Snort mailing list archives
Re: Snort with OpenAppID and inline NFQ DAQ on Alpine Linux
From: "Joel Esler \(jesler\) via Snort-devel" <snort-devel () lists snort org>
Date: Fri, 9 Aug 2019 18:42:01 +0000
Check this out Matt: https://www.snort.org/documents/snort-supported-oses

Sent from my iPad
On Aug 9, 2019, at 11:40, Matt Cooper <matt.cooper () veeasystems com> wrote:

I am trying to run Snort 2.9.14 (with OpenAppID and inline NFQ DAQ) on Alpine Linux (v3.10). In order to get round some build problems with Snort I've added the libtirpc package (updating the CFLAGS & LDFLAGS accordingly) and built with the flags --enable-open-appid --enable-sourcefire.

Snort version info is:

       ,,_     -*> Snort! <*-
      o"  )~   Version 2.9.14 GRE (Build 15003)
       ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
               Copyright (C) 2014-2019 Cisco and/or its affiliates. All rights reserved.
               Copyright (C) 1998-2013 Sourcefire, Inc., et al.
               Using libpcap version 1.9.0-PRE-GIT (with TPACKET_V3)
               Using PCRE version: 8.43 2019-02-23
               Using ZLIB version: 1.2.11

It appears that the DAQ NFQ is set up correctly:

    Available DAQ modules:
    pcap(v3): readback live multi unpriv
    nfq(v7): live inline multi
    ipfw(v3): live inline multi unpriv
    dump(v3): readback live inline multi unpriv
    afpacket(v5): live inline multi unpriv

When I run Snort there is a problem with the dynamic pre-processor, which can't find some symbols (getrpcent & endrpcent) the shared object libsf_appid_preproc.so needs to locate. These functions are defined in the (Sun) RPC library that's part of glibc, but because Alpine uses musl libc which doesn't include the (Sun) RPC library, libtirpc is being used as a replacement for it.

This is the output from running Snort:

    # snort -A full -hqsQ -c /etc/snort/snort.conf --daq-dir=/usr/local/lib/daq -K ascii
    Running in IDS mode

            --== Initializing Snort ==--
    Initializing Output Plugins!
    Initializing Preprocessors!
    Initializing Plug-ins!
    Parsing Rules file "/etc/snort/snort.conf"
    PortVar 'HTTP_PORTS' defined :  [ 80:81 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180:8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999 11371 34443:34444 41080 50002 55555 ]
    PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
    PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
    PortVar 'SSH_PORTS' defined :  [ 22 ]
    PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
    PortVar 'SIP_PORTS' defined :  [ 5060:5061 5600 ]
    PortVar 'FILE_DATA_PORTS' defined :  [ 80:81 110 143 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180:8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999 11371 34443:34444 41080 50002 55555 ]
    PortVar 'GTP_PORTS' defined :  [ 2123 2152 3386 ]
    Detection:
       Search-Method = AC-Full-Q
        Split Any/Any group = enabled
        Search-Method-Optimizations = enabled
        Maximum pattern length = 20
    Tagged Packet Limit: 256
    Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
    Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules...
    WARNING: No dynamic libraries found in directory /usr/local/lib/snort_dynamicrules.
      Finished Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules
    Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
      Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_appid_preproc.so... ERROR: Failed to load /usr/local/lib/snort_dynamicpreprocessor//libsf_appid_preproc.so: Error relocating /usr/local/lib/snort_dynamicpreprocessor//libsf_appid_preproc.so: endrpcent: symbol not found
    Fatal Error, Quitting.

The shared object dependencies for libsf_appid_preproc.so are:

    # ldd /usr/local/lib/snort_dynamicpreprocessor/libsf_appid_preproc.so.0.0.0
            /lib/ld-musl-aarch64.so.1 (0xffff9b671000)
            libluajit-5.1.so.2 => /usr/lib/libluajit-5.1.so.2 (0xffff9b032000)
            libpcre.so.1 => /usr/lib/libpcre.so.1 (0xffff9afcf000)
            libcrypto.so.1.1 => /lib/libcrypto.so.1.1 (0xffff9ad84000)
            libc.musl-aarch64.so.1 => /lib/ld-musl-aarch64.so.1 (0xffff9b671000)
            libgcc_s.so.1 => /usr/lib/libgcc_s.so.1 (0xffff9ad62000)
    Error relocating /usr/local/lib/snort_dynamicpreprocessor/libsf_appid_preproc.so.0.0.0: endrpcent: symbol not found
    Error relocating /usr/local/lib/snort_dynamicpreprocessor/libsf_appid_preproc.so.0.0.0: getrpcent: symbol not found

How can I resolve this issue? Is Alpine Linux a supported distro for Snort? When I build without the --enable-open-appid flag, Snort runs as expected.

Many thanks,
Matt

_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
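The diagnosis Matt does by hand (read the "Error relocating" lines, then inspect ldd) can be scripted so the same check is repeatable on any dynamic preprocessor build. The script below is an added example, not code from the thread or from the Snort project: it lists the non-weak undefined dynamic symbols of a preprocessor .so, collects what the libraries ldd resolves for it actually export, and prints whatever is still unresolved; extra libraries can be appended to the search so you can see whether linking one in (for example a libtirpc .so, whose path /usr/lib/libtirpc.so.3 is assumed here, not taken from the post) would satisfy getrpcent and endrpcent. It assumes binutils nm and an ldd that prints "name => /path (0x...)" lines, as the ldd output quoted above does.

```sh
#!/bin/sh
# Added example (not from the thread): report which dynamic symbols of a Snort
# dynamic preprocessor (e.g. libsf_appid_preproc.so) are not exported by the
# libraries it is linked against, and whether an extra library such as
# libtirpc (which supplies the SunRPC calls musl lacks) would fill the gap.
# Assumes binutils `nm` and an `ldd` that prints "name => /path (0x...)"
# lines, as both Alpine's musl ldd and glibc's ldd do.

# Non-weak undefined symbols ("U" lines) from `nm -D --undefined-only`
# output on stdin; "name@VERSION" suffixes stripped; sorted for comm(1).
# Weak undefined ("w") symbols are skipped: the loader tolerates them.
undefined_from_nm() {
    LC_ALL=C awk 'NF == 2 && $1 == "U" { sub(/@.*/, "", $2); print $2 }' |
        LC_ALL=C sort -u
}

# Exported global symbols from `nm -D --defined-only` output on stdin.
# Lines look like "<addr> <type> <name>"; keep global symbol types only.
defined_from_nm() {
    LC_ALL=C awk 'NF == 3 && $2 ~ /^[ABDRTVWiu]$/ { sub(/@.*/, "", $3); print $3 }' |
        LC_ALL=C sort -u
}

# Symbols listed in file $1 but absent from file $2 (both sorted, one per line).
missing_symbols() {
    LC_ALL=C comm -23 "$1" "$2"
}

# check_preproc SO [EXTRA_LIB ...]
# Prints the undefined symbols of SO that neither its ldd-resolved
# dependencies nor any EXTRA_LIB export. Empty output means all resolved.
check_preproc() {
    so="$1"; shift
    tmp=$(mktemp -d) || return 1
    nm -D --undefined-only "$so" | undefined_from_nm > "$tmp/undef"
    # ldd prints "libfoo.so => /usr/lib/libfoo.so (0x...)"; keep resolved paths.
    # Lines without "=>" (the loader itself, "Error relocating" notes) are dropped.
    ldd "$so" 2>/dev/null | LC_ALL=C awk '$2 == "=>" && $3 ~ /^\// { print $3 }' > "$tmp/libs"
    for extra in "$@"; do
        echo "$extra" >> "$tmp/libs"
    done
    : > "$tmp/def"
    while read -r lib; do
        nm -D --defined-only "$lib" 2>/dev/null | defined_from_nm >> "$tmp/def"
    done < "$tmp/libs"
    LC_ALL=C sort -u "$tmp/def" -o "$tmp/def"
    missing_symbols "$tmp/undef" "$tmp/def"
    rm -rf "$tmp"
}

# Usage on a box like the one in the thread (libtirpc path is an assumption):
#   sh check_preproc.sh /usr/local/lib/snort_dynamicpreprocessor/libsf_appid_preproc.so
#   sh check_preproc.sh /usr/local/lib/snort_dynamicpreprocessor/libsf_appid_preproc.so /usr/lib/libtirpc.so.3
if [ "$#" -ge 1 ]; then
    check_preproc "$@"
fi
```

Run it once without and once with the libtirpc path. If getrpcent and endrpcent appear in the first run and vanish in the second, the preprocessor's own link line never pulled in libtirpc, which is consistent with the ldd output in the post (no libtirpc among the dependencies even though the package was installed and LDFLAGS adjusted for the main build). Any symbol that still shows up with the candidate added needs a different provider.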
Current thread:
- Snort with OpenAppID and inline NFQ DAQ on Alpine Linux Matt Cooper (Aug 09)
- Re: Snort with OpenAppID and inline NFQ DAQ on Alpine Linux Joel Esler (jesler) via Snort-devel (Aug 09)
- <Possible follow-ups>
- Re: Snort with OpenAppID and inline NFQ DAQ on Alpine Linux Costas Kleopa (ckleopa) via Snort-devel (Aug 09)