OpenWrt Forum Archive

Topic: snort 2.4.4 and MySQL 5.0

The content of this topic has been archived on 12 Feb 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

If anyone is interested, I've posted some snort 2.4.4 and libmysqlclient 5.0.18 packages and libs for RC5 at http://www.xmission.com/~fidelis/openwrt/packages/.

They were built using the latest SDK, but they aren't tested, so who knows? They may brick your router.

Hope someone finds them useful.

BTW OpenWRT team: Thanks for all the hard work; I've been having loads of fun for the last week and a half. :)

-sojourner

Can you send us a patch at <openwrt-devel AT openwrt DOT org> for your snort update and customizations?

Hi Nico.

For snort 2.4.4 the only thing I needed to do was remove all of the patches that were created for 2.3.3, change the Makefile version number and md5sum, and add a working startup script for snort and snort-wireless. I'll send you a tarball of my package/snort* folders.

-sojourner

Hi,

Thanks for posting these. I've just been playing with your release, trying to find the right combination of rules and preprocessors which would use less memory than I had installed on my WRT54GS :)

Here's what I eventually settled on, after much experimentation. This is using the PR ruleset from snort.org.

preprocessors:  flow, frag3, stream4 (with memcap 1M), http_inspect, rpc_decode, bo, telnet_decode, sfportscan (with memcap 2M)

all the standard rules minus: web-*.rules, smtp, imap, pop2, pop3, nntp, other-ids

Also: config detection: search-method lowmem

I don't claim to be a snort expert, but this seems to work OK with about 20MB of memory usage.

VmSize:    21208 kB
VmLck:         0 kB
VmRSS:     15624 kB
VmData:    19348 kB
VmStk:        68 kB
VmExe:       584 kB
VmLib:      1012 kB

I tried installing these packages; however, it won't connect to my MySQL server and I get the following error message in my syslog:

 FATAL ERROR: database: mysql_error: Can't connect to MySQL server on '192.168.1.104' (146)

As far as I know, all my permissions are correct on my database.

PS: double check that MySQL is listening for remote connections.

On a remote host: nmap <mysql server's ip> -p 3306

If it's closed: most default MySQL setups are locked to the local IP only.

Check what /etc/mysql/my.cnf says,

specifically:
bind-address        = 0.0.0.0   <my config>

I was messing with this as well, but still, for the life of me, couldn't get snort/mysql to work.

Plus, using just the regular setup (no MySQL), I get:

ERROR:
[!] ERROR: Can not get write access to logging directory "".
(directory doesn't exist or permissions are set incorrectly
or it is not a directory at all)

Yes, /var/log/snort exists, plus I have it mounted to a remote fs via shfsmount.

This is really racking my brain.

(Last edited by jimmyridge on 24 Feb 2008, 12:59)
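The my.cnf check suggested in the post above, written out as an added example that is not part of the original thread: it reads the `[mysqld]` section and reports whether the TCP listener is disabled, local-only, open on all interfaces, or bound to one address. The function name `mysql_bind_scope` and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify how a my.cnf exposes MySQL's TCP listener.
# mysql_bind_scope is a hypothetical helper name, not a MySQL tool.
# Output: networking-disabled | local-only | all-interfaces | specific:<addr> | unset
mysql_bind_scope() {
    [ -r "$1" ] || { echo "unreadable"; return 1; }
    awk '
        /^[ \t]*[#;]/ { next }                  # whole-line comments
        /^[ \t]*\[/   { in_mysqld = ($0 ~ /^[ \t]*\[mysqld\]/); next }
        !in_mysqld    { next }                  # only the server section counts
        {
            line = $0
            sub(/[ \t]*#.*$/, "", line)         # trailing comment
            n = index(line, "=")
            key = (n ? substr(line, 1, n - 1) : line)
            val = (n ? substr(line, n + 1) : "")
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            gsub(/_/, "-", key)                 # bind_address is accepted too
            if (key == "skip-networking") skip = 1
            if (key == "bind-address") addr = val   # last occurrence wins
        }
        END {
            if (skip) print "networking-disabled"
            else if (addr == "") print "unset"  # server built-in default applies
            else if (addr == "127.0.0.1" || addr == "localhost" || addr == "::1") print "local-only"
            else if (addr == "0.0.0.0" || addr == "::" || addr == "*") print "all-interfaces"
            else print "specific:" addr
        }
    ' "$1"
}

# Constructed sample config (not from the thread), checked when run directly.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[client]
port = 3306
[mysqld]
# bind-address = 0.0.0.0
bind-address = 127.0.0.1
EOF
echo "sample my.cnf: $(mysql_bind_scope "$sample")"
rm -f "$sample"
```

A `local-only` or `networking-disabled` result means a remote Snort sensor cannot reach the database over TCP; `specific:<addr>` on the LAN interface exposes less than `all-interfaces`.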

The discussion might have continued from here.