -c spp_rpc_decode.c
spp_rpc_decode.c: In function ‘RpcDecodeInit’:
spp_rpc_decode.c:153: warning: pointer targets in passing argument 1 of ‘SetRpcPorts’ differ in signedness
spp_rpc_decode.c:105: note: expected ‘char *’ but argument is of type ‘u_char *’
gcc -DHAVE_CONFIG_H -I. -I../.. -I../.. -I../../src -I../../src/sfutil -I/usr/include/pcap -I../../src/output-plugins -I../../src/detection-plugins -I../../src/dynamic-plugins -I../../src/preprocessors -I../../src/preprocessors/flow -I../../src/preprocessors/portscan -I../../src/preprocessors/flow/int-snort -I../../src/preprocessors/HttpInspect/include -I../../src/preprocessors/Stream5 -I/usr/include/libipq -DENABLE_RESPONSE2 -I/usr/include -fno-strict-aliasing -g -O2 -Wall -DDYNAMIC_PLUGIN -DGIDS -DCLAMAV -fno-strict-aliasing -c spp_stream4.c
spp_stream4.c: In function ‘Stream4Init’:
spp_stream4.c:1079: warning: pointer targets in passing argument 1 of ‘ParseStream4Args’ differ in signedness
spp_stream4.c:435: note: expected ‘char *’ but argument is of type ‘u_char *’
spp_stream4.c: In function ‘Stream4InitExternalOptions’:
spp_stream4.c:1886: warning: pointer targets in passing argument 1 of ‘mSplit’ differ in signedness
../../src/mstring.h:34: note: expected ‘char *’ but argument is of type ‘u_char *’
spp_stream4.c: In function ‘Stream4InitReassembler’:
spp_stream4.c:2147: warning: pointer targets in passing argument 1 of ‘mSplit’ differ in signedness
../../src/mstring.h:34: note: expected ‘char *’ but argument is of type ‘u_char *’
spp_stream4.c:2368: warning: pointer targets in passing argument 1 of ‘mSplit’ differ in signedness
../../src/mstring.h:34: note: expected ‘char *’ but argument is of type ‘u_char *’
spp_stream4.c: At top level:
../../src/bounds.h:126: warning: ‘SafeWrite’ defined but not used
../../src/sfutil/bitop_funcs.h:71: warning: ‘boInitStaticBITOP’ defined but not used
../../src/sfutil/bitop_funcs.h:181: warning: ‘boSetAllBits’ defined but not used
../../src/sfutil/bitop_funcs.h:203: warning: ‘boSetBit’ defined but not used
../../src/sfutil/bitop_funcs.h:237: warning: ‘boIsBitSet’ defined but not used
../../src/sfutil/bitop_funcs.h:270: warning: ‘boClearBit’ defined but not used
../../src/sfutil/bitop_funcs.h:303: warning: ‘boClearByte’ defined but not used
../../src/sfutil/bitop_funcs.h:335: warning: ‘boFreeBITOP’ defined but not used
../../src/preprocessors/flow/int-snort/flow_packet.h:30: warning: ‘IsIPv4Packet’ defined but not used
../../src/preprocessors/flow/int-snort/flow_packet.h:47: warning: ‘IsTcpPacket’ defined but not used
../../src/preprocessors/flow/int-snort/flow_packet.h:64: warning: ‘GetTcpFlags’ defined but not used
../../src/preprocessors/flow/int-snort/flow_packet.h:86: warning: ‘GetIPv4SrcPort’ defined but not used
../../src/preprocessors/flow/int-snort/flow_packet.h:108: warning: ‘GetIPv4DstPort’ defined but not used
../../src/preprocessors/flow/int-snort/flow_packet.h:129: warning: ‘GetIPv4Proto’ defined but not used
../../src/preprocessors/flow/int-snort/flow_packet.h:151: warning: ‘GetIPv4SrcIp’ defined but not used
../../src/preprocessors/flow/int-snort/flow_packet.h:174: warning: ‘GetIPv4DstIp’ defined but not used
../../src/preprocessors/flow/int-snort/flow_packet.h:192: warning: ‘GetIPv4Len’ defined but not used
../../src/preprocessors/flow/flow.h:88: warning: ‘flow_mark’ defined but not used
../../src/preprocessors/flow/flow.h:99: warning: ‘flow_checkflag’ defined but not used
gcc -DHAVE_CONFIG_H -I. -I../.. -I../.. -I../../src -I../../src/sfutil -I/usr/include/pcap -I../../src/output-plugins -I../../src/detection-plugins -I../../src/dynamic-plugins -I../../src/preprocessors -I../../src/preprocessors/flow -I../../src/preprocessors/portscan -I../../src/preprocessors/flow/int-snort -I../../src/preprocessors/HttpInspect/include -I../../src/preprocessors/Stream5 -I/usr/include/libipq -DENABLE_RESPONSE2 -I/usr/include -fno-strict-aliasing -g -O2 -Wall -DDYNAMIC_PLUGIN -DGIDS -DCLAMAV -fno-strict-aliasing -c snort_stream4_session.c
snort_stream4_session.c: In function ‘TruncSessionCache’:
snort_stream4_session.c:705: warning: unused variable ‘cnt’
gcc -DHAVE_CONFIG_H -I. -I../.. -I../.. -I../../src -I../../src/sfutil -I/usr/include/pcap -I../../src/output-plugins -I../../src/detection-plugins -I../../src/dynamic-plugins -I../../src/preprocessors -I../../src/preprocessors/flow -I../../src/preprocessors/portscan -I../../src/preprocessors/flow/int-snort -I../../src/preprocessors/HttpInspect/include -I../../src/preprocessors/Stream5 -I/usr/include/libipq -DENABLE_RESPONSE2 -I/usr/include -fno-strict-aliasing -g -O2 -Wall -DDYNAMIC_PLUGIN -DGIDS -DCLAMAV -fno-strict-aliasing -c snort_stream4_udp.c
gcc -DHAVE_CONFIG_H -I. -I../.. -I../.. -I../../src -I../../src/sfutil -I/usr/include/pcap -I../../src/output-plugins -I../../src/detection-plugins -I../../src/dynamic-plugins -I../../src/preprocessors -I../../src/preprocessors/flow -I../../src/preprocessors/portscan -I../../src/preprocessors/flow/int-snort -I../../src/preprocessors/HttpInspect/include -I../../src/preprocessors/Stream5 -I/usr/include/libipq -DENABLE_RESPONSE2 -I/usr/include -fno-strict-aliasing -g -O2 -Wall -DDYNAMIC_PLUGIN -DGIDS -DCLAMAV -fno-strict-aliasing -c stream_ignore.c
gcc -DHAVE_CONFIG_H -I. -I../.. -I../.. -I../../src -I../../src/sfutil -I/usr/include/pcap -I../../src/output-plugins -I../../src/detection-plugins -I../../src/dynamic-plugins -I../../src/preprocessors -I../../src/preprocessors/flow -I../../src/preprocessors/portscan -I../../src/preprocessors/flow/int-snort -I../../src/preprocessors/HttpInspect/include -I../../src/preprocessors/Stream5 -I/usr/include/libipq -DENABLE_RESPONSE2 -I/usr/include -fno-strict-aliasing -g -O2 -Wall -DDYNAMIC_PLUGIN -DGIDS -DCLAMAV -fno-strict-aliasing -c spp_telnet_negotiation.c
spp_telnet_negotiation.c: In function ‘TelNegInit’:
spp_telnet_negotiation.c:133: warning: pointer targets in passing argument 1 of ‘SetTelnetPorts’ differ in signedness
spp_telnet_negotiation.c:85: note: expected ‘char *’ but argument is of type ‘u_char *’
spp_telnet_negotiation.c: In function ‘NormalizeTelnet’:
spp_telnet_negotiation.c:187: warning: pointer targets in assignment differ in signedness
spp_telnet_negotiation.c:188: warning: pointer targets in assignment differ in signedness
spp_telnet_negotiation.c:218: warning: pointer targets in assignment differ in signedness
gcc -DHAVE_CONFIG_H -I. -I../.. -I../.. -I../../src -I../../src/sfutil -I/usr/include/pcap -I../../src/output-plugins -I../../src/detection-plugins -I../../src/dynamic-plugins -I../../src/preprocessors -I../../src/preprocessors/flow -I../../src/preprocessors/portscan -I../../src/preprocessors/flow/int-snort -I../../src/preprocessors/HttpInspect/include -I../../src/preprocessors/Stream5 -I/usr/include/libipq -DENABLE_RESPONSE2 -I/usr/include -fno-strict-aliasing -g -O2 -Wall -DDYNAMIC_PLUGIN -DGIDS -DCLAMAV -fno-strict-aliasing -c spp_perfmonitor.c
gcc -DHAVE_CONFIG_H -I. -I../.. -I../.. -I../../src -I../../src/sfutil -I/usr/include/pcap -I../../src/output-plugins -I../../src/detection-plugins -I../../src/dynamic-plugins -I../../src/preprocessors -I../../src/preprocessors/flow -I../../src/preprocessors/portscan -I../../src/preprocessors/flow/int-snort -I../../src/preprocessors/HttpInspect/include -I../../src/preprocessors/Stream5 -I/usr/include/libipq -DENABLE_RESPONSE2 -I/usr/include -fno-strict-aliasing -g -O2 -Wall -DDYNAMIC_PLUGIN -DGIDS -DCLAMAV -fno-strict-aliasing -c perf.c
gcc -DHAVE_CONFIG_H -I. -I../.. -I../.. -I../../src -I../../src/sfutil -I/usr/include/pcap -I../../src/output-plugins -I../../src/detection-plugins -I../../src/dynamic-plugins -I../../src/preprocessors -I../../src/preprocessors/flow -I../../src/preprocessors/portscan -I../../src/preprocessors/flow/int-snort -I../../src/preprocessors/HttpInspect/include -I../../src/preprocessors/Stream5 -I/usr/include/libipq -DENABLE_RESPONSE2 -I/usr/include -fno-strict-aliasing -g -O2 -Wall -DDYNAMIC_PLUGIN -DGIDS -DCLAMAV -fno-strict-aliasing -c perf-base.c
gcc -DHAVE_CONFIG_H -I. -I../.. -I../.. -I../../src -I../../src/sfutil -I/usr/include/pcap -I../../src/output-plugins -I../../src/detection-plugins -I../../src/dynamic-plugins -I../../src/preprocessors -I../../src/preprocessors/flow -I../../src/preprocessors/portscan -I../../src/preprocessors/flow/int-snort -I../../src/preprocessors/HttpInspect/include -I../../src/preprocessors/Stream5 -I/usr/include/libipq -DENABLE_RESPONSE2 -I/usr/include -fno-strict-aliasing -g -O2 -Wall -DDYNAMIC_PLUGIN -DGIDS -DCLAMAV -fno-strict-aliasing -c perf-flow.c
gcc -DHAVE_CONFIG_H -I. -I../.. -I../.. -I../../src -I../../src/sfutil -I/usr/include/pcap -I../../src/output-plugins -I../../src/detection-plugins -I../../src/dynamic-plugins -I../../src/preprocessors -I../../src/preprocessors/flow -I../../src/preprocessors/portscan -I../../src/preprocessors/flow/int-snort -I../../src/preprocessors/HttpInspect/include -I../../src/preprocessors/Stream5 -I/usr/include/libipq -DENABLE_RESPONSE2 -I/usr/include -fno-strict-aliasing -g -O2 -Wall -DDYNAMIC_PLUGIN -DGIDS -DCLAMAV -fno-strict-aliasing -c perf-event.c
gcc -DHAVE_CONFIG_H -I. -I../.. -I../.. -I../../src -I../../src/sfutil -I/usr/include/pcap -I../../src/output-plugins -I../../src/detection-plugins -I../../src/dynamic-plugins -I../../src/preprocessors -I../../src/preprocessors/flow -I../../src/preprocessors/portscan -I../../src/preprocessors/flow/int-snort -I../../src/preprocessors/HttpInspect/include -I../../src/preprocessors/Stream5 -I/usr/include/libipq -DENABLE_RESPONSE2 -I/usr/include -fno-strict-aliasing -g -O2 -Wall -DDYNAMIC_PLUGIN -DGIDS -DCLAMAV -fno-strict-aliasing -c sfprocpidstats.c
gcc -DHAVE_CONFIG_H -I. -I../.. -I../.. -I../../src -I../../src/sfutil -I/usr/include/pcap -I../../src/output-plugins -I../../src/detection-plugins -I../../src/dynamic-plugins -I../../src/preprocessors -I../../src/preprocessors/flow -I../../src/preprocessors/portscan -I../../src/preprocessors/flow/int-snort -I../../src/preprocessors/HttpInspect/include -I../../src/preprocessors/Stream5 -I/usr/include/libipq -DENABLE_RESPONSE2 -I/usr/include -fno-strict-aliasing -g -O2 -Wall -DDYNAMIC_PLUGIN -DGIDS -DCLAMAV -fno-strict-aliasing -c spp_httpinspect.c
spp_httpinspect.c: In function ‘HttpInspectInit’:
spp_httpinspect.c:271: warning: pointer targets in passing argument 2 of ‘HttpInspectSnortConf’ differ in signedness
snort_httpinspect.h:5: note: expected ‘char *’ but argument is of type ‘u_char *’
spp_httpinspect.c:278: warning: the address of ‘ErrorString’ will always evaluate as ‘true’
spp_httpinspect.c:289: warning: the address of ‘ErrorString’ will always evaluate as ‘true’
gcc -DHAVE_CONFIG_H -I. -I../.. -I../.. -I../../src -I../../src/sfutil -I/usr/include/pcap -I../../src/output-plugins -I../../src/detection-plugins -I../../src/dynamic-plugins -I../../src/preprocessors -I../../src/preprocessors/flow -I../../src/preprocessors/portscan -I../../src/preprocessors/flow/int-snort -I../../src/preprocessors/HttpInspect/include -I../../src/preprocessors/Stream5 -I/usr/include/libipq -DENABLE_RESPONSE2 -I/usr/include -fno-strict-aliasing -g -O2 -Wall -DDYNAMIC_PLUGIN -DGIDS -DCLAMAV -fno-strict-aliasing -c snort_httpinspect.c
snort_httpinspect.c: In function ‘LogEvents’:
snort_httpinspect.c:2295: warning: cast from pointer to integer of different size
snort_httpinspect.c:2313: warning: cast to pointer from integer of different size
gcc -DHAVE_CONFIG_H -I. -I../.. -I../.. -I../../src -I../../src/sfutil -I/usr/include/pcap -I../../src/output-plugins -I../../src/detection-plugins -I../../src/dynamic-plugins -I../../src/preprocessors -I../../src/preprocessors/flow -I../../src/preprocessors/portscan -I../../src/preprocessors/flow/int-snort -I../../src/preprocessors/HttpInspect/include -I../../src/preprocessors/Stream5 -I/usr/include/libipq -DENABLE_RESPONSE2 -I/usr/include -fno-strict-aliasing -g -O2 -Wall -DDYNAMIC_PLUGIN -DGIDS -DCLAMAV -fno-strict-aliasing -c spp_flow.c
spp_flow.c: In function ‘FlowInit’:
spp_flow.c:149: warning: pointer targets in passing argument 2 of ‘FlowParseArgs’ differ in signedness
spp_flow.c:68: note: expected ‘char *’ but argument is of type ‘u_char *’
gcc -DHAVE_CONFIG_H -I. -I../.. -I../.. -I../../src -I../../src/sfutil -I/usr/include/pcap -I../../src/output-plugins -I../../src/detection-plugins -I../../src/dynamic-plugins -I../../src/preprocessors -I../../src/preprocessors/flow -I../../src/preprocessors/portscan -I../../src/preprocessors/flow/int-snort -I../../src/preprocessors/HttpInspect/include -I../../src/preprocessors/Stream5 -I/usr/include/libipq -DENABLE_RESPONSE2 -I/usr/include -fno-strict-aliasing -g -O2 -Wall -DDYNAMIC_PLUGIN -DGIDS -DCLAMAV -fno-strict-aliasing -c portscan.c
gcc -DHAVE_CONFIG_H -I. -I../.. -I../.. -I../../src -I../../src/sfutil -I/usr/include/pcap -I../../src/output-plugins -I../../src/detection-plugins -I../../src/dynamic-plugins -I../../src/preprocessors -I../../src/preprocessors/flow -I../../src/preprocessors/portscan -I../../src/preprocessors/flow/int-snort -I../../src/preprocessors/HttpInspect/include -I../../src/preprocessors/Stream5 -I/usr/include/libipq -DENABLE_RESPONSE2 -I/usr/include -fno-strict-aliasing -g -O2 -Wall -DDYNAMIC_PLUGIN -DGIDS -DCLAMAV -fno-strict-aliasing -c spp_sfportscan.c
spp_sfportscan.c: In function ‘MakeProtoInfo’:
spp_sfportscan.c:165: warning: pointer targets in assignment differ in signedness
spp_sfportscan.c:166: warning: pointer targets in assignment differ in signedness
spp_sfportscan.c:207: warning: pointer targets in passing argument 1 of ‘SnortStrnlen’ differ in signedness
../../src/util.h:115: note: expected ‘char *’ but argument is of type ‘u_char *’
spp_sfportscan.c: In function ‘MakeOpenPortInfo’:
spp_sfportscan.c:358: warning: pointer targets in passing argument 1 of ‘SnortStrnlen’ differ in signedness
../../src/util.h:115: note: expected ‘char *’ but argument is of type ‘u_char *’
spp_sfportscan.c: In function ‘ParseLogFile’:
spp_sfportscan.c:1113: warning: pointer targets in passing argument 1 of ‘SnortSnprintf’ differ in signedness
../../src/util.h:112: note: expected ‘char *’ but argument is of type ‘u_char *’
spp_sfportscan.c:1115: warning: pointer targets in passing argument 1 of ‘SnortSnprintf’ differ in signedness
../../src/util.h:112: note: expected ‘char *’ but argument is of type ‘u_char *’
spp_sfportscan.c:1124: warning: pointer targets in passing argument 1 of ‘fopen’ differ in signedness
/usr/include/stdio.h:249: note: expected ‘const char * __restrict__’ but argument is of type ‘u_char *’
spp_sfportscan.c: In function ‘PortscanInit’:
spp_sfportscan.c:1148: warning: pointer targets in passing argument 1 of ‘strtok’ differ in signedness
/usr/include/string.h:346: note: expected ‘char * __restrict__’ but argument is of type ‘u_char *’
spp_sfportscan.c:1155: warning: pointer targets in passing argument 1 of ‘FatalErrorNoOption’ differ in signedness
spp_sfportscan.c:806: note: expected ‘u_char *’ but argument is of type ‘char *’
spp_sfportscan.c:1163: warning: pointer targets in passing argument 1 of ‘FatalErrorNoOption’ differ in signedness
spp_sfportscan.c:806: note: expected ‘u_char *’ but argument is of type ‘char *’
spp_sfportscan.c:1171: warning: pointer targets in passing argument 1 of ‘FatalErrorNoOption’ differ in signedness
spp_sfportscan.c:806: note: expected ‘u_char *’ but argument is of type ‘char *’
spp_sfportscan.c:1179: warning: pointer targets in passing argument 1 of ‘FatalErrorNoOption’ differ in signedness
spp_sfportscan.c:806: note: expected ‘u_char *’ but argument is of type ‘char *’
spp_sfportscan.c:1187: warning: pointer targets in passing argument 1 of ‘FatalErrorNoOption’ differ in signedness
spp_sfportscan.c:806: note: expected ‘u_char *’ but argument is of type ‘char *’
spp_sfportscan.c:1195: warning: pointer targets in passing argument 1 of ‘FatalErrorNoOption’ differ in signedness
spp_sfportscan.c:806: note: expected ‘u_char *’ but argument is of type ‘char *’
spp_sfportscan.c:1207: warning: pointer targets in passing argument 1 of ‘FatalErrorNoOption’ differ in signedness
spp_sfportscan.c:806: note: expected ‘u_char *’ but argument is of type ‘char *’
spp_sfportscan.c:1215: warning: pointer targets in passing argument 1 of ‘FatalErrorNoOption’ differ in signedness
spp_sfportscan.c:806: note: expected ‘u_char *’ but argument is of type ‘char *’
gcc -DHAVE_CONFIG_H -I. -I../.. -I../.. -I../../src -I../../src/sfutil -I/usr/include/pcap -I../../src/output-plugins -I../../src/detection-plugins -I../../src/dynamic-plugins -I../../src/preprocessors -I../../src/preprocessors/flow -I../../src/preprocessors/portscan -I../../src/preprocessors/flow/int-snort -I../../src/preprocessors/HttpInspect/include -I../../src/preprocessors/Stream5 -I/usr/include/libipq -DENABLE_RESPONSE2 -I/usr/include -fno-strict-aliasing -g -O2 -Wall -DDYNAMIC_PLUGIN -DGIDS -DCLAMAV -fno-strict-aliasing -c spp_frag2.c
spp_frag2.c: In function ‘ParseFrag2Args’:
spp_frag2.c:470: warning: pointer targets in passing argument 1 of ‘strlen’ differ in signedness
/usr/include/string.h:397: note: expected ‘const char *’ but argument is of type ‘u_char *’
spp_frag2.c:507: warning: pointer targets in passing argument 1 of ‘mSplit’ differ in signedness
../../src/mstring.h:34: note: expected ‘char *’ but argument is of type ‘u_char *’
gcc -DHAVE_CONFIG_H -I. -I../.. -I../.. -I../../src -I../../src/sfutil -I/usr/include/pcap -I../../src/output-plugins -I../../src/detection-plugins -I../../src/dynamic-plugins -I../../src/preprocessors -I../../src/preprocessors/flow -I../../src/preprocessors/portscan -I../../src/preprocessors/flow/int-snort -I../../src/preprocessors/HttpInspect/include -I../../src/preprocessors/Stream5 -I/usr/include/libipq -DENABLE_RESPONSE2 -I/usr/include -fno-strict-aliasing -g -O2 -Wall -DDYNAMIC_PLUGIN -DGIDS -DCLAMAV -fno-strict-aliasing -c spp_frag3.c
spp_frag3.c: In function ‘Frag3ParseGlobalArgs’:
spp_frag3.c:991: warning: pointer targets in passing argument 1 of ‘strlen’ differ in signedness
/usr/include/string.h:397: note: expected ‘const char *’ but argument is of type ‘u_char *’
spp_frag3.c:993: warning: pointer targets in passing argument 1 of ‘mSplit’ differ in signedness
../../src/mstring.h:34: note: expected ‘char *’ but argument is of type ‘u_char *’
spp_frag3.c: In function ‘Frag3ParseArgs’:
spp_frag3.c:1129: warning: pointer targets in passing argument 1 of ‘strlen’ differ in signedness
/usr/include/string.h:397: note: expected ‘const char *’ but argument is of type ‘u_char *’
spp_frag3.c:1136: warning: pointer targets in passing argument 1 of ‘mSplit’ differ in signedness
../../src/mstring.h:34: note: expected ‘char *’ but argument is of type ‘u_char *’
spp_frag3.c: In function ‘Frag3NewTracker’:
spp_frag3.c:1911: warning: pointer targets in assignment differ in signedness
gcc -DHAVE_CONFIG_H -I. -I../.. -I../.. -I../../src -I../../src/sfutil -I/usr/include/pcap -I../../src/output-plugins -I../../src/detection-plugins -I../../src/dynamic-plugins -I../../src/preprocessors -I../../src/preprocessors/flow -I../../src/preprocessors/portscan -I../../src/preprocessors/flow/int-snort -I../../src/preprocessors/HttpInspect/include -I../../src/preprocessors/Stream5 -I/usr/include/libipq -DENABLE_RESPONSE2 -I/usr/include -fno-strict-aliasing -g -O2 -Wall -DDYNAMIC_PLUGIN -DGIDS -DCLAMAV -fno-strict-aliasing -c str_search.c
gcc -DHAVE_CONFIG_H -I. -I../.. -I../.. -I../../src -I../../src/sfutil -I/usr/include/pcap -I../../src/output-plugins -I../../src/detection-plugins -I../../src/dynamic-plugins -I../../src/preprocessors -I../../src/preprocessors/flow -I../../src/preprocessors/portscan -I../../src/preprocessors/flow/int-snort -I../../src/preprocessors/HttpInspect/include -I../../src/preprocessors/Stream5 -I/usr/include/libipq -DENABLE_RESPONSE2 -I/usr/include -fno-strict-aliasing -g -O2 -Wall -DDYNAMIC_PLUGIN -DGIDS -DCLAMAV -fno-strict-aliasing -c stream_api.c
gcc -DHAVE_CONFIG_H -I. -I../.. -I../.. -I../../src -I../../src/sfutil -I/usr/include/pcap -I../../src/output-plugins -I../../src/detection-plugins -I../../src/dynamic-plugins -I../../src/preprocessors -I../../src/preprocessors/flow -I../../src/preprocessors/portscan -I../../src/preprocessors/flow/int-snort -I../../src/preprocessors/HttpInspect/include -I../../src/preprocessors/Stream5 -I/usr/include/libipq -DENABLE_RESPONSE2 -I/usr/include -fno-strict-aliasing -g -O2 -Wall -DDYNAMIC_PLUGIN -DGIDS -DCLAMAV -fno-strict-aliasing -c spp_clamav.c
spp_clamav.c: In function ‘ProcessPorts’:
spp_clamav.c:191: warning: pointer targets in passing argument 1 of ‘mSplit’ differ in signedness
../../src/mstring.h:34: note: expected ‘char *’ but argument is of type ‘u_char *’
spp_clamav.c: In function ‘ParseClamAVArgs’:
spp_clamav.c:306: warning: pointer targets in initialization differ in signedness
spp_clamav.c:356: warning: pointer targets in passing argument 1 of ‘mSplit’ differ in signedness
../../src/mstring.h:34: note: expected ‘char *’ but argument is of type ‘u_char *’
spp_clamav.c:365: warning: pointer targets in passing argument 1 of ‘ProcessPorts’ differ in signedness
spp_clamav.c:179: note: expected ‘u_char *’ but argument is of type ‘char *’
spp_clamav.c: In function ‘ClamAVInit’:
spp_clamav.c:520: warning: implicit declaration of function ‘cl_loaddbdir’
spp_clamav.c:530: warning: implicit declaration of function ‘cl_buildtrie’
spp_clamav.c:537: error: invalid application of ‘sizeof’ to incomplete type ‘struct cl_limits’
spp_clamav.c:539: error: invalid use of undefined type ‘struct cl_limits’
spp_clamav.c:541: error: invalid use of undefined type ‘struct cl_limits’
spp_clamav.c:543: error: invalid use of undefined type ‘struct cl_limits’
spp_clamav.c:545: error: invalid use of undefined type ‘struct cl_limits’
spp_clamav.c:547: error: invalid use of undefined type ‘struct cl_limits’
spp_clamav.c: In function ‘ClamAVReloadDB’:
spp_clamav.c:580: warning: implicit declaration of function ‘cl_freetrie’
spp_clamav.c: In function ‘strip_http_headers_p’:
spp_clamav.c:650: warning: pointer targets in passing argument 1 of ‘strstr’ differ in signedness
/usr/include/string.h:340: note: expected ‘const char *’ but argument is of type ‘u_int8_t *’
spp_clamav.c:650: warning: pointer targets in assignment differ in signedness
spp_clamav.c:663: warning: pointer targets in passing argument 1 of ‘strstr’ differ in signedness
/usr/include/string.h:340: note: expected ‘const char *’ but argument is of type ‘u_int8_t *’
spp_clamav.c:663: warning: pointer targets in assignment differ in signedness
spp_clamav.c:678: warning: pointer targets in passing argument 1 of ‘strstr’ differ in signedness
/usr/include/string.h:340: note: expected ‘const char *’ but argument is of type ‘u_int8_t *’
spp_clamav.c:678: warning: pointer targets in assignment differ in signedness
spp_clamav.c:706: warning: pointer targets in passing argument 1 of ‘strstr’ differ in signedness
/usr/include/string.h:340: note: expected ‘const char *’ but argument is of type ‘u_int8_t *’
spp_clamav.c:706: warning: pointer targets in assignment differ in signedness
spp_clamav.c: In function ‘StoreAndScan’:
spp_clamav.c:877: warning: passing argument 4 of ‘cl_scandesc’ from incompatible pointer type
/usr/include/clamav.h:178: note: expected ‘const struct cl_engine *’ but argument is of type ‘struct cl_node *’
spp_clamav.c:877: warning: passing argument 5 of ‘cl_scandesc’ makes integer from pointer without a cast
/usr/include/clamav.h:178: note: expected ‘unsigned int’ but argument is of type ‘struct cl_limits *’
spp_clamav.c:877: error: too many arguments to function ‘cl_scandesc’
make[4]: *** [spp_clamav.o] Error 1
make[4]: se sale del directorio `/usr/src/snort_inline-2.6.1.5/src/preprocessors'
make[3]: *** [all-recursive] Error 1
make[3]: se sale del directorio `/usr/src/snort_inline-2.6.1.5/src/preprocessors'
make[2]: *** [all-recursive] Error 1
make[2]: se sale del directorio `/usr/src/snort_inline-2.6.1.5/src'
make[1]: *** [all-recursive] Error 1
make[1]: se sale del directorio `/usr/src/snort_inline-2.6.1.5'
make: *** [all] Error 2

pdta: con el ./configure --enable-flexresp2 si funciona pero con clamav NO. Me da este error
¿Que tengo que hacer o cambiar no hay nada en el google, por favor una ayuda.
este error me lo ha dado por lo menos desde que me inicie en ubuntu, es decir, no recuerdo bien, pero desde algunas distribuciones atrás
de ubuntu

Que versión de clamav estas utilizando? Probablemente sea muy nueva y por eso está fallando la compilación (la ultima versión de snort_inline salio hace mas de 2 años y medio, probablemente sea esa la razon). Además las nuevas versiones de snort ya llevan soporte de inline. Saludos.

Al fin pude solucionarlo. Me Instale la version de ubuntu 9.10 pero la de 32. Me hice una instalacion nueva y me fui a la pagina de debian y me descarge 3 paquetes
primero instalale este:
libkrb53_1.4.4-7etch7_i386.deb
despues este
libclamav2_0.90.1dfsg-4etch19_i386.deb
y por ultimo este
libclamav-dev_0.90.1dfsg-4etch19_i386.deb
pude compilar el snort_inline 2.6.1.5 así
./configure --enable-clamav --enable-flexresp2
make
make install
y todo a la primera
Ahora El problema es que no me para los virus del eicar test
como podria solucionarlo, que me los detectara us saludo
y Gracias condestation

Editado -- Sab Ene 16, 2010 3:08 pm --

Bueno Cambie de Tactica al instalar el snort me baje la version clamav0.90 la compile e instale y despues compile el snort_inline 2.6.1.5 y tambien he probado la 2.8.x.x la de sourceforget con exito pero no me para los virus del eicar. No se que hacer adjunto mi snort_inline.conf a ver que hago mal

# example Snort_inline configuration file
# Last modified 26 October, 2005
#
# Standard Snort configuration file modified for inline
# use. Most preprocessors currently do not work in inline
# mode, as such they are not included.
#

### Network variables
var HOME_NET any
var HONEYNET any
var EXTERNAL_NET any
var SMTP_SERVERS any
var TELNET_SERVERS any
var HTTP_SERVERS any
var SQL_SERVERS any
var DNS_SERVERS any

# Ports you run web servers on
#
# Please note: [80,8080] does not work.
# If you wish to define multiple HTTP ports,
#
## var HTTP_PORTS 80
## include somefile.rules
## var HTTP_PORTS 8080
## include somefile.rules
var HTTP_PORTS 80

# Ports you want to look for SHELLCODE on.
var SHELLCODE_PORTS !80

# Ports you do oracle attacks on
var ORACLE_PORTS 1521

#ports you want to look for SSH on
var SSH_PORTS 22

# AIM servers. AOL has a habit of adding new AIM servers, so instead of
# modifying the signatures when they do, we add them to this list of servers.
var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]

### As of snort_inline 2.2.0 we drop
### packets with bad checksums. We can
config checksum_mode: all

# Path to your rules files (this can be a relative path)
var RULE_PATH /etc/snort_inline/rules

# Configure the snort decoder
# ============================
#
# Snort's decoder will alert on lots of things such as header
# truncation or options of unusual length or infrequently used tcp options
#
#
# Stop generic decode events:
#
# config disable_decode_alerts
#
# Stop generic decode drops:
#
# config disable_decode_drops
#
# Stop Alerts on experimental TCP options
#
# config disable_tcpopt_experimental_alerts
#
# Stop drops on experimental TCP options
#
# config disable_tcpopt_experimental_drops
#
# Stop Alerts on obsolete TCP options
#
# config disable_tcpopt_obsolete_alerts
#
# Stop drops on obsolete TCP options
#
# config disable_tcpopt_obsolete_drops
#
# Stop Alerts on T/TCP alerts
#
# In snort 2.0.1 and above, this only alerts when a TCP option is detected
# that shows T/TCP being actively used on the network. If this is normal
# behavior for your network, disable the next option.
#
# config disable_tcpopt_ttcp_alerts
#
# Stop drops on T/TCP alerts
#
# config disable_ttcp_drops
#
# Stop Alerts on all other TCPOption type events:
#
# config disable_tcpopt_alerts
#
# Stop drops on all other TCPOption type events:
#
# config disable_tcpopt_drops
#
# Stop Alerts on invalid ip options
#
# config disable_ipopt_alerts
#
# Stop drops on invalid ip options
#
# config disable_ipopt_drops

# Configure the detection engine
# ===============================
#
# Use a different pattern matcher in case you have a machine with very limited
# resources:
#
# config detection: search-method lowmem

# Configure Inline Resets
# ========================
#
# If running an iptables firewall with snort_inline we can now perform resets
# via a physical device we grab the indev from iptables and use this for the
# interface on which to send resets. This config option takes an argument for
# the src mac address you want to use in the reset packet. This way the bridge
# can remain stealthy. If the src mac option is not set we use the mac address
# of the indev device. If we don't set this option we will default to sending
# resets via raw socket, which needs an ipaddress to be assigned to the int.
# rejectdst rules will not work while using layer2resets as iptables does not
# give us the dst mac address.
#
# config layer2resets: 00:06:76:DD:5F:E3

# Configure Inline IPFW reinjection
# ==================================
#
# If running a FreeBSD IPFW firewall with snort_inline we can now reinject
# packets at the specified ipfw rule number. This config option only
# applies to packets that are matched with 'reinject' snort rule action.
# The supplied argumet is the ipfw rule number AT WHICH rule processing
# continues in the ipfw processing system after snort_inline has finished
# processing the packet. Care must be taken to avoid loops in ipfw.
#
# The following example tells snort_inline to reinject packets
# (that match against snort 'reinject' rules) back into the ipfw
# firewall AT rule number 5500:
#
# config ipfw_reinject_rule: 5500

###################################################
# Step #2: Configure dynamic loaded libraries
#
# If snort was configured to use dynamically loaded libraries,
# those libraries can be loaded here.
#
# Each of the following configuration options can be done via
# the command line as well.
#
# Load all dynamic preprocessors from the install path
# (same as command line option --dynamic-preprocessor-lib-dir)
#
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
#
# Load a specific dynamic preprocessor library from the install path
# (same as command line option --dynamic-preprocessor-lib)
#
# dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libdynamicexample.so
#
# Load a dynamic engine from the install path
# (same as command line option --dynamic-engine-lib)
#
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
#
# Load all dynamic rules libraries from the install path
# (same as command line option --dynamic-detection-lib-dir)
#
# dynamicdetection directory /usr/local/lib/snort_dynamicrule/
#
# Load a specific dynamic rule library from the install path
# (same as command line option --dynamic-detection-lib)
#
# dynamicdetection file /usr/local/lib/snort_dynamicrule/libdynamicexamplerule.so
#

### Preprocessors
# usage guidelines: if the plugin normalizes the packet so that the
# detection engine can better interpret the data, the plugin can be
# used with the snort_inline safely. If the plugin itself makes
# the alert decisions, then we have to modify it to drop packets.

# sticky-drop: drop all packets from the source of an attack for x number of seconds
# ----------------------------------------------------------------------------------
# For use in rule language and by the portscan2, clamav, and the sfportscan preprocessor to drop
# packets from attackers for x number of seconds because we don't like them messing with
# our stuff. Right now we only drop from source so if using the sticky-drop keyword make sure
# that the source of the attack is something you actually want to block.
#
# In the example below the first line tells stickydrop a max amount of entries for memory allocation
# In addition the first line tells stickydrop to log droped packets to the snort log dir stickyd.log
#
# The second line specifies timeouts for the two currently supported portscan preprocs and clamav
#
# The third line tells which sources to never drop, it is very, very important to add your home net
# and you dns servers to this list.
#
#example:
#preprocessor stickydrop: max_entries 3000,log
#preprocessor stickydrop-timeouts: sfportscan 3000, portscan2 3000, clamav 3000
#preprocessor stickydrop-ignorehosts: 192.168.0.0/24 192.168.1.12 192.168.1.13

# bait-and-switch: Attempt to do stealthy reroutes of an attacker to a honeypot for x number of seconds
# ----------------------------------------------------------------------------------
# For use in rule language
# reroute packets from attackers for x number of seconds because we don't like them messing with
# our stuff.
#
# In the example below the first line tells bait-and-switch a max amount of entries for memory allocation
# In addition the first line tells bait-and-switch to log droped packets to the snort log dir bands.log, and to insert reroute rules before anything else that may be in your postrouting/prerouting chains via insert_before
#
#
# The second line tells which sources to never reroute it is very, very important to add your home net
# and you dns servers to this list.
#
#example:
#preprocessor bait-and-switch: max_entries 200,log,insert_before
#preprocessor bait-and-switch-ignorehosts: 192.168.1.0/24

# Done by IPTables. Iptables assembles fragments when we use connection
# tracking; therefore, we don't have to use frag2
# preprocessor frag2

# Configure Flow tracking module
# -------------------------------
#
# The Flow tracking module is meant to start unifying the state keeping
# mechanisms of snort into a single place. Right now, only a portscan detector
# is implemented but in the long term, many of the stateful subsystems of
# snort will be migrated over to becoming flow plugins. This must be enabled
# for flow-portscan to work correctly.
#
# See README.flow for additional information
#

preprocessor flow: stats_interval 0 hash 2

# stream4: stateful inspection/stream reassembly for Snort
#----------------------------------------------------------------------
# Use in concert with the -z [all|est] command line switch to defeat stick/snot
# against TCP rules. Also performs full TCP stream reassembly, stateful
# inspection of TCP streams, etc. Can statefully detect various portscan
# types, fingerprinting, ECN, etc.

# stateful inspection directive
# no arguments loads the defaults (timeout 30, memcap 8388608)
# options (options are comma delimited):
# detect_scans - stream4 will detect stealth portscans and generate alerts
# when it sees them when this option is set
# detect_state_problems - detect TCP state problems, this tends to be very
# noisy because there are a lot of crappy ip stack
# implementations out there
#
# disable_evasion_alerts - turn off the possibly noisy mitigation of
# overlapping sequences.
#
#
# min_ttl [number] - set a minium ttl that snort will accept to
# stream reassembly
#
# ttl_limit [number] - differential of the initial ttl on a session versus
# the normal that someone may be playing games.
# Routing flap may cause lots of false positives.
#
# keepstats [machine|binary] - keep session statistics, add "machine" to
# get them in a flat format for machine reading, add
# "binary" to get them in a unified binary output
# format
# noinspect - turn off stateful inspection only
# timeout [number] - set the session timeout counter to [number] seconds,
# default is 30 seconds
# memcap [number] - limit stream4 memory usage to [number] bytes
# log_flushed_streams - if an event is detected on a stream this option will
# cause all packets that are stored in the stream4
# packet buffers to be flushed to disk. This only
# works when logging in pcap mode!
#
# stream4inline - This forces stream4 to do packet reassembly on a sliding window, what this means
# is that we are doing reassembly in real-time, and no more of this postmortem uberpacket
# creation alert but can't drop non-sense. Be careful though we are performing
# session drops so this means that this option has to be used in conjunction with enforce_state
# to be effective otherwise what is the point. We are pretty sure we break the replace keyword
# with this one, so be careful.
#
# Stream4inline options:
# truncate: truncates a stream instead of flushing it when memcap is reached.
# truncate_percentage: set the percentage to cut off of the stream when we truncate (default 33).
# window_size: size in bytes of the sliding window (default: 7000).
# scan_stream_only: if set will only scan the stream and not both the reassembled stream and the individual packet
#
# state_file: /path/to/file you can tell stream4inline where to store your state file at exit. If enforce_state
# is enabled this means that when you restart snort your valid sessions won't be dropped.*EXPERIMENTAL*
#
# norm_window: normalize the TCP window - disabled by default. This is to protect Snort_inline
# from being forced to queue too many packets.
# max_win_size: maximum size of the scaled TCP window. Packets increasing the window beyond the
# limit are modified.
#
# max_ooo_pkts: maximum number of concurrent Out of order packets in a stream.
# max_ooo_bytes: maximum number of concurrent Out of order bytes in a stream.
# max_seq_holes: maximum number of concurrent Sequence number holes in a stream.
#
# disable_ooo_pkts_drop: disable drop for packets breaking out of order packet limits
# disable_ooo_bytes_drop: disable drop for packets breaking out of order bytes limits
# disable_ooo_sequence_drop: disable drop for packets breaking sequence num hole limits
# disable_evasive_rts_drop: disable evasive retransmission drops
# disable_oow_drop: disable out of window drops
#
# disable_proto_violation_drops: disable all protocol violation drops (does not disable normscale)
#
# disable_ooo_alerts: disable alerts for streams breaking the Out of order limits
#
#
# Stream4 uses Generator ID 111 and uses the following SIDS
# for that GID:
# SID Event description
# ----- -------------------
# 1 Stealth activity
# 2 Evasive RST packet
# 3 Evasive TCP packet retransmission
# 4 TCP Window violation
# 5 Data on SYN packet
# 6 Stealth scan: full XMAS
# 7 Stealth scan: SYN-ACK-PSH-URG
# 8 Stealth scan: FIN scan
# 9 Stealth scan: NULL scan
# 10 Stealth scan: NMAP XMAS scan
# 11 Stealth scan: Vecna scan
# 12 Stealth scan: NMAP fingerprint scan stateful detect
# 13 Stealth scan: SYN-FIN scan
# 14 TCP forward overlap

#preprocessor stream4: disable_evasion_alerts

#Stream4 with inline support example
#
preprocessor stream4: disable_evasion_alerts, \
stream4inline, \
enforce_state drop, \
memcap 134217728, \
timeout 3600, \
truncate, \
window_size 3000

# tcp stream reassembly directive
# no arguments loads the default configuration
# Only reassemble the client,
# Only reassemble the default list of ports (See below),
# Give alerts for "bad" streams
#
# Available options (comma delimited):
# clientonly - reassemble traffic for the client side of a connection only
# serveronly - reassemble traffic for the server side of a connection only
# both - reassemble both sides of a session
# noalerts - turn off alerts from the stream reassembly stage of stream4
# ports [list] - use the space separated list of ports in [list], "all"
# will turn on reassembly for all ports, "default" will turn
# on reassembly for ports 21, 23, 25, 53, 80, 143, 110, 111
# and 513
# favor_new used the most recent data of retransmissions. Most OS' work
# this way.
#
preprocessor stream4_reassemble: both, favor_new

# ClamAV virusscanning preprocessor
#
# This preprocessor will scan the data in the packets for virusses.
# See README.clamav for details and limitations.
#
# Available options (comma delimited):
#
# ports: a space delimited list of ports that will be scanned.
# all: all ports
# n : single port to be scanned
# !n : not scan port n (to be used with 'all')
#
# toclientonly: scan only the traffic to the client (tcp only)
# toserveronly: scan only the traffic to the server (tcp only)
#
# action-drop : drop the infected packet (snort_inline only)
# action-reset: reset the connection (snort_inline only)
#
# dbdir: path to the clamav definitions directory.
#
# dbreload-time: time in seconds to refresh the read of the AV signatures
#
# descriptor-temp-dir: sets the directory where we write the packet
# buffer for scanning of viri. Defaults to /tmp once again MOUNT a
# tmpfs file system as not to kill performance.
#
# block-failed-scans: if clamav reports an error while scanning a packet
# block the packet. NOTE: this uses the action set by 'action-drop' or
# 'action-reset' so if that is not set it still only alerts!
#
# Example:
preprocessor clamav: ports all !22 !443, toclientonly, action-drop, dbdir /var/lib/clamav, dbreload-time 43200
#
#clamav: ports all !22 !443, toclientonly, dbdir /usr/share/clamav, dbreload-time 43200

preprocessor http_inspect: global \
iis_unicode_map unicode.map 1252

preprocessor http_inspect_server: server default \
profile all ports { 80 8080 8180 } oversize_dir_length 500

# rpc_decode: normalize RPC traffic
# ---------------------------------
# RPC may be sent in alternate encodings besides the usual 4-byte encoding
# that is used by default. This plugin takes the port numbers that RPC
# services are running on as arguments - it is assumed that the given ports
# are actually running this type of service. If not, change the ports or turn
# it off.
# The RPC decode preprocessor uses generator ID 106
#
# arguments: space separated list
# alert_fragments - alert on any rpc fragmented TCP data
# no_alert_multiple_requests - don't alert when >1 rpc query is in a packet
# no_alert_large_fragments - don't alert when the fragmented
# sizes exceed the current packet size
# no_alert_incomplete - don't alert when a single segment
# exceeds the current packet size

preprocessor rpc_decode: 111 32771

# bo: Back Orifice detector
# -------------------------
# Detects Back Orifice traffic on the network. Takes no arguments in 2.0.
#
# The Back Orifice detector uses Generator ID 105 and uses the
# following SIDS for that GID:
# SID Event description
# ----- -------------------
# 1 Back Orifice traffic detected

preprocessor bo

# telnet_decode: Telnet negotiation string normalizer
# ---------------------------------------------------
# This preprocessor "normalizes" telnet negotiation strings from telnet and ftp
# traffic. It works in much the same way as the http_decode preprocessor,
# searching for traffic that breaks up the normal data stream of a protocol and
# replacing it with a normalized representation of that traffic so that the
# "content" pattern matching keyword can work without requiring modifications.
# This preprocessor requires no arguments.
# Portscan uses Generator ID 109 and does not generate any SID currently.

#preprocessor telnet_decode

# ftp_telnet: FTP & Telnet normalizer, protocol enforcement and buff overflow
# ---------------------------------------------------------------------------
# This preprocessor normalizes telnet negotiation strings from telnet and
# ftp traffic. It looks for traffic that breaks the normal data stream
# of the protocol, replacing it with a normalized representation of that
# traffic so that the "content" pattern matching keyword can work without
# requiring modifications.
#
# It also performs protocol correctness checks for the FTP command channel,
# and identifies open FTP data transfers.
#
# FTPTelnet has numerous options available, please read
# README.ftptelnet for help configuring the options for the global
# telnet, ftp server, and ftp client sections for the protocol.

#####
# Per Step #2, set the following to load the ftptelnet preprocessor
# dynamicpreprocessor <full path to libsf_ftptelnet_preproc.so>
# or use commandline option
# --dynamic-preprocessor-lib <full path to libsf_ftptelnet_preproc.so>

preprocessor ftp_telnet: global \
encrypted_traffic yes \
inspection_type stateful

preprocessor ftp_telnet_protocol: telnet \
normalize \
ayt_attack_thresh 200

# This is consistent with the FTP rules as of 18 Sept 2004.
# CWD can have param length of 200
# MODE has an additional mode of Z (compressed)
# Check for string formats in USER & PASS commands
# Check nDTM commands that set modification time on the file.
preprocessor ftp_telnet_protocol: ftp server default \
def_max_param_len 100 \
alt_max_param_len 200 { CWD } \
cmd_validity MODE < char ASBCZ > \
cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
telnet_cmds yes \
data_chan

preprocessor ftp_telnet_protocol: ftp client default \
max_resp_len 256 \
bounce yes \
telnet_cmds yes

# smtp: SMTP normalizer, protocol enforcement and buffer overflow
# ---------------------------------------------------------------------------
# This preprocessor normalizes SMTP commands by removing extraneous spaces.
# It looks for overly long command lines, response lines, and data header lines.
# It can alert on invalid commands, or specific valid commands. It can optionally
# ignore mail data, and can ignore TLS encrypted data.
#
# It also performs protocol correctness checks for the FTP command channel,
# and identifies open FTP data transfers.
#
# SMTP has numerous options available, please read README.smtp for help
# configuring options.

#####
# Per Step #2, set the following to load the smtp preprocessor
# dynamicpreprocessor <full path to libsf_smtp_preproc.so>
# or use commandline option
# --dynamic-preprocessor-lib <full path to libsf_smtp_preproc.so>

preprocessor smtp: \
ports { 25 } \
inspection_type stateful \
normalize cmds \
normalize_cmds { EXPN VRFY RCPT } \
alt_max_command_line_len 260 { MAIL } \
alt_max_command_line_len 300 { RCPT } \
alt_max_command_line_len 500 { HELP HELO ETRN } \
alt_max_command_line_len 255 { EXPN VRFY }


# sfPortscan
# ----------
# Author: Dan Roelker
# Portscan detection module. Detects various types of portscans and
# portsweeps. For more information on detection philosophy, alert types,
# and detailed portscan information, please refer to the README.sfportscan.
#
# -configuration options-
# proto { tcp udp icmp ip_proto all }
# The arguments to the proto option are the types of protocol scans that
# the user wants to detect. Arguments should be separated by spaces and
# not commas.
# scan_type { portscan portsweep decoy_portscan distributed_portscan all }
# The arguments to the scan_type option are the scan types that the
# user wants to detect. Arguments should be separated by spaces and not
# commas.
# sense_level { low|medium|high }
# There is only one argument to this option and it is the level of
# sensitivity in which to detect portscans. The 'low' sensitivity
# detects scans by the common method of looking for response errors, such
# as TCP RSTs or ICMP unreachables. This level requires the least
# tuning. The 'medium' sensitivity level detects portscans and
# filtered portscans (portscans that receive no response). This
# sensitivity level usually requires tuning out scan events from NATed
# IPs, DNS cache servers, etc. The 'high' sensitivity level has
# lower thresholds for portscan detection and a longer time window than
# the 'medium' sensitivity level. Requires more tuning and may be noisy
# on very active networks. However, this sensitivity levels catches the
# most scans.
# memcap { positive integer }
# The maximum number of bytes to allocate for portscan detection. The
# higher this number the more nodes that can be tracked.
# logfile { filename }
# This option specifies the file to log portscan and detailed portscan
# values to. If there is not a leading /, then snort logs to the
# configured log directory. Refer to README.sfportscan for details on
# the logged values in the logfile.
# watch_ip { Snort IP List }
# ignore_scanners { Snort IP List }
# ignore_scanned { Snort IP List }
# These options take a snort IP list as the argument. The 'watch_ip'
# option specifies the IP(s) to watch for portscan. The
# 'ignore_scanners' option specifies the IP(s) to ignore as scanners.
# Note that these hosts are still watched as scanned hosts. The
# 'ignore_scanners' option is used to tune alerts from very active
# hosts such as NAT, nessus hosts, etc. The 'ignore_scanned' option
# specifies the IP(s) to ignore as scanned hosts. Note that these hosts
# are still watched as scanner hosts. The 'ignore_scanned' option is
# used to tune alerts from very active hosts such as syslog servers, etc.
#
preprocessor sfportscan: proto { all } \
memcap { 10000000 } \
sense_level { low }

# DCE/RPC
#----------------------------------------
#
# The dcerpc preprocessor detects and decodes SMB and DCE/RPC traffic.
# It is primarily interested in DCE/RPC data, and only decodes SMB
# to get at the DCE/RPC data carried by the SMB layer.
#
# Currently, the preprocessor only handles reassembly of fragmentation
# at both the SMB and DCE/RPC layer. Snort rules can be evaded by
# using both types of fragmentation; with the preprocessor enabled
# the rules are given a buffer with a reassembled SMB or DCE/RPC
# packet to examine.
#
# At the SMB layer, only fragmentation using WriteAndX is currently
# reassembled. Other methods will be handled in future versions of
# the preprocessor.
#
# Autodetection of SMB is done by looking for "\xFFSMB" at the start of
# the SMB data, as well as checking the NetBIOS header (which is always
# present for SMB) for the type "SMB Session".
#
# Autodetection of DCE/RPC is not as reliable. Currently, two bytes are
# checked in the packet. Assuming that the data is a DCE/RPC header,
# one byte is checked for DCE/RPC version (5) and another for the type
# "DCE/RPC Request". If both match, the preprocessor proceeds with that
# assumption that it is looking at DCE/RPC data. If subsequent checks
# are nonsensical, it ends processing.
#
# DCERPC has numerous options available, please read README.dcerpc for help
# configuring options.

#####
# Per Step #2, set the following to load the dcerpc preprocessor
# dynamicpreprocessor <full path to libsf_dcerpc_preproc.so>
# or use commandline option
# --dynamic-preprocessor-lib <full path to libsf_dcerpc_preproc.so>

preprocessor dcerpc: \
autodetect \
max_frag_size 3000 \
memcap 100000

# DNS
#----------------------------------------
# The dns preprocessor (currently) decodes DNS Response traffic
# and detects a few vulnerabilities.
#
# DNS has a few options available, please read README.dns for
# help configuring options.

#####
# Per Step #2, set the following to load the dns preprocessor
# dynamicpreprocessor <full path to libsf_dns_preproc.so>
# or use commandline option
# --dynamic-preprocessor-lib <full path to libsf_dns_preproc.so>

preprocessor dns: \
ports { 53 } \
enable_rdata_overflow

# Performance Statistics
# ----------------------
# Documentation for this is provided in the Snort Manual. You should read it.
# It is included in the release distribution as doc/snort_manual.pdf
#
# preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000

### Logging alerts of outbound attacks
output alert_full: snort_inline-full
output alert_fast: snort_inline-fast

### If you want to log the contents of the dropped packets, remove comment
#output log_tcpdump: tcpdump.log

# Include classification & priority settings
include $RULE_PATH/classification.config
include $RULE_PATH/reference.config

### The Drop Rules
# Enabled
include $RULE_PATH/exploit.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/nntp.rules

### Disabled
include $RULE_PATH/other-ids.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/porn.rules
include $RULE_PATH/info.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/chat.rules
include $RULE_PATH/multimedia.rules
include $RULE_PATH/p2p.rules
include $RULE_PATH/spyware-put.rules

### Bleeding Rules
# include $RULE_PATH/bleeding.rules
# include $RULE_PATH/bleeding-attack_response.rules
# include $RULE_PATH/bleeding-botcc.rules
# include $RULE_PATH/bleeding-dos.rules
# include $RULE_PATH/bleeding-dshield.rules
# include $RULE_PATH/bleeding-exploit.rules
# include $RULE_PATH/bleeding-game.rules
# include $RULE_PATH/bleeding-inappropriate.rules
# include $RULE_PATH/bleeding-malware.rules
# include $RULE_PATH/bleeding-p2p.rules
# include $RULE_PATH/bleeding-policy.rules
# include $RULE_PATH/bleeding-scan.rules
# include $RULE_PATH/bleeding-virus.rules
# include $RULE_PATH/bleeding-voip.rules
# include $RULE_PATH/bleeding-web.rules

VENGA una ayudita por favor Estoy en Ubuntu 9.10 X64