Snort mailing list archives

Re: Possible bug in compiling snort 2.9.2.3


From: Russ Combs <rcombs () sourcefire com>
Date: Tue, 19 Jun 2012 14:30:57 -0400

That's a bug.  Thanks for reporting it.

On Tue, Jun 19, 2012 at 11:41 AM, Valentin AVRAM <valentin.avram () avangate com> wrote:

Hello.

While trying to compile snort 2.9.2.3 to be used as a sensor-only, I tried
to disable all unnecessary features of it while keeping only the basic
functionalities.

I'm running Gentoo Linux so I'm using the USE-flags made available by the
distro's ebuild in order to select the features I need and drop those which
I don't require.

The configure options the ebuild detects from my USE-flags are:

 ./configure --prefix=/usr --build=i686-pc-linux-gnu --host=i686-pc-linux-gnu --mandir=/usr/share/man 
--infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib --enable-shared 
--disable-static --disable-so-with-static-lib --enable-dynamicplugin --enable-zlib --disable-gre --disable-mpls 
--disable-targetbased --enable-decoder-preprocessor-rules --disable-ppm --enable-perfprofiling 
--enable-linux-smp-stats --disable-inline-init-failopen --enable-pthread --disable-debug --disable-debug-msgs 
--disable-corefiles --enable-dlclose --disable-active-response --disable-normalizer --disable-reload-error-restart 
--disable-react --disable-flexresp3 --enable-paf --disable-large-pcap --disable-aruba --without-mysql --without-odbc 
--without-postgresql --enable-ipv6 --enable-reload --disable-prelude --disable-build-dynamic-examples 
--disable-profile --disable-ppm-test --disable-intel-soft-cpm --disable-static-daq --disable-rzb-saac --without-oracle

As seen, I decided to disable active-response since it is a basic sensor,
not used in inline mode.

The configure is successful. However, when running make, the compilation
fails with the following error:

/bin/sh ../libtool --tag=CC   --mode=link i686-pc-linux-gnu-gcc  -O2 -march=i686 -pipe -fomit-frame-pointer 
-DSF_VISIBILITY -fvisibility=hidden -fno-strict-aliasing -Wall  -Wl,-O1 -Wl,--as-needed -L/usr/lib -lpcre -L/usr/lib 
-ldnet -o snort debug.o decode.o encode.o active.o log.o mstring.o parser.o profiler.o plugbase.o snort.o  strlcatu.o 
strlcpyu.o tag.o util.o detect.o signature.o mempool.o sf_sdlist.o fpcreate.o fpdetect.o pcrm.o byte_extract.o 
sfthreshold.o packet_time.o event_wrapper.o event_queue.o ppm.o log_text.o detection_filter.o detection_util.o 
rate_filter.o obfuscation.o sfdaq.o idle_processing.o output-plugins/libspo.a detection-plugins/libspd.a 
dynamic-plugins/libdynamic.a preprocessors/libspp.a parser/libparser.a target-based/libtarget_based.a 
preprocessors/HttpInspect/libhttp_inspect.a preprocessors/Stream5/libstream5.a sfutil/libsfutil.a 
control/libsfcontrol.a -lz -ldnet -lpcre -lpcap -lnsl -luuid -lm -lm  -ldl -ldaq -lz -lpthread -lpthread
libtool: link: i686-pc-linux-gnu-gcc -O2 -march=i686 -pipe -fomit-frame-pointer -DSF_VISIBILITY -fvisibility=hidden 
-fno-strict-aliasing -Wall -Wl,-O1 -o snort debug.o decode.o encode.o active.o log.o mstring.o parser.o profiler.o 
plugbase.o snort.o strlcatu.o strlcpyu.o tag.o util.o detect.o signature.o mempool.o sf_sdlist.o fpcreate.o 
fpdetect.o pcrm.o byte_extract.o sfthreshold.o packet_time.o event_wrapper.o event_queue.o ppm.o log_text.o 
detection_filter.o detection_util.o rate_filter.o obfuscation.o sfdaq.o idle_processing.o  -Wl,--as-needed -L/usr/lib 
output-plugins/libspo.a detection-plugins/libspd.a dynamic-plugins/libdynamic.a preprocessors/libspp.a 
parser/libparser.a target-based/libtarget_based.a preprocessors/HttpInspect/libhttp_inspect.a 
preprocessors/Stream5/libstream5.a sfutil/libsfutil.a control/libsfcontrol.a /usr/lib/libdnet.so -lpcre -lpcap -lnsl 
-luuid -lm /usr/lib/libdaq.so -ldl -lz -lpthread
dynamic-plugins/libdynamic.a(sf_dynamic_plugins.o): In function `DynamicSendBlockResponseMsg':
sf_dynamic_plugins.c:(.text+0x934): undefined reference to `Active_SendData'
dynamic-plugins/libdynamic.a(sf_dynamic_plugins.o): In function `DynamicActiveSetEnabled':
sf_dynamic_plugins.c:(.text+0xa17): undefined reference to `Active_SetEnabled'
collect2: ld returned 1 exit status

My question now is the following:
Am I using a bad combination of flags? Why does dynamic_plugins need active-response which I explicitly disabled? And 
if the flag combination is wrong, why did the configure let me use it?
(for instance, the Gentoo ebuild does not allow me to disable the "dynamic_plugins" USE-flag since I have enabled the 
"zlib" USE-flag which allows for analysis of compressed HTTP connections)

If the combination of flags is right, then it's a bug in the source code.

I have submitted Gentoo bug #421775 ( https://bugs.gentoo.org/show_bug.cgi?id=421775 ) and also attached there a 
patch which allows the two functions (Active_SetEnabled and Active_SendData) to be visible and just do nothing if 
active-response is disabled.

However, since it's the first time I'm looking at Snort source code I'm not entirely sure the two Active_ functions 
should just do nothing, that is I'm not sure that the caller functions expect changes in the data they send to the 
Active_ functions, so that patch only allows the code to compile, but that may break functionality.

Please have a look at this issue and tell me if I'm using the wrong flag combination, or there is a bug in the code 
or if the patch should produce a working snort binary.

Thank you for your time.




------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
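
The link failure discussed in this thread, reduced to a stand-alone C sketch: always-compiled code calls into a feature that a configure switch can remove. This is an added example, not Snort's code and not the patch attached to the Gentoo bug; the DEMO_ACTIVE_RESPONSE macro and all demo_* names are hypothetical. It shows stubs that keep the symbols defined and report "nothing sent", so the caller can tell a compiled-out feature apart from a successful send.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* DEMO_ACTIVE_RESPONSE is a hypothetical feature macro standing in for the
 * configure switch; build with -DDEMO_ACTIVE_RESPONSE to compile the feature
 * in, or without it for a sensor-only build. All demo_* names are made up. */
#ifdef DEMO_ACTIVE_RESPONSE
static int demo_enabled;

void demo_active_set_enabled(int on) { demo_enabled = on; }
int demo_active_is_enabled(void) { return demo_enabled; }

/* Returns the number of bytes handed off, or -1 if nothing was sent. */
int demo_active_send_data(const uint8_t *buf, size_t len)
{
    if (!demo_enabled || buf == NULL)
        return -1;
    return (int)len; /* stand-in for building and injecting the response */
}
#else
/* Feature compiled out: the symbols still exist, so always-built callers
 * link, and every stub reports "nothing sent" rather than faking success. */
static inline void demo_active_set_enabled(int on) { (void)on; }
static inline int demo_active_is_enabled(void) { return 0; }
static inline int demo_active_send_data(const uint8_t *buf, size_t len)
{
    (void)buf; (void)len;
    return -1;
}
#endif

/* Always-compiled caller, in the position of the plugin glue in the thread.
 * Returns 1 = response sent, 0 = feature unavailable, -1 = send failed. */
int demo_send_block_response(const uint8_t *msg, size_t len)
{
    demo_active_set_enabled(1);
    if (!demo_active_is_enabled())
        return 0;
    return demo_active_send_data(msg, len) == (int)len ? 1 : -1;
}

int main(void)
{
    static const uint8_t page[] = "blocked"; /* constructed sample payload */
    printf("block response status: %d\n",
           demo_send_block_response(page, sizeof page - 1));
    return 0;
}
```

Building the same file with and without -DDEMO_ACTIVE_RESPONSE links in both cases; only the status returned by the caller changes.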
