Snort mailing list archives

Re: 32bit snort rpm


From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 02 Oct 2015 16:36:11 -0600

Good call...I would highly recommend doing this in a VM so you can 
rapidly revert back...just in case :)

James

On 2015-10-02 04:25 PM, Lamont, Brian A. wrote:
I did a make uninstall, make distclean of one of them and it didn't
help.  We have another system we'll try this on next week.  I'll
give results at that time.


-----Original Message-----
From: James Lay [mailto:jlay () slave-tothe-box net]
Sent: Friday, October 02, 2015 2:51 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] 32bit snort rpm

Ah....eek...you have libdaq installed twice...I would move the ones
you're not using...this might be part of the issue....use /usr/local/lib
OR your /opt/gdms/lib, but not both.

James

On 2015-10-02 03:39 PM, Lamont, Brian A. wrote:
Symlink to where, from /usr/local/lib ?

[root@x88022 lib]#  cd /usr/local/lib/
[root@x88022 lib]#  ln -s  /opt/gdms/lib/   libdaq_static.a

[root@x88022 lib]# cd /usr/local/lib/
[root@x88022 lib]# ls -al libdaq*
-rw-r--r-- 1 root root 50334 Sep 28 12:57 libdaq.a
-rwxr-xr-x 1 root root   931 Sep 28 12:57 libdaq.la
lrwxrwxrwx 1 root root    15 Sep 28 12:57 libdaq.so -> libdaq.so.2.0.4
lrwxrwxrwx 1 root root    15 Sep 28 12:57 libdaq.so.2 -> libdaq.so.2.0.4
-rwxr-xr-x 1 root root 41254 Sep 28 12:57 libdaq.so.2.0.4
-rw-r--r-- 1 root root 51436 Sep 28 12:57 libdaq_static.a
-rwxr-xr-x 1 root root   899 Sep 28 12:57 libdaq_static.la
-rw-r--r-- 1 root root 48642 Sep 28 12:57 libdaq_static_modules.a
-rwxr-xr-x 1 root root   923 Sep 28 12:57 libdaq_static_modules.la


[root@x88022 lib]# ls -al /opt/gdms/lib/libdaq*
-rw-r--r-- 1 root root 50334 Oct  2 13:25 /opt/gdms/lib/libdaq.a
-rwxr-xr-x 1 root root   936 Oct  2 13:25 /opt/gdms/lib/libdaq.la
lrwxrwxrwx 1 root root    15 Oct  2 13:25 /opt/gdms/lib/libdaq.so -> libdaq.so.2.0.4
lrwxrwxrwx 1 root root    15 Oct  2 13:25 /opt/gdms/lib/libdaq.so.2 -> libdaq.so.2.0.4
-rwxr-xr-x 1 root root 41254 Oct  2 13:25 /opt/gdms/lib/libdaq.so.2.0.4
-rw-r--r-- 1 root root 51436 Oct  2 13:25 /opt/gdms/lib/libdaq_static.a
-rwxr-xr-x 1 root root   904 Oct  2 13:25 /opt/gdms/lib/libdaq_static.la
-rw-r--r-- 1 root root 74696 Oct  2 13:25 /opt/gdms/lib/libdaq_static_modules.a
-rwxr-xr-x 1 root root   928 Oct  2 13:25 /opt/gdms/lib/libdaq_static_modules.la


-----Original Message-----
From: James Lay [mailto:jlay () slave-tothe-box net]
Sent: Friday, October 02, 2015 2:31 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] 32bit snort rpm

Yea I've been there....last ditch would be to symlink your static daqs.

James

On 2015-10-02 03:20 PM, Lamont, Brian A. wrote:
It was the same as yours and since we had ld.so.conf file originally
with two lines, we added the library spot for the new build area:
still no go.

include ld.so.conf.d/*.conf
include /usr/local/lib
/opt/snort-build/lib
/opt/gdms/lib   <- new build area


-----Original Message-----
From: James Lay [mailto:jlay () slave-tothe-box net]
Sent: Friday, October 02, 2015 1:56 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] 32bit snort rpm

What's your lib dir show...the one where you installed daq to?  Mine
has:

ls -l libdaq*
-rw-r--r-- 1 root root  53514 Oct  2 11:50 libdaq.a
-rwxr-xr-x 1 root root    914 Oct  2 11:50 libdaq.la
lrwxrwxrwx 1 root root     15 Oct  2 11:50 libdaq.so -> libdaq.so.2.0.4
lrwxrwxrwx 1 root root     15 Oct  2 11:50 libdaq.so.2 -> libdaq.so.2.0.4
-rwxr-xr-x 1 root root  46304 Oct  2 11:50 libdaq.so.2.0.4
-rw-r--r-- 1 root root  54992 Oct  2 11:50 libdaq_static.a
-rwxr-xr-x 1 root root    882 Oct  2 11:50 libdaq_static.la
-rw-r--r-- 1 root root 154166 Oct  2 11:50 libdaq_static_modules.a
-rwxr-xr-x 1 root root    906 Oct  2 11:50 libdaq_static_modules.la

James

On 2015-10-02 02:51 PM, Lamont, Brian A. wrote:
ERROR!  daq_static library not found

Doing a build in a different spot, sort of redoing things.  Has anyone
seen this error before?



-----Original Message-----
From: James Lay [mailto:jlay () slave-tothe-box net]
Sent: Friday, October 02, 2015 10:12 AM
To: Lamont, Brian A.
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] 32bit snort rpm

Yea there you go...odd that there's no AFPacket.  If you're running
as root, which I think from other emails I see you might be, I would
create a script log like so:

script snorttest.txt
strace snort <your options>
ctrl-D

Then let's see what that looks like.

James

On 2015-10-02 11:08 AM, Lamont, Brian A. wrote:
Run strace with no options or do you have a few flags that are
beneficial?


./configure --prefix=/opt/snort-build
--with-libpcap-includes=/opt/snort-build/include
--with-libpcap-libraries=/opt/snort-build/lib
--with-dnet-includes=/opt/snort-build/include
--with-dnet-libraries=/opt/snort-build/lib
.
.

Build AFPacket DAQ module.. : no
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : no
Build NFQ DAQ module....... : no
Build PCAP DAQ module...... : yes
Build netmap DAQ module.... : no



-----Original Message-----
From: James Lay [mailto:jlay () slave-tothe-box net]
Sent: Friday, October 02, 2015 9:55 AM
To: Lamont, Brian A.
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] 32bit snort rpm

Yea that's for config.log....I'm talking about the actual end of
running your ./configure in a terminal.  At this point...boy I don't
know...my next step would be to run snort with strace and see where
it's flaking out.

On 2015-10-02 10:50 AM, Lamont, Brian A. wrote:
Looks a little different than yours.

BUILD_AFPACKET_MODULE_FALSE=''
BUILD_AFPACKET_MODULE_TRUE='#'
BUILD_DUMP_MODULE_FALSE='#'
BUILD_DUMP_MODULE_TRUE=''
BUILD_IPFW_MODULE_FALSE='#'
BUILD_IPFW_MODULE_TRUE=''
BUILD_IPQ_MODULE_FALSE=''
BUILD_IPQ_MODULE_TRUE='#'
BUILD_MODULES_FALSE='#'
BUILD_MODULES_TRUE=''
BUILD_NETMAP_MODULE_FALSE=''
BUILD_NETMAP_MODULE_TRUE='#'
BUILD_NFQ_MODULE_FALSE=''
BUILD_NFQ_MODULE_TRUE='#'
BUILD_PCAP_MODULE_FALSE='#'
BUILD_PCAP_MODULE_TRUE=''
BUILD_SHARED_MODULES_FALSE='#'
BUILD_SHARED_MODULES_TRUE=''


-----Original Message-----
From: James Lay [mailto:jlay () slave-tothe-box net]
Sent: Friday, October 02, 2015 9:10 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] 32bit snort rpm

What's the end of your DAQ ./configure look like?  I.E.:

Build AFPacket DAQ module.. : yes
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : no
Build NFQ DAQ module....... : no
Build PCAP DAQ module...... : yes
Build netmap DAQ module.... : no

James

On 2015-10-02 09:56 AM, Lamont, Brian A. wrote:
-T without --daq pcap showed no errors.  Changing to -D still
complained about missing --daq pcap


-----Original Message-----
From: James Lay [mailto:jlay () slave-tothe-box net]
Sent: Friday, October 02, 2015 8:46 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] 32bit snort rpm

Drop the --daq pcap as that's the default anyway.  In a console
try:

/usr/local/bin/snort -T -u snort -g snort -c /etc/snort/snort.conf

Should run a test and give you any errors, if none then change
your -T to -D.

James

On 2015-10-02 09:28 AM, Lamont, Brian A. wrote:
I have. I export the library path first, then run the full snort
command below. You suppose there’s a flub with the library path,
something not listed?

/usr/local/bin/snort -D -u snort -g snort -c /etc/snort/snort.conf --daq pcap;

From: Al Lewis (allewi) [mailto:allewi () cisco com]
Sent: Thursday, October 01, 2015 4:29 PM
To: Lamont, Brian A.
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] 32bit snort rpm

I would test that you can run it manually first. Then create a script.

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Lamont, Brian A. [mailto:Brian.Lamont () gd-ms com]
Sent: Thursday, October 01, 2015 6:49 PM
To: Al Lewis (allewi)
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] 32bit snort rpm

We have a startup script.

-------------------------------
#!/bin/sh
case $1 in
'start')
 LD_LIBRARY_PATH=/opt/snort-build/lib:/usr/local/lib:/usr/local/lib/snort_dynamicpreprocessor:/usr/local/lib/snort_dynamicengine:/usr/local/lib;
 export LD_LIBRARY_PATH;
 /usr/local/bin/snort -D -u snort -g snort -c /etc/snort/snort.conf --daq pcap;
;;
'stop')
 kill -1 `ps -ef | grep snort | grep -v grep | awk '{print $2}'`
;;
*)
 echo "Usage: $0 start|stop" >&2
 exit 1
;;
esac
exit 0

From: Al Lewis (allewi) [mailto:allewi () cisco com]
Sent: Thursday, October 01, 2015 3:44 PM
To: Lamont, Brian A.
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] 32bit snort rpm

How are you starting snort to get that error?

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Lamont, Brian A. [mailto:Brian.Lamont () gd-ms com]
Sent: Thursday, October 01, 2015 6:14 PM
To: Stephen Gantz
Cc: Al Lewis (allewi); snort-users () lists sourceforge net
Subject: RE: [Snort-users] 32bit snort rpm

Ok I cleared up the RULE_PATH variable since it had not referenced
the correct directory. Now I can’t find daq or pcap at snort startup.

15 x88022 snort[16459]:
+----------------------------------------------------------------
Oct 1 14:48:15 x88022 snort[16459]: [ Number of patterns truncated to 20 bytes: 24 ]
Oct 1 14:48:15 x88022 snort[16459]: FATAL ERROR: Can't find pcap DAQ!

In /usr/bin I have:

daq-modules-config -> /opt/snort-build/bin/daq-modules-config

In /usr/sbin:

pcap-config -> /opt/snort-build/bin/pcap-config

For libdnet:

[root@x88022 sbin]# ls -al /usr/local/lib/libdnet.1
lrwxrwxrwx 1 root root 13 Sep 14 13:58 /usr/local/lib/libdnet.1 -> libdnet.1.0.1

[root@x88022 sbin]# ls -al /opt/snort-build/lib/libdnet*
lrwxrwxrwx 1 root root 24 Oct 1 15:01 libdnet.1 -> /usr/local/lib/libdnet.1

[root@x88022 lib]# ldd /usr/local/bin/snort
 linux-gate.so.1 => (0x00655000)
 libdnet.1 => /usr/local/lib/libdnet.1 (0x00e79000)
 libpcre.so.0 => /lib/libpcre.so.0 (0x0066e000)
 libnsl.so.1 => /lib/libnsl.so.1 (0x00c2a000)
 libuuid.so.1 => /lib/libuuid.so.1 (0x004e3000)
 libm.so.6 => /lib/libm.so.6 (0x00159000)
 libcrypto.so.6 => /lib/libcrypto.so.6 (0x078b5000)
 libdl.so.2 => /lib/libdl.so.2 (0x00699000)
 libpcap.so.1 => /usr/local/lib/libpcap.so.1 (0x007a4000)
 libsfbpf.so.0 => /usr/local/lib/libsfbpf.so.0 (0x00a93000)
 libz.so.1 => /lib/libz.so.1 (0x006a0000)
 libpthread.so.0 => /lib/libpthread.so.0 (0x006b5000)
 libc.so.6 => /lib/libc.so.6 (0x00182000)
 /lib/ld-linux.so.2 (0x004f1000)

[root@x88022 lib]# snort -V

 ,,_ -*> Snort! <*-
 o" )~ Version 2.9.7.5 GRE (Build 262)
 '''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
 Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
 Copyright (C) 1998-2013 Sourcefire, Inc., et al.
 Using libpcap version 1.7.4
 Using PCRE version: 6.6 06-Feb-2006
 Using ZLIB version: 1.2.3

From: Stephen Gantz [mailto:stephen.gantz () faculty umuc edu]
Sent: Thursday, October 01, 2015 12:16 PM
To: Lamont, Brian A.
Cc: Al Lewis (allewi); snort-users () lists sourceforge net
Subject: Re: [Snort-users] 32bit snort rpm

Try setting RULE_PATH to an absolute path instead of the relative one
in snort.conf by default.

Dr. Stephen D. Gantz
CISSP-ISSAP, CEH, CGEIT, CRISC, CIPP/G, C|CISO
Professor of Information Assurance
The Graduate School
University of Maryland University College
stephen.gantz () faculty umuc edu

On Oct 1, 2015, at 2:55 PM, Lamont, Brian A. <Brian.Lamont () gd-ms com> wrote:

This path exists on my 64 bit systems, /etc/snort/rules/local.rules
but the one in the error below does not. And the rules directory on
the 64 bit systems is full of rules, but I'm unable to find the
default set in the build area, and community rules file is all find
on the website.

Oct 1 11:29:54 x88022 snort[10659]: FATAL ERROR: /etc/snort/../rules/local.rules(0) Unable to open rules file "/etc/snort/../rules/local.rules": No such file or directory.

-----Original Message-----
From: Al Lewis (allewi) [mailto:allewi () cisco com]
Sent: Wednesday, September 30, 2015 4:43 PM
To: Lamont, Brian A.
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] 32bit snort rpm

Is this a copy paste error?

"/usr/local/lib/libpcap.so.1 -> /opt/snort-build/lib"

If not... I think your link is wrong.

This---> /usr/local/lib/libpcap.so.1

Should link to your libpcap file and not the directory.

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

-----Original Message-----
From: Lamont, Brian A. [mailto:Brian.Lamont () gd-ms com]
Sent: Wednesday, September 30, 2015 7:29 PM
To: Al Lewis (allewi)
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] 32bit snort rpm

Appears to be a library linkage that’s not right, and maybe it's
obvious but I don't chase these issues much. So while I continue
to look I'll send you what I have.

Since we installed libpcap.so.1.7.4, I'm guessing we need to
make sure libpcap.so.1 can find it. In the startup script I have
LD_LIBRARY_PATH exported as follows:

LD_LIBRARY_PATH=/opt/snort-build/lib:/usr/local/lib; export LD_LIBRARY_PATH;

The error
---
[root@x88022 rc3.d]# ./S99snortd start
/usr/local/bin/snort: error while loading shared libraries: /usr/local/lib/libpcap.so.1: cannot read file data: Error 21

Links to libpcap.so.1
---
[root@x88022 ~]# ls -al /usr/local/lib/libpcap*
lrwxrwxrwx 1 root root 20 Sep 29 14:42 /usr/local/lib/libpcap.so.1 -> /opt/snort-build/lib

/opt/snort-build is where I built snort and all packages.
---
[root@x88022 ~]# ls -al /opt/snort-build/lib/libpcap*
-rw-r--r-- 1 root root 695832 Sep 29 14:06 /opt/snort-build/lib/libpcap.a
lrwxrwxrwx 1 root root 12 Sep 29 14:06 /opt/snort-build/lib/libpcap.so -> libpcap.so.1
lrwxrwxrwx 1 root root 16 Sep 29 14:06 /opt/snort-build/lib/libpcap.so.1 -> libpcap.so.1.7.4
-rwxr-xr-x 1 root root 520356 Sep 29 14:06 /opt/snort-build/lib/libpcap.so.1.7.4
[root@x88022 ~]#

-----Original Message-----
From: Al Lewis (allewi) [mailto:allewi () cisco com]
Sent: Tuesday, September 29, 2015 3:05 PM
To: Lamont, Brian A.
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] 32bit snort rpm

Try running ldconfig or exporting the library path
"export LD_LIBRARY_PATH=/usr/local/lib" before running snort

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

-----Original Message-----
From: Lamont, Brian A. [mailto:Brian.Lamont () gd-ms com]
Sent: Tuesday, September 29, 2015 6:02 PM
To: Al Lewis (allewi)
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] 32bit snort rpm

Got libpcap, daq and snort installed. Will see if it works tomorrow.
I had built a snort rpm but after successful daq and libpcap
install, it complained about unable to find libpcap and one other.

[root@x88022 i386]# rpm -i snort-2.9.7.5-1.i386.rpm
error: Failed dependencies:
libpcap.so.1 is needed by snort-2.9.7.5-1.i386
libsfbpf.so.0 is needed by snort-2.9.7.5-1.i386

-----Original Message-----
From: Al Lewis (allewi) [mailto:allewi () cisco com]
Sent: Monday, September 28, 2015 5:22 PM
To: Lamont, Brian A.
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] 32bit snort rpm

I have it installed on RHEL 5.11.

See below:

[root@localhost snort-2.9.7.6]# /var/tmp/snort-2.9.6/bin/snort -V

 ,,_ -*> Snort! <*-
 o" )~ Version 2.9.7.6 GRE (Build 285)
 '''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
 Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
 Copyright (C) 1998-2013 Sourcefire, Inc., et al.
 Using libpcap version 1.7.4
 Using PCRE version: 8.37 2015-04-28
 Using ZLIB version: 1.2.3

[root@localhost snort-2.9.7.6]# uname -a
Linux localhost.localdomain 2.6.18-398.el5 #1 SMP Tue Aug 12 06:26:57 EDT 2014 i686 i686 i386 GNU/Linux

[root@localhost snort-2.9.7.6]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.11 (Tikanga)

Hope this helps.

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

-----Original Message-----
From: Al Lewis (allewi)
Sent: Monday, September 28, 2015 7:34 PM
To: Lamont, Brian A.
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] 32bit snort rpm

Add "inlcude /usr/local/lib" to /etc/ld.so.conf.

[root@localhost alewis]# ls -al /usr/local/lib/libpcap.so.1
lrwxrwxrwx 1 root root 16 Sep 28 18:49 /usr/local/lib/libpcap.so.1 -> libpcap.so.1.7.4

[root@localhost alewis]# ldconfig -v /usr/local/lib | grep pcap
ldconfig: Can't stat inlcude /usr/local/lib: No such file or directory
libpcap.so.1 -> libpcap.so.1.7.4
libpcap.so.0.9.4 -> libpcap.so.0.9.4
[root@localhost alewis]#

You should be able to continue after that.

I just did it with daq-2.0.5

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

-----Original Message-----
From: Lamont, Brian A. [mailto:Brian.Lamont () gd-ms com]
Sent: Monday, September 28, 2015 6:57 PM
To: jlay () slave-tothe-box net; snort-users () lists sourceforge net
Subject: Re: [Snort-users] 32bit snort rpm

Building in its own area sounds great, but I'm still not getting
past the make.
.
.
config.status: creating pcap_set_tstamp_precision.3pcap
config.status: creating pcap_set_tstamp_type.3pcap
config.status: creating config.h
config.status: config.h is unchanged
config.status: executing default-1 commands

[root@x88022 libpcap-1.7.4]# make
gcc -fpic -I. -I/usr/include/dbus-1.0 -I/usr/lib/dbus-1.0/include -DHAVE_CONFIG_H -D_U_="__attribute__((unused))" -g -O2 -c ./pcap-dbus.c
./pcap-dbus.c: In function ‘dbus_write’:
./pcap-dbus.c:111: error: ‘DBUS_ERROR_INIT’ undeclared (first use in this function)
./pcap-dbus.c:111: error: (Each undeclared identifier is reported only once
./pcap-dbus.c:111: error: for each function it appears in.)
./pcap-dbus.c: In function ‘dbus_activate’:
./pcap-dbus.c:165: error: ‘DBUS_ERROR_INIT’ undeclared (first use in this function)
make: *** [pcap-dbus.o] Error 1

-----Original Message-----
From: James Lay [mailto:jlay () slave-tothe-box net]
Sent: Monday, September 28, 2015 2:24 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] 32bit snort rpm

On 2015-09-28 02:12 PM, Lamont, Brian A. wrote:

daq is still needing 1.0.0 back to the beginning it looks like.

------
checking for libpcap version >= "1.0.0"... no

ERROR! Libpcap library version >= 1.0.0 not found.
Get it from http://www.tcpdump.org
-----------

So I found these options and ran it. But I'm not sure if it daq built
"without" libpcap-1.0.0, and instead, or WITH the 1.7.4 library in
/usr/local/lib, which seemed like a default but specified it anyway.
Libpcap install config.log completed without errors. Do any of you see
an issue with the way this built?

./configure --disable-pcap-module --with-libpcap-libraries=/usr/local/lib

From: Lamont, Brian A.
Sent: Monday, September 28, 2015 12:50 PM
To: Lamont, Brian A.; Al Lewis (allewi); Russ Combs (rucombs); Michael Steele
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] 32bit snort rpm

Got it to go with -enable-dbus=no.

From: Lamont, Brian A. [mailto:Brian.Lamont () gd-ms com]
Sent: Monday, September 28, 2015 12:39 PM
To: Al Lewis (allewi); Russ Combs (rucombs); Michael Steele
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] 32bit snort rpm

I uninstalled libpcap 1.0.0 using make uninstall. Please let me know
if this is complete clean removal. But during make install of version
1.7 it errored below. Anyone seen this before?

./pcap-dbus.c: In function 'dbus_write':
./pcap-dbus.c:111: error: 'DBUS_ERROR_INIT' undeclared (first use in this function)
./pcap-dbus.c:111: error: (Each undeclared identifier is reported only once
./pcap-dbus.c:111: error: for each function it appears in.)
./pcap-dbus.c: In function 'dbus_activate':
./pcap-dbus.c:165: error: 'DBUS_ERROR_INIT' undeclared (first use in this function)
make: *** [pcap-dbus.o] Error 1

From: Al Lewis (allewi) [mailto:allewi () cisco com]
Sent: Monday, September 28, 2015 9:46 AM
To: Lamont, Brian A.; Russ Combs (rucombs); Michael Steele
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] 32bit snort rpm

Try this..

Uninstall libpcap.

Then get it from tcpdump.org

http://www.tcpdump.org/#latest-release

Libpcap version 1.7 is available.

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Lamont, Brian A. [mailto:Brian.Lamont () gd-ms com]
Sent: Monday, September 28, 2015 12:21 PM
To: Al Lewis (allewi); Russ Combs (rucombs); Michael Steele
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] 32bit snort rpm

Tried that. And Redhat apparently does not have the 1.0.0 available,
which is odd given the "…years ago…" reference below. It may be part
of another channel we are not subscribed to so I will open a case with
them for that.

This system is receiving updates from RHN Classic or RHN Satellite.
Setting up Install Process
Package 14:libpcap-devel-0.9.4-15.el5.i386 already installed and latest version
Nothing to do

From: Al Lewis (allewi) [mailto:allewi () cisco com]
Sent: Monday, September 28, 2015 9:17 AM
To: Lamont, Brian A.; Russ Combs (rucombs); Michael Steele
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] 32bit snort rpm

For redhat libpcap devel is:

"yum install libpcap-devel"

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Lamont, Brian A. [mailto:Brian.Lamont () gd-ms com]
Sent: Monday, September 28, 2015 12:00 PM
To: Russ Combs (rucombs); Al Lewis (allewi); Michael Steele; snort-users () lists sourceforge net
Subject: RE: [Snort-users] 32bit snort rpm

Ok I'm back at this again. To recap, I'm trying to build snort 32bit
on rhel 5.11, but running in to dependency problems. While starting a
rpmbuild of daq, I started seeing errors. Below is what ldd snort
shows on 64 linux. I found another site that suggested installing
libpcap-devel so that libpcap would build, then install daq, and then
snort. But I have not been able to find libpcap-devel source pkg to
download for Rhel 5 32bit.

Here is how my install of libpcap-1.0.0 finishes and appears
----------------------------------------------------------
/usr/bin/install -c -m 644 ./$i \
/usr/local/share/man/man3/$i; done
ln /usr/local/share/man/man3/pcap_datalink_val_to_name.3pcap \
/usr/local/share/man/man3/pcap_datalink_val_to_description.3pcap
ln: creating hard link `/usr/local/share/man/man3/pcap_datalink_val_to_description.3pcap' to `/usr/local/share/man/man3/pcap_datalink_val_to_name.3pcap': File exists
make: *** [install] Error 1

But my daq install errors unable to find libpcap
---------------------------------------------------------
checking for libpcap version >= "1.0.0"... no

ERROR! Libpcap library version >= 1.0.0 not found.
Get it from http://www.tcpdump.org

[root@linux1 ~]# ldd /usr/local/bin/snort
linux-vdso.so.1 => (0x00007fffb7ffd000)
libdnet.1 => /usr/lib64/libdnet.1 (0x00002ba25825d000)
libpcre.so.0 => /lib64/libpcre.so.0 (0x00002ba25846d000)
libnsl.so.1 => /lib64/libnsl.so.1 (0x00002ba25868c000)
libuuid.so.1 => /lib64/libuuid.so.1 (0x00002ba2588a5000)
libm.so.6 => /lib64/libm.so.6 (0x00002ba258aa9000)
libcrypto.so.6 => /lib64/libcrypto.so.6 (0x00002ba258d2c000)
libdl.so.2 => /lib64/libdl.so.2 (0x00002ba25907f000)
libsfbpf.so.0 => /usr/local/lib/libsfbpf.so.0 (0x00002ba259283000)
libpcap.so.1 => /usr/local/lib/libpcap.so.1 (0x00002ba2594a6000)
libz.so.1 => /lib64/libz.so.1 (0x00002ba2596e1000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00002ba2598f5000)
libc.so.6 => /lib64/libc.so.6 (0x00002ba259b11000)
/lib64/ld-linux-x86-64.so.2 (0x00002ba25803f000)

[root@linux1 ~]# snort -V

,,_ -*> Snort! <*-
o" )~ Version 2.9.7.0 GRE (Build 149)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.6.2
Using PCRE version: 6.6 06-Feb-2006
Using ZLIB version: 1.2.3

From: Russ [mailto:rucombs () cisco com]
Sent: Tuesday, September 15, 2015 3:18 PM
To: Lamont, Brian A.; Al Lewis (allewi); Michael Steele; snort-users () lists sourceforge net
Subject: Re: [Snort-users] 32bit snort rpm

On 9/15/15 5:43 PM, Lamont, Brian A. wrote:

So I'm a failure at building from the source rpm of daq, and pretty
darn new to building rpms, so my next attempt below is to build from
source, and that didn't go well.

[root@x88022 snort]# rpmbuild --rebuild daq-2.0.6-1.src.rpm
Installing daq-2.0.6-1.src.rpm
error: unpacking of archive failed on file /usr/src/redhat/SOURCES/daq-2.0.6.tar.gz;55f88cd3: cpio: MD5 sum mismatch
error: daq-2.0.6-1.src.rpm cannot be installed

From source:
----------------
[root@x88022 snort]# cd daq-2.0.6
[root@x88022 daq-2.0.6]# vi README
[root@x88022 daq-2.0.6]# ./configure
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
.
. …omitted..
..
checking libnetfilter_queue/libnetfilter_queue.h presence... no
checking for libnetfilter_queue/libnetfilter_queue.h... no
checking for linux/netfilter.h... (cached) yes
checking for pcap.h... (cached) yes
checking for pcap_lib_version... checking for pcap_lib_version in -lpcap... (cached) yes
checking for libpcap version >= "1.0.0"... no

ERROR! Libpcap library version >= 1.0.0 not found.
Get it from http://www.tcpdump.org

Current version of libpcap - same version on 64bit hosts and they
work fine.
---------------------------------
[root@x88022 daq-2.0.6]# rpm -qa |grep libpcap
libpcap-devel-0.9.4-15.el5
libpcap-0.9.4-15.el5

We started requiring 1.0.0+ years ago. On those 64-bit hosts, what
does ldd snort show? Is that where rpm installed those? You can also
check snort -V to see the version.

From: Al Lewis (allewi) [mailto:allewi () cisco com]
Sent: Tuesday, September 15, 2015 12:05 PM
To: Lamont, Brian A.; Michael Steele; snort-users () lists sourceforge net
Subject: RE: [Snort-users] 32bit snort rpm

You should be able to build from source but you need the daq installed
first.

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Lamont, Brian A. [mailto:Brian.Lamont () gd-ms com]
Sent: Tuesday, September 15, 2015 10:39 AM
To: Al Lewis (allewi); Michael Steele; snort-users () lists sourceforge net
Subject: RE: [Snort-users] 32bit snort rpm

I am needing to install snort on approx.. 25 32bit RHEL (REDHAT LINUX)
5 servers

From: Al Lewis (allewi) [mailto:allewi () cisco com]
Sent: Monday, September 14, 2015 7:10 PM
To: Lamont, Brian A.; Michael Steele; snort-users () lists sourceforge net
Subject: RE: [Snort-users] 32bit snort rpm

Are you trying to install on windows or *nix?

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Lamont, Brian A. [mailto:Brian.Lamont () gd-ms com]
Sent: Monday, September 14, 2015 7:00 PM
To: Michael Steele; snort-users () lists sourceforge net
Subject: Re: [Snort-users] 32bit snort rpm

But I should be able to build from source, at least according to one
of the README files, correct? I have started one build after
installing the libpcap and other prereqs, and it started to take off
and look like a build, then failed for the error below. Where can I
find the sfbpf library?

[root@x88022 snort]# rpmbuild -ta snort-2.9.7.5.tar.gz
Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.9801
+ umask 022
+ cd /usr/src/redhat/BUILD
+ LANG=C
+ export LANG
+ unset DISPLAY
+ cd /usr/src/redhat/BUILD
+ rm -rf snort-2.9.7.5
+ /usr/bin/gzip -dc /var/tmp/snort/snort-2.9.7.5.tar.gz
.
..
checking for INADDR_NONE... yes
checking for __FUNCTION__... yes
checking for sfbpf_compile in -lsfbpf... no

ERROR! sfbpf library not found, go get it from
http://www.snort.org/.

error: Bad exit status from /var/tmp/rpm-tmp.9801 (%build)

RPM build errors:
Bad exit status from /var/tmp/rpm-tmp.9801 (%build)

From: Michael Steele [mailto:michaels () winsnort com]
Sent: Monday, September 14, 2015 3:37 PM
To: Lamont, Brian A.
Subject: RE: [Snort-users] 32bit snort rpm

Snort is 32bit for Windows, but the remainder of the support programs
are 64bit. There are 32bit and 64bit installation tutorials for
Windows.

Kindest regards,
Michael...

WINSNORT.com Management Team Member
--
****************** Established ~ 2001 *******************
* Visit Us @ http://www.winsnort.com *
* ~~ FREE WinIDS Snort installation guides ~~ *
* ~~ FREE support forums ~~ *
* Snort: Open Source Network IDS - http://www.snort.org *
*********************************************************

From: Lamont, Brian A. [mailto:Brian.Lamont () gd-ms com]
Sent: Monday, September 14, 2015 6:22 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] 32bit snort rpm

I am needing to install snort on approx.. 25 32bit Rhel 5 servers. I
see there is a 64bit rpm on the website. Is there a 32bit package
available?

_BRIAN LAMONT_
UNIX SYSTEMS ADMIN
DESK: 480 586-9986
CELL: 480 209-8751
brian.lamont () gd-ms com

If this was me, at this point, I would just create snort and its
dependencies in their own environment (with a little fudging) like so:

libpcap:
snag latest at http://www.tcpdump.org/release/libpcap-1.7.4.tar.gz
./configure --prefix=/opt/snortbuild

sudo ln -s /opt/snortbuild/bin/pcap-config /usr/sbin/

For some reason daq has issues with finding libpcap.so.1 so:
(as root) echo "/opt/snortbuild/lib" > /etc/ld.so.conf.d/snort.conf
(or symlink it to your lib path)

libdnet:
snag latest at
http://pkgs.fedoraproject.org/repo/pkgs/libdnet/libdnet-1.12.tgz/9253ef6de1b5e28e9c9a62b882e44cc9/libdnet-1.12.tgz
and ./configure --prefix=/opt/snortbuild

sudo ln -s /opt/snortbuild/bin/dnet-config /usr/bin/

daq:
snag latest at https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
./configure --prefix=/opt/snort \
 --with-libpcap-includes=/opt/snortbuild/include \
 --with-libpcap-libraries=/opt/snortbuild/lib \
 --with-dnet-includes=/opt/snortbuild/include \
 --with-dnet-libraries=/opt/snortbuild/lib

sudo ln -s /opt/snortbuild/bin/daq-modules-config /usr/bin/

snort:
snag at https://www.snort.org/downloads/snort/snort-2.9.7.5.tar.gz
and configure with
./configure --prefix=/opt/snort \
 --enable-sourcefire \
 --with-daq-includes=/opt/snortbuild/include \
 --with-daq-libraries=/opt/snortbuild/lib \
 --with-dnet-includes=/opt/snortbuild/include \
 --with-dnet-libraries=/opt/snortbuild/lib \
 --with-libpcap-includes=/opt/snortbuild/include \
 --with-libpcap-libraries=/opt/snortbuild/lib

snort refuses to find libdnet.1 so you'll need to make a symlink to
your lib path such as:
sudo ln -s /opt/snortbuild/lib/libdnet.1.0.1 /lib/i386-linux-gnu/libdnet.1

 vbox:/opt/snort/bin$ ldd snort
 linux-gate.so.1 => (0xb7759000)
 libdnet.1 => /lib/i386-linux-gnu/libdnet.1 (0xb772c000)
 libpcre.so.3 => /lib/i386-linux-gnu/libpcre.so.3 (0xb76ba000)
 libm.so.6 => /lib/i386-linux-gnu/libm.so.6 (0xb766c000)
 libcrypto.so.1.0.0 => /lib/i386-linux-gnu/libcrypto.so.1.0.0 (0xb7498000)
 libdl.so.2 => /lib/i386-linux-gnu/libdl.so.2 (0xb7493000)
 libsfbpf.so.0 => /opt/snortbuild/lib/libsfbpf.so.0 (0xb746b000)
 libpcap.so.1 => /opt/snortbuild/lib/libpcap.so.1 (0xb7425000)
 libz.so.1 => /lib/i386-linux-gnu/libz.so.1 (0xb7409000)
 libpthread.so.0 => /lib/i386-linux-gnu/libpthread.so.0 (0xb73ec000)
 libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7231000)
 /lib/ld-linux.so.2 (0xb775a000)

 vbox:/opt/snort/bin$ ./snort --version

    ,,_     -*> Snort! <*-
   o"  )~   Version 2.9.7.5 GRE (Build 262)
    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team [4]
            Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
            Using libpcap version 1.7.4
            Using PCRE version: 8.35 2014-04-04
            Using ZLIB version: 1.2.8
 At this point if you want to push this out as a package you can
tar.bz2 /opt/snortbuild and /opt/snort as well as the lib
symlinks and away you go. Hope that helps.

 James
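
A check for the result of the build described in the message above, added here as an example and not part of the original post: it reads `ldd` output and reports whether each named library was picked up from the private prefix, from somewhere else, or not at all. The function names audit_ldd and sample_ldd are hypothetical; the sample input is taken from the ldd listing in the message plus one constructed "not found" line.

```shell
#!/bin/sh
# Added example; audit_ldd and sample_ldd are hypothetical helper names.
#
# audit_ldd PREFIX LIB...
# Reads `ldd` output on stdin and prints "<state> <lib> <path>" per LIB:
#   ok        resolved under PREFIX
#   outside   resolved elsewhere (a second copy, or a symlink into PREFIX)
#   notfound  the loader reported "not found"
#   absent    not a dynamic dependency (for example, linked statically)
# Returns non-zero if any LIB is not "ok".
audit_ldd() {
    prefix=$1; shift
    awk -v prefix="$prefix" -v want="$*" '
        BEGIN { n = split(want, libs, " ") }
        $2 == "=>" {
            for (i = 1; i <= n; i++) {
                # Match on "name." so libpcap does not also match libpcap_foo.
                if (index($1, libs[i] ".") != 1) continue
                # Compare against PREFIX "/" so /opt/snort != /opt/snortbuild.
                if ($3 == "not") { state[i] = "notfound"; path[i] = "-" }
                else if (index($3, prefix "/") == 1) { state[i] = "ok"; path[i] = $3 }
                else { state[i] = "outside"; path[i] = $3 }
            }
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                if (!(i in state)) { state[i] = "absent"; path[i] = "-" }
                if (state[i] != "ok") bad++
                printf "%s %s %s\n", state[i], libs[i], path[i]
            }
            exit (bad > 0)
        }'
}

# Sample input: lines from the ldd listing above, plus one constructed
# "not found" line (libexample) to exercise that state.
sample_ldd() {
    cat <<'EOF'
 linux-gate.so.1 => (0xb7759000)
 libdnet.1 => /lib/i386-linux-gnu/libdnet.1 (0xb772c000)
 libpcre.so.3 => /lib/i386-linux-gnu/libpcre.so.3 (0xb76ba000)
 libsfbpf.so.0 => /opt/snortbuild/lib/libsfbpf.so.0 (0xb746b000)
 libpcap.so.1 => /opt/snortbuild/lib/libpcap.so.1 (0xb7425000)
 libexample.so.9 => not found
 /lib/ld-linux.so.2 (0xb775a000)
EOF
}

sample_ldd | audit_ldd /opt/snortbuild libpcap libsfbpf libdnet libdaq || true
```

On a live host, pipe `ldd /opt/snort/bin/snort` into the function instead of the sample. The "outside" result for libdnet here is the symlink created in the message, which `readlink -f` resolves back into /opt/snortbuild/lib.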




------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!