Snort mailing list archives

Re: Snort with OpenAppID and inline NFQ DAQ on Alpine Linux


From: "Costas Kleopa (ckleopa) via Snort-devel" <snort-devel () lists snort org>
Date: Fri, 9 Aug 2019 18:48:18 +0000

I don’t think we support this platform for snort2 but we recently had some better support on Alpine Linux when using 
Snort3.

Our suggestion is to take a look at this also and see if that would meet your needs.

Thanks
Costas
https://snort.org/snort3


From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of Matt Cooper <matt.cooper () veeasystems com>
Date: Friday, August 9, 2019 at 2:41 PM
To: "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: [Snort-devel] Snort with OpenAppID and inline NFQ DAQ on Alpine Linux

I am trying to run Snort 2.9.14 (with OpenAppID and inline NFQ DAQ) on Alpine Linux (v3.10). In order to get round some build problems with Snort I’ve added the libtirpc package (updating the CFLAGS & LDFLAGS accordingly) and built with the flags --enable-open-appid --enable-sourcefire.

Snort version info is:

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.14 GRE (Build 15003)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2019 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.9.0-PRE-GIT (with TPACKET_V3)
           Using PCRE version: 8.43 2019-02-23
           Using ZLIB version: 1.2.11

It appears that the DAQ NFQ is set up correctly:

Available DAQ modules:
pcap(v3): readback live multi unpriv
nfq(v7): live inline multi
ipfw(v3): live inline multi unpriv
dump(v3): readback live inline multi unpriv
afpacket(v5): live inline multi unpriv

When I run Snort there is a problem with the dynamic pre-processor, which can’t find some symbols (getrpcent & 
endrpcent) the shared object libsf_appid_preproc.so needs to locate. These functions are defined in the (Sun) RPC 
library that’s part of glibc, but because Alpine uses musl libc which doesn’t include the (Sun) RPC library, libtirpc 
is being used as a replacement for it.

This is the output from running Snort:

# snort -A full -hqsQ -c /etc/snort/snort.conf --daq-dir=/usr/local/lib/daq -K ascii
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/snort.conf"
PortVar 'HTTP_PORTS' defined :  [ 80:81 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 
5250 6988 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180:8181 8243 8280 8300 
8800 8888 8899 9000 9060 9080 9090:9091 9443 9999 11371 34443:34444 41080 50002 55555 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
PortVar 'SSH_PORTS' defined :  [ 22 ]
PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
PortVar 'SIP_PORTS' defined :  [ 5060:5061 5600 ]
PortVar 'FILE_DATA_PORTS' defined :  [ 80:81 110 143 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 
3702 4343 4848 5250 6988 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180:8181 
8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999 11371 34443:34444 41080 50002 55555 ]
PortVar 'GTP_PORTS' defined :  [ 2123 2152 3386 ]
Detection:
   Search-Method = AC-Full-Q
    Split Any/Any group = enabled
    Search-Method-Optimizations = enabled
    Maximum pattern length = 20
Tagged Packet Limit: 256
Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules...
WARNING: No dynamic libraries found in directory /usr/local/lib/snort_dynamicrules.
  Finished Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules
Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_appid_preproc.so... ERROR: 
Failed to load /usr/local/lib/snort_dynamicpreprocessor//libsf_appid_preproc.so: Error relocating 
/usr/local/lib/snort_dynamicpreprocessor//libsf_appid_preproc.so: endrpcent: symbol not found
Fatal Error, Quitting.

The shared object dependencies for libsf_appid_preproc.so are:

# ldd /usr/local/lib/snort_dynamicpreprocessor/libsf_appid_preproc.so.0.0.0
                /lib/ld-musl-aarch64.so.1 (0xffff9b671000)
                libluajit-5.1.so.2 => /usr/lib/libluajit-5.1.so.2 (0xffff9b032000)
                libpcre.so.1 => /usr/lib/libpcre.so.1 (0xffff9afcf000)
                libcrypto.so.1.1 => /lib/libcrypto.so.1.1 (0xffff9ad84000)
                libc.musl-aarch64.so.1 => /lib/ld-musl-aarch64.so.1 (0xffff9b671000)
                libgcc_s.so.1 => /usr/lib/libgcc_s.so.1 (0xffff9ad62000)
Error relocating /usr/local/lib/snort_dynamicpreprocessor/libsf_appid_preproc.so.0.0.0: endrpcent: symbol not found
Error relocating /usr/local/lib/snort_dynamicpreprocessor/libsf_appid_preproc.so.0.0.0: getrpcent: symbol not found

How can I resolve this issue? Is Alpine Linux a supported distro for Snort?
When I build without the --enable-open-appid flag, Snort runs as expected.

Many thanks,
Matt
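The ldd output quoted above lists no libtirpc dependency at all, which is worth checking mechanically before touching build flags. The following is an added diagnostic (not code from the thread or from the Snort project): it parses ldd output for a shared object, lists the symbols the loader could not relocate, and reports whether an expected provider library (here libtirpc, the musl-side substitute for glibc's Sun RPC routines) is actually among the object's dependencies. The sample input is constructed from the ldd output in the post, trimmed to a few lines.

```shell
#!/bin/sh
# Added diagnostic (not from the thread). Parses ldd output for a shared object and
# reports which symbols failed to relocate and whether a named provider library is
# among the object's dependencies. Sample input below is constructed from the ldd
# output quoted in the post, trimmed to a few lines.
SAMPLE_LDD='        /lib/ld-musl-aarch64.so.1 (0xffff9b671000)
        libluajit-5.1.so.2 => /usr/lib/libluajit-5.1.so.2 (0xffff9b032000)
        libpcre.so.1 => /usr/lib/libpcre.so.1 (0xffff9afcf000)
        libc.musl-aarch64.so.1 => /lib/ld-musl-aarch64.so.1 (0xffff9b671000)
Error relocating /usr/local/lib/snort_dynamicpreprocessor/libsf_appid_preproc.so.0.0.0: endrpcent: symbol not found
Error relocating /usr/local/lib/snort_dynamicpreprocessor/libsf_appid_preproc.so.0.0.0: getrpcent: symbol not found'

# missing_symbols TEXT: one unresolved symbol per line, sorted and de-duplicated.
missing_symbols() {
    printf '%s\n' "$1" |
        sed -n 's/^Error relocating .*: \([A-Za-z_][A-Za-z0-9_]*\): symbol not found$/\1/p' |
        sort -u
}

# linked_libs TEXT: the soname of every dependency ldd resolved (left side of "=>").
linked_libs() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*\([^[:space:]]*\) => .*/\1/p'
}

# links_against TEXT PREFIX: succeeds if some resolved dependency's soname starts with PREFIX.
links_against() {
    linked_libs "$1" | grep -q "^$2"
}

# diagnose TEXT PROVIDER: prints a verdict; exit status 0 only if nothing is unresolved.
diagnose() {
    missing=$(missing_symbols "$1")
    if [ -z "$missing" ]; then
        echo "ok: no unresolved symbols"
        return 0
    fi
    echo "unresolved: $(printf '%s' "$missing" | tr '\n' ' ')"
    if links_against "$1" "$2"; then
        echo "$2 is a dependency but does not export them: check its version/ABI"
    else
        echo "$2 is not a dependency: the object was linked without it (check LDFLAGS at link time)"
    fi
    return 1
}

# Run against the sample on the page; libtirpc is the expected provider of the RPC symbols.
diagnose "$SAMPLE_LDD" libtirpc || :
```

On a real host, replace the sample with `ldd /path/to/libsf_appid_preproc.so 2>&1` to check the object actually built.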