Snort mailing list archives

RHEL 6 with Snort 2.9.5.6-1 and PCRE 8.33 install issue (UNCLASSIFIED)


From: "Wright, Jonathon S CTR (US)" <jonathon.s.wright.ctr () mail mil>
Date: Fri, 27 Dec 2013 23:19:26 +0000

Classification: UNCLASSIFIED
Caveats: NONE

Based on the ./configure --help on both the snort and pcre I think I need to
do this simple step:

1. PCRE 8.34 - Build and put it to a specific directory 
mkdir /usr/local/bin/snort/pcre834
./configure --prefix=/usr/local/bin/snort/pcre834 && make && make install


2. Snort 2.9.5.6-1 - Build and specify the pcre 8.34 libraries to use 
./configure --with-libpcre-libraries=/usr/local/bin/snort/pcre834 ...(etc.,
really long configure options) && make && make install


How's this look? Gonna do some backups, and some preparations, and then try
this out.



-----Original Message-----
From: Hazen Valliant-Saunders [mailto:hazenvs () gmail com] 
Sent: Friday, December 27, 2013 11:46 AM
To: Wright, Jonathon S CTR (US)
Subject: RE: [Snort-devel] RHEL 6 with Snort 2.9.5.6-1 and PCRE 8.33 install
issue (UNCLASSIFIED)

.config --with-pcre=/new/pcre/path I think? 

It's been a while since I have done this so best to read the man for the
details.

Usually if you run ./config --help the proper syntax may be displayed. 

On Dec 27, 2013 4:40 PM, "Wright, Jonathon S CTR (US)"
<jonathon.s.wright.ctr () mail mil> wrote:


        Classification: UNCLASSIFIED
        Caveats: NONE
        
        Thanks Hazen,
        
        It does appear that snort did pick up the old library path. I'll do some
        research for the .config 'linker' (ldconfig?) and see what I can find.
        Hopefully it's something simple. I think I just need to re ./configure, make,
        make install pcre and snort to point to same paths. Just need to figure out
        the 'how' part now. =)
        
        
        JW
        
        
        -----Original Message-----
        From: Hazen Valliant-Saunders [mailto:hazenvs () gmail com]
        Sent: Friday, December 27, 2013 11:09 AM
        To: Wright, Jonathon S CTR (US)
        Subject: Re: [Snort-devel] RHEL 6 with Snort 2.9.5.6-1 and PCRE 8.33 install
        issue (UNCLASSIFIED)
        
        Sounds like you may have to run the linker after the pcre install
        (Ldconfig) or reboot the install before installing snort; also check your
        config arguments. (Your .config file may have picked up the old library path)
        
        Regards,
        Hazen
        
        On Dec 27, 2013 3:28 PM, "Wright, Jonathon S CTR (US)"
        <jonathon.s.wright.ctr () mail mil> wrote:
        
        
                Classification: UNCLASSIFIED
                Caveats: NONE
        
                Hey List,
        
                Here is the goal, I'm trying to install snort 2.9.5.6-1 on a RHEL 6 with
                pcre 8.33 (8.34 as of the 15th of this month).
                Below are the details of the process I am doing and issues I'm running into.
                At the end, I listed 5 questions I need help with.

                I found one installation guide for RHEL 6 / snort 2.9.x on how to do this
                and followed it for assistance:
                http://www.procyonlabs.com/guides/rhel/snort_db_by2/
                http://www.procyonlabs.com/guides/rhel/snort_db_by2/
        
        
                After completing the guide (minor modifications, but the theory of it was
                followed), I did a simple version check of snort and its dependencies with a
                "snort -V".
                Snort returned this:
        
                # snort -V
        
                   ,,_     -*> Snort! <*-
                  o"  )~   Version 2.9.5.6 GRE (Build 208)
                   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
                           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
                           Using libpcap version 1.4.0
                           Using PCRE version: 7.8 2008-09-05
                           Using ZLIB version: 1.2.3
        
                What caught my attention was the PCRE version, which is very old and has a
                large number of release fixes / enhancements since 7.8, see here:
                http://www.pcre.org/changelog.txt
        
        
                On FreeBSD (which we are migrating from), the output of the "snort -V" is
                the same, except PCRE version is correct showing this:
                Using PCRE version: 8.33 2013-05-28
        
                So I figured I'd download the 8.34 version from pcre and build from source
                and rebuild snort. Snort still reflected the old pcre version.
                I talked to Red Hat, they indicated that they baselined pcre at 7.8 for
                RHEL6 OS and did not recommend / support it being overwritten (due to OS
                binary dependencies such as grep).
        
                So here are my 5 questions:
        
                1. Is the guide I followed (above url) the best way to build snort or is
                there a better guide? (has anyone else done RHEL 6 / snort 2.9.5.6 / pcre
                8.33)
                2. Why is snort not available for RHEL 6 as an rpm or provided in any RHEL
                repository? This is going to be a maintenance nightmare if everything has to
                be built from source every time a new version is released (we have large
                number of servers).
                3. What is the impact of not having pcre 8.34? (40% of our rules use pcre
                expressions)
                4. How do I compile / force snort to use the new pcre libraries if #3 above
                is severe?
                5. Can I have to leave 2 versions of pcre (one for OS and one for Snort) on
                the OS? If so how do I repeat #4 above when a new version of snort / pcre
                comes out?
        
                If this should be on a different list also, let me know.
        
                Any insight is appreciated.
        
                JW
        
        
        
        
        
                Classification: UNCLASSIFIED
                Caveats: NONE
        
        
        
        
        
                _______________________________________________
                Snort-devel mailing list
                Snort-devel () lists sourceforge net
                https://lists.sourceforge.net/lists/listinfo/snort-devel
                Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

                Please visit http://blog.snort.org for the latest news about Snort!
        
        
        
        Classification: UNCLASSIFIED
        Caveats: NONE
        
        
        


Classification: UNCLASSIFIED
Caveats: NONE


Attachment: smime.p7s
Description:
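
Added example, not part of the original thread or of Snort: a post-build check that the rebuilt snort really uses the private PCRE and has not silently fallen back to the system 7.8 library described above. The function names and the ldd sample line are constructed for illustration; it assumes PCRE's "make install" places the shared library under <prefix>/lib.

```sh
#!/bin/sh
# On a live host, feed check_pcre the real output of:
#   snort -V 2>&1        and        ldd "$(command -v snort)"

# Extract the PCRE version number from a `snort -V` banner on stdin.
pcre_banner_version() {
    sed -n 's/.*Using PCRE version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Extract the resolved libpcre path from `ldd` output on stdin.
# Prints nothing when the library is missing or reported "not found".
pcre_ldd_path() {
    awk '$1 ~ /^libpcre\.so/ && $3 ~ /^\// { print $3; exit }'
}

# check_pcre WANT_VERSION WANT_PREFIX BANNER_TEXT LDD_TEXT
# Returns 0 only when the banner reports WANT_VERSION and the loader
# resolves libpcre from under WANT_PREFIX; prints each reason otherwise.
check_pcre() {
    want_ver=$1; want_prefix=$2
    got_ver=$(printf '%s\n' "$3" | pcre_banner_version)
    got_path=$(printf '%s\n' "$4" | pcre_ldd_path)
    status=0
    if [ "$got_ver" != "$want_ver" ]; then
        echo "FAIL: snort reports PCRE '${got_ver:-none}', expected $want_ver"
        status=1
    fi
    case $got_path in
        "$want_prefix"/*) ;;
        *) echo "FAIL: libpcre resolved to '${got_path:-not found}', outside $want_prefix"
           status=1 ;;
    esac
    [ "$status" -eq 0 ] && echo "OK: PCRE $got_ver loaded from $got_path"
    return "$status"
}

# Banner line as quoted in the thread; the ldd line is constructed sample data.
SAMPLE_BANNER_OLD='           Using PCRE version: 7.8 2008-09-05'
SAMPLE_LDD_OLD='    libpcre.so.0 => /lib64/libpcre.so.0 (0x00007f0000000000)'

# Demo: the state described in the thread fails both checks.
check_pcre 8.34 /usr/local/bin/snort/pcre834 \
    "$SAMPLE_BANNER_OLD" "$SAMPLE_LDD_OLD" || true
```

Checking the loader path as well as the banner catches the case where the build linked against the new headers but the runtime loader still picks up the OS copy.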
