Snort mailing list archives
Re: 32bit snort rpm
From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 02 Oct 2015 10:09:56 -0600
What's the end of your DAQ ./configure look like? I.E.:

Build AFPacket DAQ module.. : yes
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : no
Build NFQ DAQ module....... : no
Build PCAP DAQ module...... : yes
Build netmap DAQ module.... : no

James

On 2015-10-02 09:56 AM, Lamont, Brian A. wrote:
-T without --daq pcap showed no errors. Changing to -D still complained about missing --daq pcap

-----Original Message-----
From: James Lay [mailto:jlay () slave-tothe-box net]
Sent: Friday, October 02, 2015 8:46 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] 32bit snort rpm

Drop the --daq pcap as that's the default anyway. In a console try:

/usr/local/bin/snort -T -u snort -g snort -c /etc/snort/snort.conf

Should run a test and give you any errors, if none then change your -T to -D.

James

On 2015-10-02 09:28 AM, Lamont, Brian A. wrote:

I have. I export the library path first, then run the full snort command below. You suppose there’s a flub with the library path, something not listed?

/usr/local/bin/snort -D -u snort -g snort -c /etc/snort/snort.conf --daq pcap;

From: Al Lewis (allewi) [mailto:allewi () cisco com]
Sent: Thursday, October 01, 2015 4:29 PM
To: Lamont, Brian A.
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] 32bit snort rpm

I would test that you can run it manually first. Then create a script.

Albert Lewis
QA Software Engineer
SOURCEFIRE, Inc. now part of CISCO
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Lamont, Brian A. [mailto:Brian.Lamont () gd-ms com]
Sent: Thursday, October 01, 2015 6:49 PM
To: Al Lewis (allewi)
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] 32bit snort rpm

We have a startup script.
-------------------------------
#!/bin/sh
case $1 in
'start')
    LD_LIBRARY_PATH=/opt/snort-build/lib:/usr/local/lib:/usr/local/lib/snort_dynamicpreprocessor:/usr/local/lib/snort_dynamicengine:/usr/local/lib;
    export LD_LIBRARY_PATH;
    /usr/local/bin/snort -D -u snort -g snort -c /etc/snort/snort.conf --daq pcap;
    ;;
'stop')
    kill -1 `ps -ef | grep snort | grep -v grep | awk '{print $2}'`
    ;;
*)
    echo "Usage: $0 start|stop" >&2
    exit 1
    ;;
esac
exit 0

From: Al Lewis (allewi) [mailto:allewi () cisco com]
Sent: Thursday, October 01, 2015 3:44 PM
To: Lamont, Brian A.
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] 32bit snort rpm

How are you starting snort to get that error?

Albert Lewis
QA Software Engineer
SOURCEFIRE, Inc. now part of CISCO
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Lamont, Brian A. [mailto:Brian.Lamont () gd-ms com]
Sent: Thursday, October 01, 2015 6:14 PM
To: Stephen Gantz
Cc: Al Lewis (allewi); snort-users () lists sourceforge net
Subject: RE: [Snort-users] 32bit snort rpm

Ok I cleared up the RULE_PATH variable since it had not referenced the correct directory. Now I can’t find daq or pcap at snort startup.

15 x88022 snort[16459]: +----------------------------------------------------------------
Oct 1 14:48:15 x88022 snort[16459]: [ Number of patterns truncated to 20 bytes: 24 ]
Oct 1 14:48:15 x88022 snort[16459]: FATAL ERROR: Can't find pcap DAQ!
In /usr/bin I have:
daq-modules-config -> /opt/snort-build/bin/daq-modules-config

In /usr/sbin:
pcap-config -> /opt/snort-build/bin/pcap-config

For libdnet:
[root@x88022 sbin]# ls -al /usr/local/lib/libdnet.1
lrwxrwxrwx 1 root root 13 Sep 14 13:58 /usr/local/lib/libdnet.1 -> libdnet.1.0.1
[root@x88022 sbin]# ls -al /opt/snort-build/lib/libdnet*
lrwxrwxrwx 1 root root 24 Oct 1 15:01 libdnet.1 -> /usr/local/lib/libdnet.1

[root@x88022 lib]# ldd /usr/local/bin/snort
linux-gate.so.1 => (0x00655000)
libdnet.1 => /usr/local/lib/libdnet.1 (0x00e79000)
libpcre.so.0 => /lib/libpcre.so.0 (0x0066e000)
libnsl.so.1 => /lib/libnsl.so.1 (0x00c2a000)
libuuid.so.1 => /lib/libuuid.so.1 (0x004e3000)
libm.so.6 => /lib/libm.so.6 (0x00159000)
libcrypto.so.6 => /lib/libcrypto.so.6 (0x078b5000)
libdl.so.2 => /lib/libdl.so.2 (0x00699000)
libpcap.so.1 => /usr/local/lib/libpcap.so.1 (0x007a4000)
libsfbpf.so.0 => /usr/local/lib/libsfbpf.so.0 (0x00a93000)
libz.so.1 => /lib/libz.so.1 (0x006a0000)
libpthread.so.0 => /lib/libpthread.so.0 (0x006b5000)
libc.so.6 => /lib/libc.so.6 (0x00182000)
/lib/ld-linux.so.2 (0x004f1000)
[root@x88022 lib]# snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.7.5 GRE (Build 262)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.7.4
           Using PCRE version: 6.6 06-Feb-2006
           Using ZLIB version: 1.2.3

From: Stephen Gantz [mailto:stephen.gantz () faculty umuc edu]
Sent: Thursday, October 01, 2015 12:16 PM
To: Lamont, Brian A.
Cc: Al Lewis (allewi); snort-users () lists sourceforge net
Subject: Re: [Snort-users] 32bit snort rpm

Try setting RULE_PATH to an absolute path instead of the relative one in snort.conf by default.

Dr. Stephen D. Gantz CISSP-ISSAP, CEH, CGEIT, CRISC, CIPP/G, C|CISO
Professor of Information Assurance
The Graduate School
University of Maryland University College
stephen.gantz () faculty umuc edu

On Oct 1, 2015, at 2:55 PM, Lamont, Brian A. <Brian.Lamont () gd-ms com> wrote:

This path exists on my 64 bit systems, /etc/snort/rules/local.rules but the one in the error below does not. And the rules directory on the 64 bit systems is full of rules, but I'm unable to find the default set in the build area, and community rules file is all find on the website.

Oct 1 11:29:54 x88022 snort[10659]: FATAL ERROR: /etc/snort/../rules/local.rules(0) Unable to open rules file "/etc/snort/../rules/local.rules": No such file or directory.

-----Original Message-----
From: Al Lewis (allewi) [mailto:allewi () cisco com]
Sent: Wednesday, September 30, 2015 4:43 PM
To: Lamont, Brian A.
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] 32bit snort rpm

Is this a copy paste error?

"/usr/local/lib/libpcap.so.1 -> /opt/snort-build/lib"

If not... I think your link is wrong.

This---> /usr/local/lib/libpcap.so.1

Should link to your libpcap file and not the directory.

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

-----Original Message-----
From: Lamont, Brian A. [mailto:Brian.Lamont () gd-ms com]
Sent: Wednesday, September 30, 2015 7:29 PM
To: Al Lewis (allewi)
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] 32bit snort rpm

Appears to be a library linkage that’s not right, and maybe it's obvious but I don't chase these issues much. So while I continue to look I'll send you what I have. Since we installed libpcap.so.1.7.4, I'm guessing we need to make sure libpcap.so.1 can find it.
In the startup script I have LD_LIBRARY_PATH exported as follows:

LD_LIBRARY_PATH=/opt/snort-build/lib:/usr/local/lib; export LD_LIBRARY_PATH;

The error ---
[root@x88022 rc3.d]# ./S99snortd start
/usr/local/bin/snort: error while loading shared libraries: /usr/local/lib/libpcap.so.1: cannot read file data: Error 21

Links to libpcap.so.1 ---
[root@x88022 ~]# ls -al /usr/local/lib/libpcap*
lrwxrwxrwx 1 root root 20 Sep 29 14:42 /usr/local/lib/libpcap.so.1 -> /opt/snort-build/lib

/opt/snort-build is where I built snort and all packages. ---
[root@x88022 ~]# ls -al /opt/snort-build/lib/libpcap*
-rw-r--r-- 1 root root 695832 Sep 29 14:06 /opt/snort-build/lib/libpcap.a
lrwxrwxrwx 1 root root 12 Sep 29 14:06 /opt/snort-build/lib/libpcap.so -> libpcap.so.1
lrwxrwxrwx 1 root root 16 Sep 29 14:06 /opt/snort-build/lib/libpcap.so.1 -> libpcap.so.1.7.4
-rwxr-xr-x 1 root root 520356 Sep 29 14:06 /opt/snort-build/lib/libpcap.so.1.7.4
[root@x88022 ~]#

-----Original Message-----
From: Al Lewis (allewi) [mailto:allewi () cisco com]
Sent: Tuesday, September 29, 2015 3:05 PM
To: Lamont, Brian A.
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] 32bit snort rpm

Try running ldconfig or exporting the library path "export LD_LIBRARY_PATH=/usr/local/lib" before running snort

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

-----Original Message-----
From: Lamont, Brian A. [mailto:Brian.Lamont () gd-ms com]
Sent: Tuesday, September 29, 2015 6:02 PM
To: Al Lewis (allewi)
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] 32bit snort rpm

Got libpcap, daq and snort installed. Will see if it works tomorrow. I had built a snort rpm but after successful daq and libpcap install, it complained about unable to find libpcap and one other.
[root@x88022 i386]# rpm -i snort-2.9.7.5-1.i386.rpm
error: Failed dependencies:
libpcap.so.1 is needed by snort-2.9.7.5-1.i386
libsfbpf.so.0 is needed by snort-2.9.7.5-1.i386

-----Original Message-----
From: Al Lewis (allewi) [mailto:allewi () cisco com]
Sent: Monday, September 28, 2015 5:22 PM
To: Lamont, Brian A.
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] 32bit snort rpm

I have it installed on RHEL 5.11. See below:

[root@localhost snort-2.9.7.6]# /var/tmp/snort-2.9.6/bin/snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.7.6 GRE (Build 285)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.7.4
           Using PCRE version: 8.37 2015-04-28
           Using ZLIB version: 1.2.3

[root@localhost snort-2.9.7.6]# uname -a
Linux localhost.localdomain 2.6.18-398.el5 #1 SMP Tue Aug 12 06:26:57 EDT 2014 i686 i686 i386 GNU/Linux
[root@localhost snort-2.9.7.6]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.11 (Tikanga)

Hope this helps.

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

-----Original Message-----
From: Al Lewis (allewi)
Sent: Monday, September 28, 2015 7:34 PM
To: Lamont, Brian A.
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] 32bit snort rpm

Add "inlcude /usr/local/lib" to /etc/ld.so.conf.

[root@localhost alewis]# ls -al /usr/local/lib/libpcap.so.1
lrwxrwxrwx 1 root root 16 Sep 28 18:49 /usr/local/lib/libpcap.so.1 -> libpcap.so.1.7.4
[root@localhost alewis]# ldconfig -v /usr/local/lib | grep pcap
ldconfig: Can't stat inlcude /usr/local/lib: No such file or directory
libpcap.so.1 -> libpcap.so.1.7.4
libpcap.so.0.9.4 -> libpcap.so.0.9.4
[root@localhost alewis]#

You should be able to continue after that.
I just did it with daq-2.0.5

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

-----Original Message-----
From: Lamont, Brian A. [mailto:Brian.Lamont () gd-ms com]
Sent: Monday, September 28, 2015 6:57 PM
To: jlay () slave-tothe-box net; snort-users () lists sourceforge net
Subject: Re: [Snort-users] 32bit snort rpm

Building in its own area sounds great, but I'm still not getting past the make.

.
.
config.status: creating pcap_set_tstamp_precision.3pcap
config.status: creating pcap_set_tstamp_type.3pcap
config.status: creating config.h
config.status: config.h is unchanged
config.status: executing default-1 commands
[root@x88022 libpcap-1.7.4]# make
gcc -fpic -I. -I/usr/include/dbus-1.0 -I/usr/lib/dbus-1.0/include -DHAVE_CONFIG_H -D_U_="__attribute__((unused))" -g -O2 -c ./pcap-dbus.c
./pcap-dbus.c: In function ‘dbus_write’:
./pcap-dbus.c:111: error: ‘DBUS_ERROR_INIT’ undeclared (first use in this function)
./pcap-dbus.c:111: error: (Each undeclared identifier is reported only once
./pcap-dbus.c:111: error: for each function it appears in.)
./pcap-dbus.c: In function ‘dbus_activate’:
./pcap-dbus.c:165: error: ‘DBUS_ERROR_INIT’ undeclared (first use in this function)
make: *** [pcap-dbus.o] Error 1

-----Original Message-----
From: James Lay [mailto:jlay () slave-tothe-box net]
Sent: Monday, September 28, 2015 2:24 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] 32bit snort rpm

On 2015-09-28 02:12 PM, Lamont, Brian A. wrote:

daq is still needing 1.0.0 back to the beginning it looks like.
------
checking for libpcap version >= "1.0.0"... no
ERROR! Libpcap library version >= 1.0.0 not found.
Get it from http://www.tcpdump.org
-----------
So I found these options and ran it.
But I'm not sure if it daq built "without" libpcap-1.0.0, and instead, or WITH the 1.7.4 library in /usr/local/lib, which seemed like a default but specified it anyway. Libpcap install config.log completed without errors. Do any of you see an issue with the way this built?

./configure --disable-pcap-module --with-libpcap-libraries=/usr/local/lib

From: Lamont, Brian A.
Sent: Monday, September 28, 2015 12:50 PM
To: Lamont, Brian A.; Al Lewis (allewi); Russ Combs (rucombs); Michael Steele
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] 32bit snort rpm

Got it to go with -enable-dbus=no.

From: Lamont, Brian A. [mailto:Brian.Lamont () gd-ms com]
Sent: Monday, September 28, 2015 12:39 PM
To: Al Lewis (allewi); Russ Combs (rucombs); Michael Steele
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] 32bit snort rpm

I uninstalled libpcap 1.0.0 using make uninstall. Please let me know if this is complete clean removal. But during make install of version 1.7 it errored below. Anyone seen this before?

./pcap-dbus.c: In function 'dbus_write':
./pcap-dbus.c:111: error: 'DBUS_ERROR_INIT' undeclared (first use in this function)
./pcap-dbus.c:111: error: (Each undeclared identifier is reported only once
./pcap-dbus.c:111: error: for each function it appears in.)
./pcap-dbus.c: In function 'dbus_activate':
./pcap-dbus.c:165: error: 'DBUS_ERROR_INIT' undeclared (first use in this function)
make: *** [pcap-dbus.o] Error 1

From: Al Lewis (allewi) [mailto:allewi () cisco com]
Sent: Monday, September 28, 2015 9:46 AM
To: Lamont, Brian A.; Russ Combs (rucombs); Michael Steele
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] 32bit snort rpm

Try this..

Uninstall libpcap.

Then get it from tcpdump.org

http://www.tcpdump.org/#latest-release

Libpcap version 1.7 is available.

Albert Lewis
QA Software Engineer
SOURCEFIRE, Inc. now part of CISCO
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Lamont, Brian A. [mailto:Brian.Lamont () gd-ms com]
Sent: Monday, September 28, 2015 12:21 PM
To: Al Lewis (allewi); Russ Combs (rucombs); Michael Steele
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] 32bit snort rpm

Tried that. And Redhat apparently does not have the 1.0.0 available, which is odd given the "…years ago…" reference below. It may be part of another channel we are not subscribed to so I will open a case with them for that.

This system is receiving updates from RHN Classic or RHN Satellite.
Setting up Install Process
Package 14:libpcap-devel-0.9.4-15.el5.i386 already installed and latest version
Nothing to do

From: Al Lewis (allewi) [mailto:allewi () cisco com]
Sent: Monday, September 28, 2015 9:17 AM
To: Lamont, Brian A.; Russ Combs (rucombs); Michael Steele
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] 32bit snort rpm

For redhat libpcap devel is:

"yum install libpcap-devel"

Albert Lewis
QA Software Engineer
SOURCEFIRE, Inc. now part of CISCO
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Lamont, Brian A. [mailto:Brian.Lamont () gd-ms com]
Sent: Monday, September 28, 2015 12:00 PM
To: Russ Combs (rucombs); Al Lewis (allewi); Michael Steele; snort-users () lists sourceforge net
Subject: RE: [Snort-users] 32bit snort rpm

Ok I'm back at this again. To recap, I'm trying to build snort 32bit on rhel 5.11, but running into dependency problems. While starting a rpmbuild of daq, I started seeing errors. Below is what ldd snort shows on 64 linux. I found another site that suggested installing libpcap-devel so that libpcap would build, then install daq, and then snort.
But I have not been able to find libpcap-devel source pkg to download for Rhel 5 32bit.

Here is how my install of libpcap-1.0.0 finishes and appears
----------------------------------------------------------
/usr/bin/install -c -m 644 ./$i \
/usr/local/share/man/man3/$i; done
ln /usr/local/share/man/man3/pcap_datalink_val_to_name.3pcap \
/usr/local/share/man/man3/pcap_datalink_val_to_description.3pcap
ln: creating hard link `/usr/local/share/man/man3/pcap_datalink_val_to_description.3pcap' to `/usr/local/share/man/man3/pcap_datalink_val_to_name.3pcap': File exists
make: *** [install] Error 1

But my daq install errors unable to find libpcap
---------------------------------------------------------
checking for libpcap version >= "1.0.0"... no
ERROR! Libpcap library version >= 1.0.0 not found.
Get it from http://www.tcpdump.org

[root@linux1 ~]# ldd /usr/local/bin/snort
linux-vdso.so.1 => (0x00007fffb7ffd000)
libdnet.1 => /usr/lib64/libdnet.1 (0x00002ba25825d000)
libpcre.so.0 => /lib64/libpcre.so.0 (0x00002ba25846d000)
libnsl.so.1 => /lib64/libnsl.so.1 (0x00002ba25868c000)
libuuid.so.1 => /lib64/libuuid.so.1 (0x00002ba2588a5000)
libm.so.6 => /lib64/libm.so.6 (0x00002ba258aa9000)
libcrypto.so.6 => /lib64/libcrypto.so.6 (0x00002ba258d2c000)
libdl.so.2 => /lib64/libdl.so.2 (0x00002ba25907f000)
libsfbpf.so.0 => /usr/local/lib/libsfbpf.so.0 (0x00002ba259283000)
libpcap.so.1 => /usr/local/lib/libpcap.so.1 (0x00002ba2594a6000)
libz.so.1 => /lib64/libz.so.1 (0x00002ba2596e1000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00002ba2598f5000)
libc.so.6 => /lib64/libc.so.6 (0x00002ba259b11000)
/lib64/ld-linux-x86-64.so.2 (0x00002ba25803f000)
[root@linux1 ~]# snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.7.0 GRE (Build 149)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.6.2
           Using PCRE version: 6.6 06-Feb-2006
           Using ZLIB version: 1.2.3

From: Russ [mailto:rucombs () cisco com]
Sent: Tuesday, September 15, 2015 3:18 PM
To: Lamont, Brian A.; Al Lewis (allewi); Michael Steele; snort-users () lists sourceforge net
Subject: Re: [Snort-users] 32bit snort rpm

On 9/15/15 5:43 PM, Lamont, Brian A. wrote:

So I'm a failure at building from the source rpm of daq, and pretty darn new to building rpms, so my next attempt below is to build from source, and that didn't go well.

[root@x88022 snort]# rpmbuild --rebuild daq-2.0.6-1.src.rpm
Installing daq-2.0.6-1.src.rpm
error: unpacking of archive failed on file /usr/src/redhat/SOURCES/daq-2.0.6.tar.gz;55f88cd3: cpio: MD5 sum mismatch
error: daq-2.0.6-1.src.rpm cannot be installed

From source:
----------------
[root@x88022 snort]# cd daq-2.0.6
[root@x88022 daq-2.0.6]# vi README
[root@x88022 daq-2.0.6]# ./configure
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
.. …omitted....
checking libnetfilter_queue/libnetfilter_queue.h presence... no
checking for libnetfilter_queue/libnetfilter_queue.h... no
checking for linux/netfilter.h... (cached) yes
checking for pcap.h... (cached) yes
checking for pcap_lib_version... checking for pcap_lib_version in -lpcap... (cached) yes
checking for libpcap version >= "1.0.0"... no
ERROR! Libpcap library version >= 1.0.0 not found.
Get it from http://www.tcpdump.org

Current version of libpcap - same version on 64bit hosts and they work fine.
---------------------------------
[root@x88022 daq-2.0.6]# rpm -qa |grep libpcap
libpcap-devel-0.9.4-15.el5
libpcap-0.9.4-15.el5

We started requiring 1.0.0+ years ago. On those 64-bit hosts, what does ldd snort show? Is that where rpm installed those?
You can also check snort -V to see the version.

From: Al Lewis (allewi) [mailto:allewi () cisco com]
Sent: Tuesday, September 15, 2015 12:05 PM
To: Lamont, Brian A.; Michael Steele; snort-users () lists sourceforge net
Subject: RE: [Snort-users] 32bit snort rpm

You should be able to build from source but you need the daq installed first.

Albert Lewis
QA Software Engineer
SOURCEFIRE, Inc. now part of CISCO
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Lamont, Brian A. [mailto:Brian.Lamont () gd-ms com]
Sent: Tuesday, September 15, 2015 10:39 AM
To: Al Lewis (allewi); Michael Steele; snort-users () lists sourceforge net
Subject: RE: [Snort-users] 32bit snort rpm

I am needing to install snort on approx.. 25 32bit RHEL (REDHAT LINUX) 5 servers

From: Al Lewis (allewi) [mailto:allewi () cisco com]
Sent: Monday, September 14, 2015 7:10 PM
To: Lamont, Brian A.; Michael Steele; snort-users () lists sourceforge net
Subject: RE: [Snort-users] 32bit snort rpm

Are you trying to install on windows or *nix?

Albert Lewis
QA Software Engineer
SOURCEFIRE, Inc. now part of CISCO
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Lamont, Brian A. [mailto:Brian.Lamont () gd-ms com]
Sent: Monday, September 14, 2015 7:00 PM
To: Michael Steele; snort-users () lists sourceforge net
Subject: Re: [Snort-users] 32bit snort rpm

But I should be able to build from source, at least according to one of the README files, correct? I have started one build after installing the libpcap and other prereqs, and it started to take off and look like a build, then failed for the error below. Where can I find the sfbpf library?

[root@x88022 snort]# rpmbuild -ta snort-2.9.7.5.tar.gz
Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.9801
+ umask 022
+ cd /usr/src/redhat/BUILD
+ LANG=C
+ export LANG
+ unset DISPLAY
+ cd /usr/src/redhat/BUILD
+ rm -rf snort-2.9.7.5
+ /usr/bin/gzip -dc /var/tmp/snort/snort-2.9.7.5.tar.gz
...
checking for INADDR_NONE... yes
checking for __FUNCTION__... yes
checking for sfbpf_compile in -lsfbpf... no
ERROR! sfbpf library not found, go get it from
http://www.snort.org/.
error: Bad exit status from /var/tmp/rpm-tmp.9801 (%build)
RPM build errors:
Bad exit status from /var/tmp/rpm-tmp.9801 (%build)

From: Michael Steele [mailto:michaels () winsnort com]
Sent: Monday, September 14, 2015 3:37 PM
To: Lamont, Brian A.
Subject: RE: [Snort-users] 32bit snort rpm

Snort is 32bit for Windows, but the remainder of the support programs are 64bit. There are 32bit and 64bit installation tutorials for Windows.

Kindest regards,
Michael...

WINSNORT.com Management Team Member
--
****************** Established ~ 2001 ********************
Visit Us @ http://www.winsnort.com
~~ FREE WinIDS Snort installation guides ~~
~~ FREE support forums ~~
Snort: Open Source Network IDS - http://www.snort.org
**********************************************************

From: Lamont, Brian A. [mailto:Brian.Lamont () gd-ms com]
Sent: Monday, September 14, 2015 6:22 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] 32bit snort rpm

I am needing to install snort on approx.. 25 32bit Rhel 5 servers. I see there is a 64bit rpm on the website.
Is there a 32bit package available?

_BRIAN LAMONT_
UNIX SYSTEMS ADMIN
DESK: 480 586-9986
CELL: 480 209-8751
brian.lamont () gd-ms com

If this was me, at this point, I would just create snort and its dependencies in their own environment (with a little fudging) like so:

libpcap: snag latest at http://www.tcpdump.org/release/libpcap-1.7.4.tar.gz
./configure --prefix=/opt/snortbuild
sudo ln -s /opt/snortbuild/bin/pcap-config /usr/sbin/

For some reason daq has issues with finding libpcap.so.1 so:
(as root) echo "/opt/snortbuild/lib" > /etc/ld.so.conf.d/snort.conf
(or symlink it to your lib path)

libdnet: snag latest at http://pkgs.fedoraproject.org/repo/pkgs/libdnet/libdnet-1.12.tgz/9253ef6de1b5e28e9c9a62b882e44cc9/libdnet-1.12.tgz and
./configure --prefix=/opt/snortbuild
sudo ln -s /opt/snortbuild/bin/dnet-config /usr/bin/

daq: snag latest at https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
./configure --prefix=/opt/snort --with-libpcap-includes=/opt/snortbuild/include --with-libpcap-libraries=/opt/snortbuild/lib --with-dnet-includes=/opt/snortbuild/include --with-dnet-libraries=/opt/snortbuild/lib
sudo ln -s /opt/snortbuild/bin/daq-modules-config /usr/bin/

snort: snag at https://www.snort.org/downloads/snort/snort-2.9.7.5.tar.gz and configure with
./configure --prefix=/opt/snort --enable-sourcefire --with-daq-includes=/opt/snortbuild/include --with-daq-libraries=/opt/snortbuild/lib --with-dnet-includes=/opt/snortbuild/include --with-dnet-libraries=/opt/snortbuild/lib --with-libpcap-includes=/opt/snortbuild/include --with-libpcap-libraries=/opt/snortbuild/lib

snort refuses to find libdnet.1 so you'll need to make a symlink to your lib path such as:
sudo ln -s /opt/snortbuild/lib/libdnet.1.0.1 /lib/i386-linux-gnu/libdnet.1

vbox:/opt/snort/bin$ ldd snort
linux-gate.so.1 => (0xb7759000)
libdnet.1 => /lib/i386-linux-gnu/libdnet.1 (0xb772c000)
libpcre.so.3 => /lib/i386-linux-gnu/libpcre.so.3 (0xb76ba000)
libm.so.6 => /lib/i386-linux-gnu/libm.so.6 (0xb766c000)
libcrypto.so.1.0.0 => /lib/i386-linux-gnu/libcrypto.so.1.0.0 (0xb7498000)
libdl.so.2 => /lib/i386-linux-gnu/libdl.so.2 (0xb7493000)
libsfbpf.so.0 => /opt/snortbuild/lib/libsfbpf.so.0 (0xb746b000)
libpcap.so.1 => /opt/snortbuild/lib/libpcap.so.1 (0xb7425000)
libz.so.1 => /lib/i386-linux-gnu/libz.so.1 (0xb7409000)
libpthread.so.0 => /lib/i386-linux-gnu/libpthread.so.0 (0xb73ec000)
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7231000)
/lib/ld-linux.so.2 (0xb775a000)
vbox:/opt/snort/bin$ ./snort --version

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.7.5 GRE (Build 262)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.7.4
           Using PCRE version: 8.35 2014-04-04
           Using ZLIB version: 1.2.8

At this point if you want to push this out as a package you can tar.bz2 /opt/snortbuild and /opt/snort as well as the lib symlinks and away you go. Hope that helps.

James

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
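
The loader problems worked through in this thread (a libpcap.so.1 link that points at a directory, the misspelled include line for /etc/ld.so.conf, and library directories exported through LD_LIBRARY_PATH before snort is started as root) can be caught with a pre-flight check. The script below is an added example, not part of any message in the thread; the function names and the scratch-directory fixture are made up for illustration, the ld.so.conf lint assumes one entry per line, and the world-writable test is a hardening check the thread itself did not discuss.

```shell
#!/bin/sh
# Added example, not code from the thread: pre-flight checks for the
# shared-library failures discussed above, to run before an init script
# starts snort as root.

# check_lib_link PATH: succeed only if PATH resolves to a regular file.
# A soname link that resolves to a directory is what the loader reported as
# "cannot read file data: Error 21" (EISDIR) for libpcap.so.1 in the thread.
check_lib_link() {
    if [ -L "$1" ] && [ ! -e "$1" ]; then
        echo "DANGLING $1 -> $(readlink "$1")"
    elif [ -d "$1" ]; then
        echo "DIRECTORY $1 -> $(readlink "$1")"
    elif [ -f "$1" ]; then
        echo "OK $1"
        return 0
    else
        echo "MISSING $1"
    fi
    return 1
}

# check_ldconf FILE: lint an ld.so.conf-style file, assuming one entry per
# line. An entry must be "include PATTERN" or an existing absolute directory;
# anything else (the thread's misspelled "inlcude /usr/local/lib") is reported.
check_ldconf() {
    ldconf_rc=0
    while read -r word rest || [ -n "$word" ]; do
        case $word in
            '' | '#'*) continue ;;
            include) [ -n "$rest" ] && continue ;;
            /*) [ -z "$rest" ] && [ -d "$word" ] && continue ;;
        esac
        echo "BAD ENTRY in $1: $word${rest:+ $rest}"
        ldconf_rc=1
    done < "$1"
    return "$ldconf_rc"
}

# check_search_path LIST: every directory in an LD_LIBRARY_PATH-style list
# must exist and must not be world-writable, because the loader will take
# libraries for a root-started snort from any of them.
check_search_path() {
    path_rc=0
    old_ifs=$IFS
    IFS=:
    set -f                      # split on ':' only, no globbing
    for dir in $1; do
        [ -n "$dir" ] || continue
        if [ ! -d "$dir" ]; then
            echo "MISSING $dir"
            path_rc=1
            continue
        fi
        # Character 9 of the ls mode string is the "other" write bit.
        case $(ls -ldL "$dir") in
            d???????w*) echo "WORLD-WRITABLE $dir"; path_rc=1 ;;
        esac
    done
    set +f
    IFS=$old_ifs
    return "$path_rc"
}

# demo: rebuild the thread's layout in a scratch directory (constructed
# fixture, not real system paths) and run all three checks against it.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/build"
    : > "$d/build/libpcap.so.1.7.4"
    ln -s libpcap.so.1.7.4 "$d/build/libpcap.so.1"   # correct: link -> file
    ln -s "$d/build" "$d/libpcap.so.1"               # thread's bug: link -> dir
    printf 'inlcude /usr/local/lib\n%s\n' "$d/build" > "$d/ld.so.conf"
    check_lib_link "$d/build/libpcap.so.1" || :
    check_lib_link "$d/libpcap.so.1" || :
    check_ldconf "$d/ld.so.conf" || :
    check_search_path "$d/build:$d/no-such-dir" || :
    rm -rf "$d"
}

# With arguments, check the named library paths; without, run the demo.
if [ $# -gt 0 ]; then
    for lib in "$@"; do check_lib_link "$lib" || :; done
else
    demo
fi
```
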