Snort mailing list archives
Re: Snort 2.9.0.1 & OpenBSD 4.8 build problems
From: Ross Lawrie <ross () riverstyx net>
Date: Mon, 06 Dec 2010 09:07:40 -0800
On Fri, 2010-12-03 at 13:41 -0500, Russ Combs wrote:
If you are having problems installing the DAQ on *BSD systems, please give this patch a try. It fixes some automake foo and removes an unsupported automake sort. To apply: cd daq-0.4/ patch -p0 < daq-bsd.diff make distclean autoreconf Then configure, make, make install as usual. You should not need to --disable-ipfw-module or --disable-static.
Russ, Thanks for this. I'm sure I must be doing something wrong as I've had no luck with this patched version either. I've built a brand new OpenBSD 4.8 box to try and test this out on my side, nothing else installed on it at this point; however I'm still seeing the same problems. I've installed libpcap 1.1.1 (./configure && make && make install) and libdnet 1.12 (./configure && make && make install && ln -s /usr/local/lib/libdnet.1.1 /usr/local/lib/libdnet.so.1.1) with no issues (as far as I can see). I have tried with your patch and still receive an error from Snort on ./configure that it is unable to find daq if I remove '--disable-ipfw-module'. With that disabled in the configure, Snort will run through configure and make/make install, however it doesn't appear to build any .so files. During the make I still see these messages: *** Warning: This system can not link to static lib archive /usr/local/lib/libdaq_static.la. *** I have the capability to make that library automatically link in when *** you link to this library. But I can only do this if you have a *** shared version of the library, which you do not appear to have. *** But as you try to build a module library, libtool will still create *** a static module, that should work as long as the dlopening application *** is linked with the -dlopen flag to resolve symbols at runtime. I should also note that when I try to run autoreconf as you suggested for the patched daq, I get this error: Provide an AUTOCONF_VERSION environment variable, please My configs are: DAQ-0.4: ./configure \ --with-libpcap-includes=/usr/local/include \ --with-libpcap-libraries=/usr/local/lib \ --with-dnet-includes=/usr/local/include \ --with-dnet-libraries=/usr/local/lib \ --disable-ipfw-module Snort 2.9.0.2: ./configure \ --sysconfdir=/etc/snort \ --with-daq-includes=/usr/local/include \ --with-daq-libraries=/usr/local/lib \ --with-libpcap-includes=/usr/local/include \ --with-libpcap-libraries=/usr/local/lib \ --with-dnet-libraries=/usr/local/lib \ --with-dnet-includes=/usr/local/include Off-topic, but if you still have the bounce error from your attempt to email me, could you forward it to me so I can check it out? Thanks, Ross.
Let me know how it goes. Thanks Russ FYI - Ross, your email address was bouncing yesterday (ross () riverstyx net). On Fri, Nov 5, 2010 at 1:29 PM, Ross Lawrie <ross () riverstyx net> wrote: On Fri, 2010-11-05 at 12:21 -0400, Russ Combs wrote: > > > On Fri, Nov 5, 2010 at 12:18 PM, Russ Combs <rcombs () sourcefire com> > wrote: > Did you configure Snort with --enable-dynamicplugin? > > Actually, that should have said try configuring with > --enable-dynamicplugin. > > Also, can you send your DAQ config.log and output of make when you > don't disable ipfw? > Hi Russ, I've tried adding --enable-dynamicplugin to my configure with the same result. Here's my current configure: ./configure \ --sysconfdir=/etc/snort \ --with-daq-includes=/usr/local/include \ --with-daq-libraries=/usr/local/lib \ --with-libpcap-includes=/usr/local/include \ --with-libpcap-libraries=/usr/local/lib \ --with-dnet-includes=/usr/local/include \ --with-dnet-libraries=/usr/local/lib \ --enable-perfprofiling \ --enable-ppm \ --enable-zlib \ --enable-dynamicplugin I've attched the config.logs for both Snort and DAQ (without the --disable-ipfw-module), and the make output for both. Ross. > > > On Fri, Nov 5, 2010 at 12:04 PM, Ross Lawrie > <ross () riverstyx net> wrote: > > > > On Fri, 2010-11-05 at 10:52 +0100, rmkml wrote: > > Hi Ross, > > Could you disable ipfw in daq please? > > If not work, please resend (snort) config.log. > > Regards > > Rmkml > > > > > > > > On Thu, 4 Nov 2010, Ross Lawrie wrote: > > > > > > > > On 2010-11-04, at 4:20 PM, Russ Combs wrote: > > > > > > > > > > > > On Thu, Nov 4, 2010 at 7:01 PM, Ross Lawrie > <ross () riverstyx net> wrote: > > > On Thu, 2010-11-04 at 18:18 -0400, > Russ Combs wrote: > > > > > > > > > > > > On Thu, Nov 4, 2010 at 6:12 PM, JJC > <cummingsj () gmail com> wrote: > > > > quickest way for you is to add this to > the snort ./configure > > > > options > > > > > > > > --disable-static-daq > > > > > > > > then when you start snort, add this: > > > > > > > > --daq-dir=/usr/local/lib/daq/ > > > > > > > > and voila > > > > > > > > The above is an excellent workaround. If you > want to debug farther: > > > > > > > > nm /usr/local/lib/libdaq_static.a | grep > daq_load_modules > > > > > > > > and send the output. I'm guessing that you will > see something like: > > > > > > > > 00000000000005ab T daq_load_modules > > > > > > > > Which means the symbol is there but isn't being > found by configure's > > > > test program. > > > > > > > > Let me know. > > > > > > > > > > > > > > > > JJC > > > > > > > > > > > > On Thu, Nov 4, 2010 at 3:38 PM, Ross > Lawrie > > > > <ross () riverstyx net> wrote: > > > > > Hi, > > > > > > > > > > I was hoping someone might be able to > offer some advice. > > > > I'm > > > > > encountered problems installing Snort > 2.9.0.1 on OpenBSD > > > > 4.8. I have > > > > > installed an updated libpcap (1.1.1), > libdnet (1.12) and DAQ > > > > (0.3) > > > > > without any obvious problems. DAQ > seems to install its > > > > libraries > > > > > correctly: > > > > > > > > > > ls -al /usr/local/lib/libdaq* > > > > > -rw-r--r-- 1 root wheel 40382 Nov > 4 14:26 libdaq.a > > > > > -rwxr-xr-x 1 root wheel 926 Nov > 4 14:26 libdaq.la > > > > > -rwxr-xr-x 1 root wheel 37400 Nov > 4 14:26 libdaq.so.0.1 > > > > > -rw-r--r-- 1 root wheel 41460 Nov > 4 14:26 > > > > libdaq_static.a > > > > > -rwxr-xr-x 1 root wheel 907 Nov > 4 14:26 > > > > libdaq_static.la > > > > > -rw-r--r-- 1 root wheel 61164 Nov > 4 14:27 > > > > libdaq_static_modules.a > > > > > -rwxr-xr-x 1 root wheel 931 Nov > 4 14:27 > > > > libdaq_static_modules.la > > > > > > > > > > I'm able to run daq-modules-config and > confirm that it is in > > > > my path: > > > > > > > > > > daq-modules-config --static --libs > > > > > -L/usr/local/lib -ldaq_static_modules > > > > > > > > > > ldconfig sees the libdaq library: > > > > > > > > > > ldconfig -Rv /usr/local/lib 2>&1 | > grep daq > > > > > Adding /usr/local/lib/libdaq.so.0.1 > > > > > > > > > > However when I try to configure Snort > I receive this error: > > > > > > > > > > ... > > > > > checking for pcap_datalink in > -lpcap... yes > > > > > checking for pcap_lex_destroy... no > > > > > checking for pcap_lib_version... yes > > > > > checking pcre.h usability... yes > > > > > checking pcre.h presence... yes > > > > > checking for pcre.h... yes > > > > > checking for pcre_compile in -lpcre... > yes > > > > > checking for libpcre version 6.0 or > greater... yes > > > > > checking dnet.h usability... yes > > > > > checking dnet.h presence... yes > > > > > checking for dnet.h... yes > > > > > checking for eth_set in -ldnet... yes > > > > > checking for dlsym in -ldl... no > > > > > checking for dlsym in -lc... yes > > > > > checking for daq_load_modules in > -ldaq_static... no > > > > > > > > > > ERROR! daq_static library not > found, go get it from > > > > > http://www.snort.org/. > > > > > > > > > > The configure string I'm using for > Snort is: > > > > > > > > > > ./configure \ > > > > > --sysconfdir=/etc/snort \ > > > > > --with-daq-includes=/usr/local/include > \ > > > > > --with-daq-libraries=/usr/local/lib \ > > > > > > --with-libpcap-includes=/usr/local/include \ > > > > > > --with-libpcap-libraries=/usr/local/lib \ > > > > > > --with-dnet-includes=/usr/local/include \ > > > > > --with-dnet-libraries=/usr/local/lib > > > > > > > > > > I've seen some suggestion that > building DAQ without the ipfw > > > > module > > > > > could help, but I still encounter the > same issue. > > > > > > > > > > Appreciate any suggestions, > > > > > > > > > > Ross. > > > > > > > > > > > > > > > > > > Hi, > > > > > > JJC: that worked however it looks like Snort's not > > > > building /usr/local/lib/snort_dynamicengine/libsf_engine.so for some > > > reason now. > > > > > > Nov 4 15:48:19 snort[17745]: FATAL ERROR: > parser.c(5235) Could not stat > > > dynamic module path > > > > "/usr/local/lib/snort_dynamicengine/libsf_engine.so": > No such file or > > > directory. > > > > > > > > > Russ: You're right, the output looks much like you > anticipated: > > > > > > nm /usr/local/lib/libdaq_static.a | grep > daq_load_modules > > > 000008c0 T daq_load_modules > > > > > > I've attached two config.log files, one generated > when I try to include > > > the static daq libraries, and the other when I > configure without them. > > > > > > Definitely appreciate the help, I haven't had any > problems in the past > > > and this one just has me banging my head against > the wall. > > > > > > > > > OK, now try this: > > > > > > sudo ldconfig -p | grep daq > > > > > > Edit /etc/ld.so.conf and add a line > with /usr/local/lib. Then: > > > > > > sudo ldconfig -v | grep daq > > > > > > > > > ldconfig's not quite the same on OpenBSD, but I > can confirm that the directory containing daq > (/usr/local/lib) is already in the hints for ldconfig: > > > > > > ldconfig -rv | grep daq > > > search > directories: /usr/lib:/usr/X11R6/lib:/usr/local/lib:/usr/local/lib/daq:/usr/local/lib/snort_dynamicengine:/usr/local/lib/snort_dynamicpreprocessor > > > 112:-ldaq.0.1 > => /usr/local/lib/libdaq.so.0.1 > > > > > > Ross. > > > > > > > > > > > > How frustrating and embarrassing; I know that I tried > this several times > over the last few days as I'd seen it mentioned in one > of the few > threads I'd found with similar issues -- and I'd had > no results from it. > > Anyway, this time (with --disable-ipfw-module used for > DAQ 0.3) Snort > was able to configure and build. > > That said, I'm now encountering this issue when trying > to start Snort: > > FATAL ERROR: parser.c(5235) Could not stat dynamic > module path > "/usr/local/lib/snort_dynamicengine/libsf_engine.so": > No such file or > directory. > > > Sure enough, that file doesn't exist (no so files are > in either > snort_dynamicengine or snort_dynamicprocessor) and I > noticed this (or > similar) several times during the make: > > ... > /bin/sh ../../../libtool --tag=CC --mode=link gcc > -g -O2 > -fvisibility=hidden -fno-strict-aliasing -Wall > -shared -export-dynamic > -module -L/usr/local/lib -L/usr/local/lib > -Wl,-R/usr/local/lib -lpcre > -L/usr/local/lib -ldnet -L/usr/local/lib -o > libsf_engine.la > -rpath /usr/local/lib/snort_dynamicengine bmh.lo > sf_snort_detection_engine.lo sf_snort_plugin_api.lo > sf_snort_plugin_byte.lo sf_snort_plugin_content.lo > sf_snort_plugin_hdropts.lo sf_snort_plugin_loop.lo > sf_snort_plugin_pcre.lo sf_snort_plugin_rc4.lo > sfhashfcn.lo sfghash.lo > sfprimetable.lo sf_ip.lo -ldaq_static -lpcre -lpcap > -lm -lm > -L/usr/local/lib -ldaq_static_modules > > > *** Warning: This system can not link to static lib > archive /usr/local/lib/libdaq_static.la. > *** I have the capability to make that library > automatically link in > when > *** you link to this library. But I can only do this > if you have a > *** shared version of the library, which you do not > appear to have. > *** But as you try to build a module library, libtool > will still create > *** a static module, that should work as long as the > dlopening > application > *** is linked with the -dlopen flag to resolve symbols > at runtime. > libtool: link: ar > cru .libs/libsf_engine.a .libs/bmh.o .libs/sf_snort_detection_engine.o .libs/sf_snort_plugin_api.o .libs/sf_snort_plugin_byte.o .libs/sf_snort_plugin_content.o .libs/sf_snort_plugin_hdropts.o .libs/sf_snort_plugin_loop.o .libs/sf_snort_plugin_pcre.o .libs/sf_snort_plugin_rc4.o .libs/sfhashfcn.o .libs/sfghash.o .libs/sfprimetable.o .libs/sf_ip. > ... > > I've attached my config.log in case it provides > insight. > > Ross. > > > ------------------------------------------------------------------------------ > The Next 800 Companies to Lead America's Growth: New > Video Whitepaper > David G. Thomson, author of the best-selling book > "Blueprint to a > Billion" shares his insights and actions to help > propel your > business during the next growth cycle. Listen Now! > http://p.sf.net/sfu/SAP-dev2dev > _______________________________________________ > Snort-users mailing list > Snort-users () lists sourceforge net > Go to this URL to change user options or unsubscribe: > https://lists.sourceforge.net/lists/listinfo/snort-users > Snort-users list archive: > http://www.geocrawler.com/redir-sf.php3?list=snort-users > > > ------------------------------------------------------------------------------ Increase Visibility of Your 3D Game App & Earn a Chance To Win $500! Tap into the largest installed PC base & get more eyes on your game by optimizing for Intel(R) Graphics Technology. Get started today with the Intel(R) Software Partner Program. Five $500 cash prizes are up for grabs. http://p.sf.net/sfu/intelisp-dev2dev _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------------ What happens now with your Lotus Notes apps - do you make another costly upgrade, or settle for being marooned without product support? Time to move off Lotus Notes and onto the cloud with Force.com, apps are easier to build, use, and manage than apps on traditional platforms. Sign up for the Lotus Notes Migration Kit to learn more. http://p.sf.net/sfu/salesforce-d2d _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Re: Snort 2.9.0.1 & OpenBSD 4.8 build problems, (continued)
- Message not available
- Re: Snort 2.9.0.1 & OpenBSD 4.8 build problems Russ Combs (Dec 03)
- Re: Snort 2.9.0.1 & OpenBSD 4.8 build problems Randal T. Rioux (Dec 04)
- Re: Snort 2.9.0.1 & OpenBSD 4.8 build problems Joel Esler (Dec 05)
- Re: Snort 2.9.0.1 & OpenBSD 4.8 build problems Russ Combs (Dec 06)
- Re: Snort 2.9.0.1 & OpenBSD 4.8 build problems Randal T. Rioux (Dec 11)
- Re: Snort 2.9.0.1 & OpenBSD 4.8 build problems JJ Cummings (Dec 12)
- Re: Snort 2.9.0.1 & OpenBSD 4.8 build problems Ross Lawrie (Dec 10)
- Re: Snort 2.9.0.1 & OpenBSD 4.8 build problems Russ Combs (Dec 10)
- Re: Snort 2.9.0.1 & OpenBSD 4.8 build problems JJC (Dec 10)
- Re: Snort 2.9.0.1 & OpenBSD 4.8 build problems Randal T. Rioux (Dec 11)
- Re: Snort 2.9.0.1 & OpenBSD 4.8 build problems Ross Lawrie (Dec 06)
- Re: Snort 2.9.0.1 & OpenBSD 4.8 build problems Russ Combs (Dec 06)