Snort mailing list archives

Re: Conflict with pfring


From: Y M <snort () outlook com>
Date: Wed, 27 Jan 2016 10:02:01 +0000

From: Robert Lasota <wrkilu () wp pl>
Sent: Wednesday, January 27, 2016 9:26 AM


Hi,

On a router with Centos7 we have, among others, Snort and Nprobe (from Ntop). Snort is compiled from source and I try to 
run it as follows:

/opt/usr/bin/snort --daq nfq --daq-var queue=1 -D -Q -c /opt/etc/snort/snort.conf --no-interface-pidfile
version 2.9.62.


The first comment you will get is that version 2.9.6.2 is becoming EOL by February 2016 😊. Go with 2.9.8.0 as 
it is the latest available.


compiled with options:

./configure --prefix=/opt/usr --enable-sourcefire --with-daq-libraries=/opt/usr/lib/daq/ \
--with-daq-includes=/opt/usr/include/ --disable-gre --disable-mpls --disable-corefiles --disable-dlclose
Nprobe I installed from rpm, version 7.3.160127.


Since you are using PF_RING, is there a reason you are not configuring Snort with "--with-libpfring-includes" and 
"--with-libpfring-libraries"? This may be completely irrelevant to the original issue, but this tells Snort where the 
PF_RING libraries are, like the DAQ libraries you have specified already.



Now.. it turned out there is a conflict between them. I mean after installing Nprobe Snort doesn't want to run. 
Suddenly it returns error "error while loading shared libraries: libsnf.so.0: No such file or directory". In Centos repo 
there isn't any such library. And when I uninstall pfring (which is needed by Nprobe), and Nprobe then also - Snort 
runs without problem (strange). So my question is: how to run Snort or how to tell it not to be dependent on 
that pfring.


Does this happen when both are running together? What happens if you stop (not remove) NProbe and run only Snort? I can 
think of two potential reasons for this, for which I stand corrected:

- Installing NProbe overwrites/unlinks something. Admittedly, I do not have any experience with NProbe.

- If you are installing PF_RING, then any sniffing app must be compiled against the PF_RING libraries. An example is 
tcpdump.


YM



Thanks,

Robert
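
An added example, not part of the original thread: a shell helper that reports which object (the Snort binary or a DAQ module) carries the unresolved dependency such as libsnf.so.0. The function names and the sample `ldd` output are constructed for illustration; the paths in the usage comment are taken from the commands quoted above and assume the DAQ modules live under /opt/usr/lib/daq/.

```shell
#!/bin/sh
# missing_libs: read `ldd` output on stdin and print the name of every
# dependency the dynamic loader could not resolve ("=> not found").
missing_libs() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }' | sort -u
}

# scan_objects: run ldd on each file given and print "<object>: <library>"
# for every unresolved library, so the object that actually needs the
# missing library can be identified.
scan_objects() {
    for obj in "$@"; do
        [ -f "$obj" ] || continue
        ldd "$obj" 2>/dev/null | missing_libs | while read -r lib; do
            printf '%s: %s\n' "$obj" "$lib"
        done
    done
}

# Constructed sample of ldd output (not captured from the poster's system),
# used to show what missing_libs extracts.
sample_ldd_output() {
cat <<'EOF'
	linux-vdso.so.1 =>  (0x00007ffd2a5f0000)
	libpcap.so.1 => /lib64/libpcap.so.1 (0x00007f1c0a200000)
	libsnf.so.0 => not found
	libc.so.6 => /lib64/libc.so.6 (0x00007f1c09e00000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f1c0a600000)
EOF
}

# Usage (paths assumed from the thread):
#   sh scan.sh /opt/usr/bin/snort /opt/usr/lib/daq/*.so
if [ "$#" -gt 0 ]; then
    scan_objects "$@"
fi
```

Running it once with pfring installed and once without shows whether the dependency comes from the Snort binary itself or from a library that the pfring package replaced.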


