Snort mailing list archives
Tip: Building Snort 2.2.0 under 64-bit Sun sparc sol9
From: "Jacques Brierre" <jbrierre () Lanier com>
Date: Mon, 11 Oct 2004 10:46:29 -0400

This is a heads-up/FYI for building snort on 64-bit sparc solaris 9. I had to spend a day at it - unexpectedly (but this is not a complaint.) There were 3 hurdles to overcome. Google helped --A LOT (of course!)

Cheers! I hope this helps someone. Thanks to all posters and contributors to this site. I am learning a whole lot from you.

Limitations:
1) these may not be the most elegant or complete methods. I needed it to work this weekend!
2) there may be more problems not yet encountered - only the problems listed were resolved.
3) this is for a Sun/Solaris 9 64 bit system. Had I been running 32 bit mode, I might have encountered different or no problems.

My system:
SunOS 5.9 sun4u sparc SUNW,Ultra-2
Memory size: 512 Megabytes
2 sparcv9 processors / 168 MHz
gcc version 3.4.2

--- problems and resolution ---

1- libpcap

./configure error generated:

    checking for pcap_datalink in -lpcap... no

    ERROR! Libpcap library/headers not found, go get it from
    http://www.tcpdump.org
    or use the --with-libpcap-* options, if you have it installed
    in unusual place
    -bash-3.00$

hint: in configure.log

    configure:5826: checking for pcap_datalink in -lpcap
    configure:5859: gcc -o conftest -g -O2 -Wall -DBSD_COMP -D_REENTRANT -I/usr/local/include/ -L/usr/local/lib/ conftest.c -lpcap -lm -lsocket -lnsl >&5
    ld: warning: file /usr/local/lib//libpcap.a(pcap.o): wrong ELF class: ELFCLASS64
    Undefined                       first referenced
     symbol                             in file
    pcap_datalink                       /var/tmp//ccM9VScB.o
    ld: fatal: Symbol referencing errors. No output written to conftest

problem: linker not set for 64-bit mode

Fix: force gcc to 64-bit mode

    sudo env CC="gcc -m64" sh ./configure --with-mysql=/usr/local/mysql

result: worked for me.

credit: http://pari.math.u-bordeaux.fr/archives/pari-dev-0310/msg00039.html

2. libpcre compile stops with the last instruction:

    gcc -m64 -g -O2 -Wall -L/usr/local/lib/ -L/usr/local/lib/ -L/usr/local/mysql/lib -o snort codes.o debug.o decode.o log.o mstring.o parser.o plugbase.o snort.o snprintf.o strlcatu.o strlcpyu.o tag.o ubi_BinTree.o ubi_SplayTree.o util.o detect.o signature.o mempool.o sf_sdlist.o fpcreate.o fpdetect.o pcrm.o byte_extract.o sfthreshold.o packet_time.o event_wrapper.o event_queue.o output-plugins/libspo.a detection-plugins/libspd.a preprocessors/libspp.a preprocessors/flow/portscan/libportscan.a preprocessors/flow/libflow.a parser/libparser.a preprocessors/HttpInspect/libhttp_inspect.a sfutil/libsfutil.a -lz -lpcre -lpcap -lm -lsocket -lnsl -lmysqlclient
    Undefined                       first referenced
     symbol                             in file
    IXDR_GET_LONG                       detection-plugins/libspd.a(sp_rpc_check.o)
    ld: fatal: Symbol referencing errors. No output written to snort
    collect2: ld returned 1 exit status
    make[3]: *** [snort] Error 1
    make[3]: Leaving directory `/data/sol9/arch/snort-2.2.0/src'
    make[2]: *** [all-recursive] Error 1
    make[2]: Leaving directory `/data/sol9/arch/snort-2.2.0/src'

problem/fix/credit:

From: http://archives.neohapsis.com/archives/snort/2004-04/0674.html

I figured this one out, with help from George. Posting it so that I can find it again once I run into this issue a year from now.

The only place in the code where I saw IXDR_GET_LONG being referenced was in detection-plugins/sp_rpc_check.c

As far as the includes, this symbol was only defined in rpc/xdr.h (which George pointed out), but this file wasn't included in the snort source.

After trying (unsuccessfully) to "#include <rpc/xdr.h>" at the top of sp_rpc_check.c, I just took the part where this symbol is defined in xdr.h and threw it into sp_rpc_check.c: "#define IXDR_GET_LONG(buf) ((long)ntohl((ulong_t)*(buf)++))".

After that, no issues...

-G-

3) libpcre (just when you thought all was well...)

    -bash-3.00$ sudo /usr/local/bin/snort -vde
    Password:
    ld.so.1: /data/local/bin/snort: fatal: libpcre.so.0: open failed: No such file or directory
    Killed
    -bash-3.00$

    -bash-3.00$ ldd /usr/local/bin/snort
            libz.so.1 => /usr/lib/64/libz.so.1
            libpcre.so.0 => (file not found)
            libm.so.1 => /usr/lib/64/libm.so.1
            libsocket.so.1 => /usr/lib/64/libsocket.so.1
            libnsl.so.1 => /usr/lib/64/libnsl.so.1
            libc.so.1 => /usr/lib/64/libc.so.1
            libdl.so.1 => /usr/lib/64/libdl.so.1
            libmp.so.2 => /usr/lib/64/libmp.so.2
            /usr/platform/SUNW,Ultra-2/lib/sparcv9/libc_psr.so.1
    -bash-3.00$

    -bash-3.00$ truss -f -r all -v all -w all /usr/local/bin/snort
    9328: execve("/data/local/bin/snort", 0xFFFFFFFF7FFFFCD8, 0xFFFFFFFF7FFFFCE8) argc = 1
    9328: mmap(0x00000000, 8192, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANON, -1, 0) = 0xFFFFFFFF7F500000
    9328: resolvepath("/data/local/bin/snort", "/data/local/bin/snort", 1023) = 21
    9328: resolvepath("/usr/lib/sparcv9/ld.so.1", "/usr/lib/sparcv9/ld.so.1", 1023) = 24
    9328: stat("/data/local/bin/snort", 0xFFFFFFFF7FFFF948) = 0
    9328:     d=0x000000200000001F i=8356 m=0100755 l=1 u=0 g=1 sz=2769560
    9328:     at = Oct 11 01:52:52 EDT 2004 [ 1097473972 ]
    9328:     mt = Oct 11 01:44:43 EDT 2004 [ 1097473483 ]
    9328:     ct = Oct 11 01:44:44 EDT 2004 [ 1097473484 ]
    9328:     bsz=8192 blks=5440 fs=ufs
    9328: open("/var/ld/64/ld.config", O_RDONLY) Err#2 ENOENT
    9328: stat("/usr/lib/64/libz.so.1", 0xFFFFFFFF7FFFF040) = 0
    9328:     d=0x0000002000000010 i=231619 m=0100755 l=1 u=0 g=2 sz=71112
    9328:     at = Oct 11 01:52:27 EDT 2004 [ 1097473947 ]
    9328:     mt = Oct 13 11:39:43 EDT 2003 [ 1066059583 ]
    9328:     ct = Oct 2 19:56:09 EDT 2004 [ 1096761369 ]
    9328:     bsz=8192 blks=140 fs=ufs
    9328: open("/usr/lib/64/libz.so.1", O_RDONLY) = 3
    9328: mmap(0x00100000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_ALIGN, 3, 0) = 0xFFFFFFFF7F400000
    9328: mmap(0x00100000, 1114112, PROT_NONE, MAP_PRIVATE|MAP_NORESERVE|MAP_ANON|MAP_ALIGN, -1, 0) = 0xFFFFFFFF7F200000
    9328: mmap(0xFFFFFFFF7F200000, 52630, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFFFFFFFF7F200000
    9328: mmap(0xFFFFFFFF7F30C000, 11448, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 49152) = 0xFFFFFFFF7F30C000
    9328: munmap(0xFFFFFFFF7F20E000, 1040384) = 0
    9328: resolvepath("/usr/lib/sparcv9/libz.so.1", "/usr/lib/sparcv9/libz.so.1", 1023) = 26
    9328: memcntl(0xFFFFFFFF7F200000, 6768, MC_ADVISE, MADV_WILLNEED, 0, 0) = 0
    9328: close(3) = 0
    9328: stat("/usr/lib/64/libpcre.so.0", 0xFFFFFFFF7FFFF040) Err#2 ENOENT
    ld.so.1: /data/local/bin/snort: fatal: libpcre.so.0: open failed: No such file or directory
    9328: write(2, 0xFFFFFFFF7F72E510, 92) = 92
    9328:     l d . s o . 1 : / d a t a / l o c a l / b i n / s n o r t :
    9328:     f a t a l : l i b p c r e . s o . 0 : o p e n f a i l e d
    9328:     : N o s u c h f i l e o r d i r e c t o r y\n
    9328: munmap(0xFFFFFFFF7F400000, 8192) = 0
    9328: lwp_self() = 1
    -bash-3.00$

fix:

    # cd /usr/lib/64
    # ln -s /usr/local/lib/libpcre* .

    -bash-3.00$ ls -l libpcr*
    lrwxrwxrwx 1 root other 24 Oct 11 02:03 libpcre.a -> /usr/local/lib/libpcre.a
    lrwxrwxrwx 1 root other 25 Oct 11 02:03 libpcre.la -> /usr/local/lib/libpcre.la
    lrwxrwxrwx 1 root other 25 Oct 11 02:03 libpcre.so -> /usr/local/lib/libpcre.so
    lrwxrwxrwx 1 root other 27 Oct 11 02:03 libpcre.so.0 -> /usr/local/lib/libpcre.so.0
    lrwxrwxrwx 1 root other 31 Oct 11 02:03 libpcre.so.0.0.1 -> /usr/local/lib/libpcre.so.0.0.1
    -bash-3.00$

result:

    -bash-3.00$ ldd /usr/local/bin/snort
            libz.so.1 => /usr/lib/64/libz.so.1
            libpcre.so.0 => /usr/lib/64/libpcre.so.0
            libm.so.1 => /usr/lib/64/libm.so.1
            libsocket.so.1 => /usr/lib/64/libsocket.so.1
            libnsl.so.1 => /usr/lib/64/libnsl.so.1
            libc.so.1 => /usr/lib/64/libc.so.1
            libdl.so.1 => /usr/lib/64/libdl.so.1
            libmp.so.2 => /usr/lib/64/libmp.so.2
            /usr/platform/SUNW,Ultra-2/lib/sparcv9/libc_psr.so.1
    -bash-3.00$

    -bash-3.00$ sudo snort -vde
    Running in packet dump mode
    Log directory = /var/log/snort

    Initializing Network Interface hme0

            --== Initializing Snort ==--
    Initializing Output Plugins!
    Decoding Ethernet on interface hme0

            --== Initialization Complete ==--

    -*> Snort! <*-
    Version 2.2.0 (Build 30)
    By Martin Roesch (roesch () sourcefire com, www.snort.org)
    10/11-02:07:54.775238 8:0:20:85:73:64 -> 0:5:2:9:BF:ED type:0x800 len:0x92
    172.16.1.110:22 -> 172.16.1.100:50860 TCP TTL:60 TOS:0x0 ID:32202 IpLen:20 DgmLen:132 DF
    ***AP*** Seq: 0x237FC9B5 Ack: 0x1E383DA4 Win: 0xC050 TcpLen: 32
    TCP Options (3) => NOP NOP TS: 20483282 3041158363
    5C FA 6A 76 1E 09 A0 41 9F 27 94 89 8A CF 1D F0  \.jv...A.'......
    2C CD D2 D7 FB DF 25 B8 26 21 BF 84 F2 29 EE 2A  ,.....%.&!...).*
    96 2A FE 93 54 A8 C2 E5 7C E2 04 65 50 6E CD A8  .*..T...|..ePn..
    91 C6 BC AD D5 D8 E2 3D C3 49 90 93 0A FA 6E E3  .......=.I....n.

    ^C
    ===============================================================================
    Snort received 160 packets
        Analyzed: 160(100.000%)
        Dropped: 0(0.000%)
    ===============================================================================
    Breakdown by protocol:
        TCP: 160 (100.000%)
        UDP: 0 (0.000%)
        ICMP: 0 (0.000%)
        ARP: 0 (0.000%)
        EAPOL: 0 (0.000%)
        IPv6: 0 (0.000%)
        IPX: 0 (0.000%)
        OTHER: 0 (0.000%)
        DISCARD: 0 (0.000%)
    ===============================================================================
    Action Stats:
    ALERTS: 0
    LOGGED: 0
    PASSED: 0
    ===============================================================================
    Snort exiting
    -bash-3.00$

jacques brierre
---
Lanier | Ricoh
973-882-2000 x6248
256-282-4911 - cell
---
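
The "wrong ELF class: ELFCLASS64" warning for libpcap.a(pcap.o) in problem 1 can be checked before running ./configure. The following is an added example, not part of the original post: it reads the EI_CLASS byte of every object inside a static archive and lists the members that do not match the class the compiler will target. All function names and the sample archive are constructed for illustration.

```python
AR_MAGIC = b"!<arch>\n"
ELF_MAGIC = b"\x7fELF"
ELF_CLASSES = {1: "ELFCLASS32", 2: "ELFCLASS64"}   # e_ident[EI_CLASS] values
SPECIAL = ("/", "//", "/SYM64/")                   # symbol / long-name tables

def elf_class(data):
    """Return 'ELFCLASS32' or 'ELFCLASS64' for an ELF image, else None."""
    if len(data) < 5 or data[:4] != ELF_MAGIC:
        return None
    return ELF_CLASSES.get(data[4])

def archive_classes(blob):
    """Map each member of an ar archive (.a) to its ELF class (or None)."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    out, pos = {}, len(AR_MAGIC)
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]                   # fixed 60-byte member header
        if hdr[58:60] != b"`\n":
            raise ValueError("bad member header at offset %d" % pos)
        name = hdr[:16].decode("ascii").rstrip()
        size = int(hdr[48:58].decode("ascii"))
        if name not in SPECIAL:
            body = blob[pos + 60:pos + 60 + size]
            out[name.rstrip("/")] = elf_class(body)
        pos += 60 + size + (size & 1)              # members are 2-byte aligned
    return out

def mismatches(blob, want):
    """Names of ELF members whose class differs from the build target."""
    found = archive_classes(blob)
    return sorted(n for n, c in found.items() if c not in (None, want))

def make_member(name, body):
    """Build one SVR4-style ar member; used only for the constructed sample."""
    hdr = "%-16s%-12s%-6s%-6s%-8s%-10s`\n" % (
        name + "/", "0", "0", "0", "100644", len(body))
    return hdr.encode("ascii") + body + (b"\n" if len(body) % 2 else b"")

# Constructed sample: a 64-bit object, a 32-bit object and a text file.
SAMPLE = (AR_MAGIC
          + make_member("pcap.o", ELF_MAGIC + b"\x02\x02\x01" + b"\0" * 9)
          + make_member("old.o", ELF_MAGIC + b"\x01\x02\x01")
          + make_member("README", b"text"))

if __name__ == "__main__":
    # A 32-bit build would trip over pcap.o, as in the linker warning above.
    print(mismatches(SAMPLE, "ELFCLASS32"))
```

To check a real library, pass the bytes of the file, for example `mismatches(open("/usr/local/lib/libpcap.a", "rb").read(), "ELFCLASS32")`.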