Snort mailing list archives

Re: Can't find nfq DAQ


From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 07 Mar 2014 10:10:24 -0700

On 2014-03-06 18:01, James Lay wrote:
Topic says it....so here's the setup:

 Slackware 13.1 x64

 compiled:
 libmnl-1.0.3
 libnetfilter_queue-1.0.2
 libnfnetlink-1.0.1

 from source all with:
 ./configure --prefix=/usr --libdir=/usr/lib64 --enable-static=no

 snort --daq-dir /usr/local/lib/daq --daq-list

 Available DAQ modules:
 nfq(v7): live inline multi
 pcap(v3): readback live multi unpriv
 ipq(v6): live inline multi
 ipfw(v3): live inline multi unpriv
 dump(v2): readback live inline multi unpriv
 afpacket(v5): live inline multi unpriv

 but for the life of me it just doesn't load up. Misc info:

 ldd `which snort`
 linux-vdso.so.1 => (0x00007fff8c151000)
 libcrypto.so.0 => /lib64/libcrypto.so.0 (0x00007fb2a7a11000)
 libpcre.so.0 => /usr/lib64/libpcre.so.0 (0x00007fb2a77ec000)
 libnsl.so.1 => /lib64/libnsl.so.1 (0x00007fb2a75d2000)
 libuuid.so.1 => /lib64/libuuid.so.1 (0x00007fb2a73cf000)
 libm.so.6 => /lib64/libm.so.6 (0x00007fb2a714c000)
 libdl.so.2 => /lib64/libdl.so.2 (0x00007fb2a6f48000)
 libipq.so.0 => /usr/lib64/libipq.so.0 (0x00007fb2a6d46000)
 libnetfilter_queue.so.1 => /usr/lib64/libnetfilter_queue.so.1 (0x00007fb2a6b40000)
 libnfnetlink.so.0 => /usr/lib64/libnfnetlink.so.0 (0x00007fb2a693a000)
 libmnl.so.0 => /usr/lib64/libmnl.so.0 (0x00007fb2a6736000)
 libsfbpf.so.0 => /usr/local/lib/libsfbpf.so.0 (0x00007fb2a6511000)
 libpcap.so.1 => /usr/lib64/libpcap.so.1 (0x00007fb2a62dd000)
 libdnet.1 => /lib64/libdnet.1 (0x00007fb2a60cb000)
 libz.so.1 => /usr/lib64/libz.so.1 (0x00007fb2a5eb7000)
 libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fb2a5c9a000)
 libc.so.6 => /lib64/libc.so.6 (0x00007fb2a5925000)
 /lib64/ld-linux-x86-64.so.2 (0x00007fb2a7d97000)

 Any hints would be appreciated...thanks!

 James

So I've recompiled libmnl-1.0.3, libnetfilter_queue-1.0.2, and 
libnfnetlink-1.0.1 with:

   ./configure --prefix=/usr --libdir=/usr/lib64

And now this is working:
[ Port Based Pattern Matching Memory ]
+- [ Aho-Corasick Summary ] -------------------------------------
| Storage Format    : Full-Q
| Finite Automaton  : DFA
| Alphabet Size     : 256 Chars
| Sizeof State      : Variable (1,2,4 bytes)
| Instances         : 277
|     1 byte states : 258
|     2 byte states : 19
|     4 byte states : 0
| Characters        : 252619
| States            : 128280
| Transitions       : 11337169
| State Density     : 34.5%
| Patterns          : 16572
| Match States      : 14688
| Memory (MB)       : 70.03
|   Patterns        : 1.75
|   Match Lists     : 5.34
|   DFA
|     1 byte states : 1.82
|     2 byte states : 60.52
|     4 byte states : 0.00
+----------------------------------------------------------------
[ Number of patterns truncated to 20 bytes: 3790 ]
nfq DAQ configured to inline.

Hope that helps someone.

James


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net