Snort mailing list archives

Re: Problems Enabling IPQ and NFQ


From: MMartin () jwpepper com
Date: Fri, 7 Mar 2014 14:55:19 -0500

YM, 

I'm pretty positive I've installed all of those packages. I'm not in front of my PC right now to see, but I will be shortly and I'll double check.

I used the YaST Software Manager to install them. But I'll double check and post back shortly. Thanks for the reply!

-Matt


Y M <snort () outlook com> wrote:



Did you install the IPQ and NFQ dependencies? A quick scan through the output of your ./configure command shows that these may not be installed or are inappropriately linked:
 
checking libipq.h usability... no 
checking libipq.h presence... no 
checking for libipq.h... no 
checking for linux/netfilter.h... yes 
checking for netinet/in.h... (cached) yes 
checking libnetfilter_queue/libnetfilter_queue.h usability... no 
checking libnetfilter_queue/libnetfilter_queue.h presence... no 
checking for libnetfilter_queue/libnetfilter_queue.h... no 

YM 
To: snort-users () lists sourceforge net
From: MMartin () jwpepper com
Date: Fri, 7 Mar 2014 14:26:25 -0500
Subject: [Snort-users] Problems Enabling IPQ and NFQ

Hello All,

OS: OpenSuSE 12.3  (x86_64)
Snort v2.9.6.0
DAQ v2.0.2
Barnyard2 1.9

So I'm trying to integrate Barnyard2 and Snort together (*which I also can't seem to figure out...) and during the process of that I realized that the IPQ and NFQ modules are not working for some reason after I tried using both in the Snort Config file. I have already installed DAQ, but at the time I didn't really pay much attention to the output from the configure command since it succeeded, and I wouldn't have known what to look for anyway...

But anyway, when I attempt to run the ./configure command again and again, to re-build DAQ I get the following output shown below. And I'm almost positive I have all the required libraries installed, so I'm not sure if it's just that the configure command can't find them..?

I've tried lots of variations of the "./configure [options]" command, but none have seemed to enable IPQ and NFQ... Most of these configure command examples I found online of people experiencing a similar issue as me...

# ./configure --libdir=/usr/lib64 --include=/usr/include
# ./configure --libdir=/usr/local/lib64 --include=/usr/include
# ./configure --libdir=/usr/lib64 --enable-ipq-module=yes
# ./configure --with-libpcap-includes=/usr/include/libnetfilter_queue --with-libpcap-libraries=/usr/lib64 --enable-ipq-module
# ./configure --with-libpcap-includes=/usr/include/libnetfilter_queue --with-libpcap-libraries=/usr/lib64 --enable-ipq-module=yes





There were definitely a few other variations of those, but I got pretty much the same result with all of them.



Output from './configure' Command:

configure: loading site script /usr/share/site/x86_64-unknown-linux-gnu
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /usr/bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking for style of include used by make... GNU
checking dependency style of gcc... gcc3
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
checking how to print strings... printf
checking for a sed that does not truncate output... /usr/bin/sed
checking for grep that handles long lines and -e... /usr/bin/grep
checking for egrep... /usr/bin/grep -E
checking for fgrep... /usr/bin/grep -F
checking for ld used by gcc... /usr/x86_64-suse-linux/bin/ld
checking if the linker (/usr/x86_64-suse-linux/bin/ld) is GNU ld... yes
checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B
checking the name lister (/usr/bin/nm -B) interface... BSD nm
checking whether ln -s works... yes
checking the maximum length of command line arguments... 1572864
checking whether the shell understands some XSI constructs... yes
checking whether the shell understands "+="... yes
checking how to convert x86_64-unknown-linux-gnu file names to x86_64-unknown-linux-gnu format... func_convert_file_noop
checking how to convert x86_64-unknown-linux-gnu file names to toolchain format... func_convert_file_noop
checking for /usr/x86_64-suse-linux/bin/ld option to reload object files... -r
checking for objdump... objdump
checking how to recognize dependent libraries... pass_all
checking for dlltool... no
checking how to associate runtime and link libraries... printf %s\n
checking for ar... ar
checking for archiver @FILE support... @
checking for strip... strip
checking for ranlib... ranlib
checking command to parse /usr/bin/nm -B output from gcc object... ok
checking for sysroot... no
checking for mt... mt
checking if mt is a manifest tool... no
checking how to run the C preprocessor... gcc -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking for dlfcn.h... yes
checking for objdir... .libs
checking if gcc supports -fno-rtti -fno-exceptions... no
checking for gcc option to produce PIC... -fPIC -DPIC
checking if gcc PIC flag -fPIC -DPIC works... yes
checking if gcc static flag -static works... no
checking if gcc supports -c -o file.o... yes
checking if gcc supports -c -o file.o... (cached) yes
checking whether the gcc linker (/usr/x86_64-suse-linux/bin/ld -m elf_x86_64) supports shared libraries... yes
checking whether -lc should be explicitly linked in... no
checking dynamic linker characteristics... GNU/Linux ld.so
checking how to hardcode library paths into programs... immediate
checking whether stripping libraries is possible... yes
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... yes
checking for visibility support... yes
checking CFLAGS for gcc -Wall... -Wall
checking CFLAGS for gcc -Wwrite-strings... -Wwrite-strings
checking CFLAGS for gcc -Wsign-compare... -Wsign-compare
checking CFLAGS for gcc -Wcast-align... -Wcast-align
checking CFLAGS for gcc -Wextra... -Wextra
checking CFLAGS for gcc -Wformat... -Wformat
checking CFLAGS for gcc -Wformat-security... -Wformat-security
checking CFLAGS for gcc -Wno-unused-parameter... -Wno-unused-parameter
checking CFLAGS for gcc -fno-strict-aliasing... -fno-strict-aliasing
checking CFLAGS for gcc -fdiagnostics-show-option... -fdiagnostics-show-option
checking CFLAGS for gcc -pedantic -std=c99 -D_GNU_SOURCE... -pedantic -std=c99 -D_GNU_SOURCE
checking for getaddrinfo... yes
checking for flex... flex
checking for flex 2.4 or higher... yes
checking for bison... bison
checking linux/if_ether.h usability... yes
checking linux/if_ether.h presence... yes
checking for linux/if_ether.h... yes
checking linux/if_packet.h usability... yes
checking linux/if_packet.h presence... yes
checking for linux/if_packet.h... yes
checking whether TPACKET2_HDRLEN is declared... yes
checking whether PACKET_TX_RING is declared... yes
checking pcap.h usability... yes
checking pcap.h presence... yes
checking for pcap.h... yes
checking for pcap_lib_version in -lpcap... yes
checking netinet/in.h usability... yes
checking netinet/in.h presence... yes
checking for netinet/in.h... yes
checking libipq.h usability... no
checking libipq.h presence... no
checking for libipq.h... no
checking for linux/netfilter.h... yes
checking for netinet/in.h... (cached) yes
checking libnetfilter_queue/libnetfilter_queue.h usability... no
checking libnetfilter_queue/libnetfilter_queue.h presence... no
checking for libnetfilter_queue/libnetfilter_queue.h... no
checking for linux/netfilter.h... (cached) yes
checking for pcap.h... (cached) yes
checking for pcap_lib_version... checking for pcap_lib_version in -lpcap... (cached) yes
checking for libpcap version >= "1.0.0"... yes
checking for dlopen in -ldl... yes
checking for inttypes.h... (cached) yes
checking for memory.h... (cached) yes
checking netdb.h usability... yes
checking netdb.h presence... yes
checking for netdb.h... yes
checking for netinet/in.h... (cached) yes
checking for stdint.h... (cached) yes
checking for stdlib.h... (cached) yes
checking for string.h... (cached) yes
checking sys/ioctl.h usability... yes
checking sys/ioctl.h presence... yes
checking for sys/ioctl.h... yes
checking sys/param.h usability... yes
checking sys/param.h presence... yes
checking for sys/param.h... yes
checking sys/socket.h usability... yes
checking sys/socket.h presence... yes
checking for sys/socket.h... yes
checking sys/time.h usability... yes
checking sys/time.h presence... yes
checking for sys/time.h... yes
checking for unistd.h... (cached) yes
checking for inline... inline
checking for size_t... yes
checking for uint16_t... yes
checking for uint32_t... yes
checking for uint64_t... yes
checking for uint8_t... yes
checking for stdlib.h... (cached) yes
checking for GNU libc compatible malloc... yes
checking for stdlib.h... (cached) yes
checking for unistd.h... (cached) yes
checking for sys/param.h... (cached) yes
checking for getpagesize... yes
checking for working mmap... yes
checking for gethostbyname... yes
checking for getpagesize... (cached) yes
checking for memset... yes
checking for munmap... yes
checking for socket... yes
checking for strchr... yes
checking for strcspn... yes
checking for strdup... yes
checking for strerror... yes
checking for strrchr... yes
checking for strstr... yes
checking for strtoul... yes
configure: creating ./config.status
config.status: creating Makefile
config.status: creating api/Makefile
config.status: creating os-daq-modules/Makefile
config.status: creating os-daq-modules/daq-modules-config
config.status: creating sfbpf/Makefile
config.status: creating config.h
config.status: config.h is unchanged
config.status: executing depfiles commands
config.status: executing libtool commands



Build AFPacket DAQ module.. : yes
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : no
Build NFQ DAQ module....... : no
Build PCAP DAQ module...... : yes





Here is snort command output for --daq-list:

# snort --daq-list=/usr/lib64/daq
        /usr/lib64/daq/daq_ipq.so: dlsym: /usr/lib64/daq/daq_ipq.so: undefined symbol: DAQ_MODULE_DATA
        /usr/lib64/daq/libipq.so: dlsym: /usr/lib64/daq/libipq.so: undefined symbol: DAQ_MODULE_DATA
        Available DAQ modules:
        pcap(v3): readback live multi unpriv
        ipfw(v3): live inline multi unpriv
        dump(v2): readback live inline multi unpriv
        afpacket(v5): live inline multi unpriv





Any thoughts or suggestions would be GREATLY appreciated! Kind of stuck and going in circles here....



Thanks in Advance,

Matt




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!                                        
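
An added example, not part of the original thread or of the DAQ sources: a small shell script that ties the negative header checks in the ./configure output to the modules the summary reports as not built. The function names and the module-to-header mapping are assumptions of this example, and the sample input is constructed from lines quoted in the thread.

```shell
# Constructed sample input, built from lines of the configure output in this thread.
sample_configure_output() {
cat <<'EOF'
checking for pcap.h... yes
checking libipq.h usability... no
checking libipq.h presence... no
checking for libipq.h... no
checking for linux/netfilter.h... yes
checking libnetfilter_queue/libnetfilter_queue.h usability... no
checking libnetfilter_queue/libnetfilter_queue.h presence... no
checking for libnetfilter_queue/libnetfilter_queue.h... no
Build AFPacket DAQ module.. : yes
Build IPQ DAQ module....... : no
Build NFQ DAQ module....... : no
Build PCAP DAQ module...... : yes
EOF
}

# Headers whose final verdict ("checking for X.h... no") was negative.
missing_headers() {
    sed -n 's/^checking for \(.*\.h\)\.\.\. \((cached) \)\{0,1\}no$/\1/p'
}

# Modules that the build summary reports as not built.
disabled_modules() {
    sed -n 's/^Build \([A-Za-z0-9]*\) DAQ module[. ]*: *no$/\1/p'
}

# For each disabled module, report whether its header check failed.
# Assumed mapping (hypothetical, taken from the checks shown in the thread):
# IPQ -> libipq.h, NFQ -> libnetfilter_queue/libnetfilter_queue.h.
explain_disabled() {
    log=$(cat)
    missing=$(printf '%s\n' "$log" | missing_headers)
    printf '%s\n' "$log" | disabled_modules | while read -r mod; do
        case $mod in
            IPQ) hdr=libipq.h ;;
            NFQ) hdr=libnetfilter_queue/libnetfilter_queue.h ;;
            *)   hdr= ;;
        esac
        if [ -n "$hdr" ] && printf '%s\n' "$missing" | grep -qxF "$hdr"; then
            echo "$mod: not built, header $hdr was not found"
        else
            echo "$mod: not built, cause not visible in the header checks"
        fi
    done
}

sample_configure_output | explain_disabled
```

To check a real build, pipe the live output through the same function: `./configure 2>&1 | explain_disabled`.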
  