Maybe I ran it once without the -T and it touched the so_stuff?
I just tried the following and I am still getting the snort segfaults only when PP tries to HUP - snort runs ok if I kick it off when it is not running:
- moved the entire snort dir and PP dir out of the way (renamed)
- built from source snort 2.9.0.5 and put the conf files in /etc/snort
- created rules dirs: mkdir /etc/snort/rules -and- mkdir /etc/snort/so_rules
- untar'd PP 0.6.0 and moved it all to: /etc/snort/pulledpork
- edited pulledpork.conf for my setup (everything is the same from my PP0.5.0 conf)
- edited snort.conf for my setup (looks at snort.rules file that PP generates and all other rules commented)
- untar'd snort rules: snortrules-snapshot-2904.tar.gz
- copied extracted rules to snort dirs:
-- cp /rules/* /etc/snort/rules
-- cp -r /preproc_rules/ /etc/snort/
-- cp /so_rules/precompiled/Centos-5-4/i386/2.9.0.4/* /etc/snort/so_rules/
- so I am putting the precompiled so_rules in place before I run PP for the first time
- I then run PP without the HUP so that it can create the snort.rules file:
-- /etc/snort/pulledpork/pulledpork.pl -l -T -c /etc/snort/pulledpork/etc/pulledpork.conf -i /etc/snort/pulledpork/etc/disablesid.conf
- I then start snort manually and everything is ok
- I then run PP with the -H and it causes snort to segfault
Something must be left over from the previous installation, either with snort or with PP - this should be a clean slate but apparently it is not.
I will do this again but will wipe the box completely first which will surely catch whatever it is I am missing.
Otherwise, is there something obvious I am missing in order to have a fresh, new snort and PP? While I admit that I don't fully understand shared object rules, I thought I had a fairly good handle on installation - I've installed snort/barnyard/PP/Base on clean boxes quite a few times now and I've never had this problem.