Snort mailing list archives

Re: [Non-DoD Source] Re: Snort 2.9.8.0 no --enable-zlib option


From: "Gilbert, Sonia M CTR (US)" <sonia.m.gilbert.ctr () mail mil>
Date: Fri, 5 Feb 2016 04:07:52 +0000

Just wanted to give an update on this.  I am trying to install snort properly and am getting multiple issues.  One of 
the main issues is the install of pcre.  When I install version 8.37 and then install snort, then issue snort -V, it is 
reflecting an older version of pcre than 8.37.  I have found that the file pcre.h inside /usr/src/pcre-8.37 has the 
correct values.  Inside the snort folder is a file that calls up pcre.h, named sp_pcre.h.  How do I get snort to 
recognize the correct install, and how can I verify that it's using the correct one?

Very green at all this and really appreciate any help you can provide.

[root@ etc]# snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.8.0 GRE (Build 229)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.7.4
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.3

###partial output from "more /usr/src/pcre-8.37/pcre.h"
/* The current PCRE version information. */

#define PCRE_MAJOR          8
#define PCRE_MINOR          37
#define PCRE_PRERELEASE
#define PCRE_DATE           2015-04-28

###From sp_pcre
[root@ etc]# more /usr/src/snort-2.9.8.0/src/detection-plugins/sp_pcre.h
/*
** Copyright (C) 2003 Brian Caswell <bmc () snort org>
** Copyright (C) 2003 Michael J. Pomraning <mjp () securepipe com>
** Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
** Copyright (C) 2003-2013 Sourcefire, Inc.
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License Version 2 as
** published by the Free Software Foundation.  You may not use, modify or
** distribute this program under any other version of the GNU General
** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
*/

/*  I N C L U D E S
**********************************************************/

/*  D E F I N E S
************************************************************/
#ifndef __SNORT_PCRE_H__
#define __SNORT_PCRE_H__

// low nibble must be same as HTTP_BUFFER_*
// see detection_util.h for enum
#define SNORT_PCRE_HTTP_URI         0x00001 // check URI buffers
#define SNORT_PCRE_HTTP_HEADER      0x00002 // Check HTTP header buffer
#define SNORT_PCRE_HTTP_BODY        0x00003 // Check HTTP body buffer
#define SNORT_PCRE_HTTP_METHOD      0x00004 // Check HTTP method buffer
#define SNORT_PCRE_HTTP_COOKIE      0x00005 // Check HTTP cookie buffer
#define SNORT_PCRE_HTTP_STAT_CODE   0x00006
#define SNORT_PCRE_HTTP_STAT_MSG    0x00007
#define SNORT_PCRE_HTTP_RAW_URI     0x00008
#define SNORT_PCRE_HTTP_RAW_HEADER  0x00009
#define SNORT_PCRE_HTTP_RAW_COOKIE  0x0000A
#define SNORT_PCRE_HTTP_BUFS        0x0000F
#define SNORT_PCRE_RELATIVE         0x00010 // relative to the end of the last match
#define SNORT_PCRE_INVERT           0x00020 // invert detect
#define SNORT_PCRE_RAWBYTES         0x00040 // Don't use decoded buffer (if available)
#define SNORT_PCRE_ANCHORED         0x00080
#define SNORT_OVERRIDE_MATCH_LIMIT  0x00100 // Override default limits on match & match recursion

void SetupPcre(void);

#include <pcre.h>
typedef struct _PcreData
{
    pcre *re;           /* compiled regex */
    pcre_extra *pe;     /* studied regex foo */
    int options;        /* sp_pcre specfic options (relative & inverse) */
    char *expression;
    uint32_t search_offset;
} PcreData;

Thank you,


Sonia Gilbert
Regional Cyber Center-Pacific, CTR
Defensive Cyber Operations Division
(808) 438-0513
NIPR:  Sonia.m.gilbert.ctr () mail mil




-----Original Message-----
From: Gilbert, Sonia M CTR (US) [mailto:sonia.m.gilbert.ctr () mail mil] 
Sent: Thursday, February 04, 2016 2:21 PM
To: Snort-users () lists sourceforge net
Subject: [Non-DoD Source] Re: [Snort-users] Snort 2.9.8.0 no --enable-zlib option


Sorry forgot to include capture:
 Issued the configure:
./configure --with-libpcre-libraries=/usr/local/bin/pcre837/lib --with-libpcre-includes=/usr/local/bin/pcre837/include 
--enable-zlib --enable-gre --enable-mpls --disable-debug --enable-sourcefire  --enable-ppm  --disable-corefiles  
--enable-react  --enable-flexresp3 --enable-large-pcap --enable-targetbased --enable-perfprofiling --enable-reload 
--disable-non-ether-decoders --enable-normalizer --enable-active-response

Abbreviated previous output:
config.status: creating config.h
config.status: config.h is unchanged
config.status: executing depfiles commands
config.status: executing libtool commands
configure: WARNING: unrecognized options: --enable-zlib

Configure help does not have an option for it:


[root@SHAFM10ASWINT1 snort-2.9.8.0]# ./configure -help
`configure' configures this package to adapt to many kinds of systems.

Usage: ./configure [OPTION]... [VAR=VALUE]...

To assign environment variables (e.g., CC, CFLAGS...), specify them as VAR=VALUE.  See below for descriptions of some 
of the useful variables.

Defaults for the options are specified in brackets.

Configuration:
  -h, --help              display this help and exit
      --help=short        display options specific to this package
      --help=recursive    display the short help of all the included packages
  -V, --version           display version information and exit
  -q, --quiet, --silent   do not print `checking ...' messages
      --cache-file=FILE   cache test results in FILE [disabled]
  -C, --config-cache      alias for `--cache-file=config.cache'
  -n, --no-create         do not create output files
      --srcdir=DIR        find the sources in DIR [configure dir or `..']

Installation directories:
  --prefix=PREFIX         install architecture-independent files in PREFIX
                          [/usr/local]
  --exec-prefix=EPREFIX   install architecture-dependent files in EPREFIX
                          [PREFIX]

By default, `make install' will install all the files in `/usr/local/bin', `/usr/local/lib' etc.  You can specify an 
installation prefix other than `/usr/local' using `--prefix', for instance `--prefix=$HOME'.

For better control, use the options below.

Fine tuning of the installation directories:
  --bindir=DIR            user executables [EPREFIX/bin]
  --sbindir=DIR           system admin executables [EPREFIX/sbin]
  --libexecdir=DIR        program executables [EPREFIX/libexec]
  --sysconfdir=DIR        read-only single-machine data [PREFIX/etc]
  --sharedstatedir=DIR    modifiable architecture-independent data [PREFIX/com]
  --localstatedir=DIR     modifiable single-machine data [PREFIX/var]
  --libdir=DIR            object code libraries [EPREFIX/lib]
  --includedir=DIR        C header files [PREFIX/include]
  --oldincludedir=DIR     C header files for non-gcc [/usr/include]
  --datarootdir=DIR       read-only arch.-independent data root [PREFIX/share]
  --datadir=DIR           read-only architecture-independent data [DATAROOTDIR]
  --infodir=DIR           info documentation [DATAROOTDIR/info]
  --localedir=DIR         locale-dependent data [DATAROOTDIR/locale]
  --mandir=DIR            man documentation [DATAROOTDIR/man]
  --docdir=DIR            documentation root [DATAROOTDIR/doc/PACKAGE]
  --htmldir=DIR           html documentation [DOCDIR]
  --dvidir=DIR            dvi documentation [DOCDIR]
  --pdfdir=DIR            pdf documentation [DOCDIR]
  --psdir=DIR             ps documentation [DOCDIR]

Program names:
  --program-prefix=PREFIX            prepend PREFIX to installed program names
  --program-suffix=SUFFIX            append SUFFIX to installed program names
  --program-transform-name=PROGRAM   run sed PROGRAM on installed program names

System types:
  --build=BUILD     configure for building on BUILD [guessed]
  --host=HOST       cross-compile to build programs to run on HOST [BUILD]

Optional Features:
  --disable-option-checking  ignore unrecognized --enable/--with options
  --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
  --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
  --enable-silent-rules   less verbose build output (undo: "make V=1")
  --disable-silent-rules  verbose build output (undo: "make V=0")
  --enable-dependency-tracking
                          do not reject slow dependency extractors
  --disable-dependency-tracking
                          speeds up one-time build
  --enable-shared[=PKGS]  build shared libraries [default=yes]
  --enable-static[=PKGS]  build static libraries [default=yes]
  --enable-fast-install[=PKGS]
                          optimize for fast installation [default=yes]
  --disable-libtool-lock  avoid locking (might break parallel builds)
  --enable-64bit-gcc       Try to compile 64bit (only tested on Sparc Solaris 9 and 10).
  --enable-so-with-static-lib  Enable linking of dynamically loaded preprocessors with a static preprocessor library
  --enable-control-socket  Enable the control socket
  --enable-side-channel    Enable the side channel (Experimental)
  --disable-static-daq     Link static DAQ modules.
  --enable-build-dynamic-examples   Enable building of example dynamically loaded preprocessor and rule (off by default)
  --disable-dlclose        Only use if you are developing dynamic preprocessors or shared object rules.  Disable
                           (--disable-dlclose) for testing valgrind leaks in dynamic libraries so a usable backtrace
                           is reported.  Enabled by default.
  --disable-lzma           Disable LZMA Decompression
  --disable-gre            Disable GRE and IP in IP encapsulation support
  --disable-mpls           Disable MPLS support
  --disable-targetbased    Disable Target-Based Support in Stream, Frag, and Rules (adds pthread support implicitly)
  --disable-ppm            Disable packet/rule performance monitor
  --disable-perfprofiling  Disable preprocessor and rule performance profiling
  --enable-linux-smp-stats Enable statistics reporting through proc
  --enable-inline-init-failopen  Enable Fail Open during initialization for Inline Mode (adds pthread support
                           implicitly)
  --disable-pthread        Disable pthread support
  --enable-debug-msgs      Enable debug printing options (bugreports and developers only)
  --enable-debug           Enable debugging options (bugreports and developers only)
  --enable-gdb             Enable gdb debugging information
  --enable-profile         Enable profiling options (developers only)
  --enable-test-coverage   Enable gcov test coverage tracking (developers only)
  --disable-ppm-test       Disable packet/rule performance monitor
  --enable-sourcefire      Enable Sourcefire specific build options, encompasing --enable-perfprofiling and --enable-ppm
  --disable-corefiles      Prevent Snort from generating core files
  --disable-active-response Disable reject injection
  --disable-normalizer     Disable packet/stream normalizations
  --disable-reload         Disable reloading a configuration without restarting
  --disable-reload-error-restart   Disable restarting on reload error
  --enable-ha              Enable high-availability state sharing (Experimental)
  --enable-non-ether-decoders  Enable non Ethernet decoders.
  --disable-react          Disable interception and termination of offending HTTP accesses
  --disable-flexresp3      Disable flexible responses (v3) on hostile connection attempts
  --enable-intel-soft-cpm  Enable Intel Soft CPM support
  --enable-shared-rep      Enable use of Shared Memory for Reputation (Linux only)
  --enable-large-pcap      Enable support for pcaps larger than 2 GB
  --enable-file-inspect   Build with extended file inspection features.
                          (Experimental)
  --enable-open-appid     Build with application id support. (Experimental)

Optional Packages:
  --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
  --without-PACKAGE       do not use PACKAGE (same as --with-PACKAGE=no)
  --with-pic[=PKGS]       try to use only PIC/non-PIC objects [default=use
                          both]
  --with-gnu-ld           assume the C compiler uses GNU ld [default=no]
  --with-sysroot=DIR Search for dependent libraries within DIR
                        (or the compiler's sysroot if not specified).
  --with-libpcap-includes=DIR    libpcap include directory
  --with-libpcap-libraries=DIR   libpcap library directory
  --with-libpfring-includes=DIR  libpfring include directory
  --with-libpfring-libraries=DIR libpfring library directory
  --with-daq-includes=DIR        DAQ include directory
  --with-daq-libraries=DIR       DAQ library directory
  --with-libpcre-includes=DIR    libpcre include directory
  --with-libpcre-libraries=DIR   libpcre library directory
  --with-openssl-includes=DIR    openssl include directory
  --with-openssl-libraries=DIR   openssl library directory
  --with-dnet-includes=DIR       libdnet include directory
  --with-dnet-libraries=DIR      libdnet library directory
  --with-lzma-includes=DIR       liblzma include directory
  --with-lzma-libraries=DIR      liblzma library directory
  --with-intel-soft-cpm-includes=DIR      Intel Soft CPM include directory
  --with-intel-soft-cpm-libraries=DIR     Intel Soft CPM library directory

Some influential environment variables:
  CC          C compiler command
  CFLAGS      C compiler flags
  LDFLAGS     linker flags, e.g. -L<lib dir> if you have libraries in a
              nonstandard directory <lib dir>
  LIBS        libraries to pass to the linker, e.g. -l<library>
  CPPFLAGS    (Objective) C/C++ preprocessor flags, e.g. -I<include dir> if
              you have headers in a nonstandard directory <include dir>
  CPP         C preprocessor
  SIGNAL_SNORT_RELOAD
              set the SIGNAL_SNORT_RELOAD value
  SIGNAL_SNORT_DUMP_STATS
              set the SIGNAL_SNORT_DUMP_STATS value
  SIGNAL_SNORT_ROTATE_STATS
              set the SIGNAL_SNORT_ROTATE_STATS value
  SIGNAL_SNORT_READ_ATTR_TBL
              set the SIGNAL_SNORT_READ_ATTR_TBL value
  PKG_CONFIG  path to pkg-config utility
  PKG_CONFIG_PATH
              directories to add to pkg-config's search path
  PKG_CONFIG_LIBDIR
              path overriding pkg-config's built-in search path
  luajit_CFLAGS
              C compiler flags for luajit, overriding pkg-config
  luajit_LIBS linker flags for luajit, overriding pkg-config

Use these variables to override the choices made by `configure' or to help it to find libraries and programs with 
nonstandard names/locations.

Report bugs to the package provider.
[root@SHAFM10ASWINT1 snort-2.9.8.0]#

-----Original Message-----
From: Gilbert, Sonia M CTR (US)
Sent: Thursday, February 04, 2016 2:17 PM
To: 'Snort-users () lists sourceforge net' <Snort-users () lists sourceforge net>
Subject: Snort 2.9.8.0 no --enable-zlib option

Dear Snort Community,

I am trying to install Snort 2.9.8.0 and get the following warning:
configure: WARNING: unrecognized options: --enable-zlib

Was zlib replaced by utility?  

Sonia Gilbert
Regional Cyber Center-Pacific, CTR
Defensive Cyber Operations Division
(808) 438-0513
NIPR:  Sonia.m.gilbert.ctr () mail mil


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
Caution-https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
Caution-http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit Caution-http://blog.snort.org to stay current on all the latest Snort news!

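The two questions in the thread above (why `snort -V` reports PCRE 7.8 when 8.37 was built, and why `--enable-zlib` is rejected) both come down to checking what the build actually picked up. The version string in `snort -V` comes from the shared libpcre the dynamic loader resolves at run time, not from the pcre.h the compiler saw, so the thing to inspect is `ldd` on the snort binary; and the 2.9.8.0 help text quoted in the thread lists no zlib option at all while `snort -V` still reports "Using ZLIB version", so the warning only means the flag is unrecognized. The script below is an added example, not code from the thread or from the Snort project: it parses `snort -V`, `pcre.h`, `ldd` and `./configure --help` output and flags the mismatch. The sample inputs are constructed from text in the thread (the `ldd` lines and load addresses are made up), and the prefix /usr/local/bin/pcre837 is assumed from the poster's configure line.

```shell
#!/bin/sh
# Added example: verify which PCRE a Snort binary really resolves, and check a
# configure option before passing it. Not part of the thread or of Snort itself.

# Extract "Using PCRE version: X.Y" from `snort -V` output. That number is
# reported by the libpcre the loader picked, not by the header used at compile time.
pcre_version_from_snort() {
    printf '%s\n' "$1" | sed -n 's/.*Using PCRE version: *\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Read PCRE_MAJOR / PCRE_MINOR from pcre.h text and print MAJOR.MINOR.
pcre_version_from_header() {
    _maj=$(printf '%s\n' "$1" | awk '$1 == "#define" && $2 == "PCRE_MAJOR" { print $3; exit }')
    _min=$(printf '%s\n' "$1" | awk '$1 == "#define" && $2 == "PCRE_MINOR" { print $3; exit }')
    printf '%s.%s\n' "$_maj" "$_min"
}

# From `ldd /path/to/snort` output, print the path libpcre resolved to.
pcre_lib_from_ldd() {
    printf '%s\n' "$1" | awk '/libpcre\.so/ { print $3; exit }'
}

# Succeed only if the resolved libpcre lives under the expected install prefix.
pcre_resolves_under() {
    _lib=$(pcre_lib_from_ldd "$2")
    case "$_lib" in
        "$1"/*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Succeed only if `./configure --help` text lists the given option
# (followed by a space, '=' or '[', so --with-libpcre does not match --with-libpcre-includes).
configure_knows_option() {
    printf '%s\n' "$2" | grep -q -- "^ *$1[ =[]"
}

# Constructed samples, taken from the text of the thread.
SNORT_V_SAMPLE='   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.8.0 GRE (Build 229)
           Using libpcap version 1.7.4
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.3'
PCRE_H_SAMPLE='#define PCRE_MAJOR          8
#define PCRE_MINOR          37'
# Constructed ldd output: the loader picking the distribution libpcre, not the custom one.
LDD_SAMPLE='        linux-vdso.so.1 =>  (0x00007ffd2a3f0000)
        libpcre.so.0 => /lib64/libpcre.so.0 (0x00007f1c4a200000)
        libz.so.1 => /lib64/libz.so.1 (0x00007f1c49fe0000)'
CONFIGURE_HELP_SAMPLE='  --disable-lzma           Disable LZMA Decompression
  --with-libpcre-includes=DIR    libpcre include directory
  --with-libpcre-libraries=DIR   libpcre library directory'

PCRE_PREFIX=/usr/local/bin/pcre837   # assumption: the prefix on the configure line in the thread

report() {
    echo "pcre.h says:     $(pcre_version_from_header "$PCRE_H_SAMPLE")"
    echo "snort -V says:   $(pcre_version_from_snort "$SNORT_V_SAMPLE")"
    echo "loader resolved: $(pcre_lib_from_ldd "$LDD_SAMPLE")"
    if pcre_resolves_under "$PCRE_PREFIX" "$LDD_SAMPLE"; then
        echo "OK: libpcre comes from $PCRE_PREFIX"
    else
        echo "MISMATCH: libpcre is not from $PCRE_PREFIX; fix the library search path and relink"
    fi
    if configure_knows_option --enable-zlib "$CONFIGURE_HELP_SAMPLE"; then
        echo "configure recognises --enable-zlib"
    else
        echo "configure does not list --enable-zlib; drop it from the command line"
    fi
}

# On a host with snort installed, replace the samples with live output:
#   SNORT_V_SAMPLE=$(snort -V 2>&1); LDD_SAMPLE=$(ldd "$(command -v snort)")
#   CONFIGURE_HELP_SAMPLE=$(./configure --help)
report
```

If the loader resolves libpcre from /lib64 rather than the custom prefix, `readelf -d "$(command -v snort)" | grep -E 'NEEDED|RPATH|RUNPATH'` shows which soname was linked and whether any run path was recorded. A library built outside the default search path is only found at run time if that path is known to the loader, so either pass `LDFLAGS="-Wl,-rpath,/usr/local/bin/pcre837/lib"` to configure, or add the directory to /etc/ld.so.conf.d/ and run `ldconfig`, then rebuild and rerun the check. The practical consequence of the mismatch is that rule regexes are evaluated by a 2008-era PCRE rather than the one that was just built.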

