Snort mailing list archives

Re: Ubuntu 18 and so rules error


From: Y M via Snort-users <snort-users () lists snort org>
Date: Wed, 20 Jun 2018 02:30:35 +0000

Same results over here with malware-other.so.

ERROR: Failed to load /usr/local/snort/lib/snort_dynamicrules/malware-other.so: 
/usr/local/snort/lib/snort_dynamicrules/malware-other.so: undefined symbol: sin

$ ldd /usr/local/snort/lib/snort_dynamicrules/malware-other.so
linux-vdso.so.1 (0x00007ffd4f9fe000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fa326064000)
/lib64/ld-linux-x86-64.so.2 (0x00007fa326781000)

...and ldd for protocol-dns.so for comparison's sake.

$ ldd /usr/local/snort/lib/snort_dynamicrules/protocol-dns.so
linux-vdso.so.1 (0x00007ffe5c5ec000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f08aaf9c000)
/lib64/ld-linux-x86-64.so.2 (0x00007f08ab5bf000)

YM
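
The check implied by the ldd comparison above, as an added example that is not part of the original messages: `sin` and `log` are defined in glibc's libm.so.6, and neither ldd listing includes it. The function names and the `MATH_SYMBOLS` subset are assumptions; the error text and first ldd listing are copied from the message, and the listing with libm is constructed for contrast.

```python
import re

# Illustrative subset of functions glibc defines in libm.so.6 rather than libc.so.6.
MATH_SYMBOLS = {"sin", "cos", "tan", "log", "log10", "exp", "pow", "sqrt"}

# Tolerates the line wrapping seen in the quoted Snort errors.
ERR_RE = re.compile(r"(?P<path>/\S+\.so):\s+undefined\s+symbol:\s+(?P<sym>\w+)")

# Copied from the message above.
YM_ERROR = """ERROR: Failed to load /usr/local/snort/lib/snort_dynamicrules/malware-other.so:
/usr/local/snort/lib/snort_dynamicrules/malware-other.so: undefined symbol: sin"""
YM_LDD = """linux-vdso.so.1 (0x00007ffd4f9fe000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fa326064000)
/lib64/ld-linux-x86-64.so.2 (0x00007fa326781000)"""
# Constructed for contrast: the same listing with a libm entry added.
LDD_WITH_LIBM = YM_LDD + "\nlibm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007fa325cc6000)"


def parse_ldd(text):
    """Return the sonames listed by ldd (first field of each line, basename only)."""
    return {line.split()[0].rsplit("/", 1)[-1]
            for line in text.splitlines() if line.split()}


def parse_load_error(text):
    """Return (shared_object_path, symbol) from a loader error, or None."""
    m = ERR_RE.search(text)
    return (m.group("path"), m.group("sym")) if m else None


def diagnose(error_text, ldd_text):
    """Correlate the unresolved symbol with the object's recorded dependencies."""
    parsed = parse_load_error(error_text)
    if parsed is None:
        return None
    path, sym = parsed
    links_libm = any(dep.startswith("libm.so") for dep in parse_ldd(ldd_text))
    return {
        "object": path,
        "symbol": sym,
        "links_libm": links_libm,
        # A libm function is referenced but libm is not a recorded dependency, so
        # dlopen can resolve it only if the host process already has libm loaded.
        "missing_libm_dependency": sym in MATH_SYMBOLS and not links_libm,
    }


if __name__ == "__main__":
    print(diagnose(YM_ERROR, YM_LDD))
```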

________________________________
From: Snort-users <snort-users-bounces () lists snort org> on behalf of Russ via Snort-users <snort-users () lists snort org>
Sent: Wednesday, June 20, 2018 5:19 AM
To: jlay () slave-tothe-box net; Patrick Mullen (pamullen); Snort
Subject: Re: [Snort-users] Ubuntu 18 and so rules error

Hey James,

Can you send the ldd output for protocol-dns.so?

Thanks
Russ

On 6/19/18 8:29 PM, James Lay wrote:

Alas I got the same results:

An error occurred: Loading dynamic detection library /opt/snort/lib/snort_dynamicrules/protocol-dns.so... ERROR: Failed 
to load /opt/snort/lib/snort_dynamicrules/protocol-dns.so: /opt/snort/lib/snort_dynamicrules/protocol-dns.so: undefined 
symbol: log

file info:

-rwxr-xr-x 1 root root 445824 Jun 18 11:28 /opt/snort/lib/snort_dynamicrules/protocol-dns.so

My snort was compiled like so:

./configure --prefix=/opt/snort --enable-non-ether-decoders --enable-sourcefire --enable-shared-rep 
--enable-control-socket --enable-file-inspect --with-daq-includes=/opt/daq/include --with-daq-libraries=/opt/daq/lib 
--with-dnet-includes=/opt/libdnet/include --with-dnet-libraries=/opt/libdnet/lib

libdnet like so:

./configure --prefix=/opt/libdnet CFLAGS="-fPIC -g -O2"

and daq like so:

./configure --prefix=/opt/daq

That info might help.  If you'd like and have the time Patrick ping me off list and I can get you ssh access and you 
can go to town...thank you!

James

On 2018-06-19 09:57, James Lay wrote:

Thanks Patrick...will test on that dev box today and report my findings.

James

On 2018-06-18 13:25, Patrick Mullen (pamullen) wrote:

James, Y M, and anyone else experiencing this issue.

We've made a build change from feedback given to me by Russ, so please report back after our next release, which should 
be some time tomorrow, Tuesday, 19 June, and let me know if the issue has been resolved.  Unfortunately, I don't have 
the issue myself so I can't test it, but it should fix it.  :crosses fingers:  Thanks for your patience and assistance.

Thanks,

~Patrick

From: "Patrick Mullen (pamullen)" <pamullen () cisco com>
Date: Friday, June 15, 2018 at 1:13 PM
To: "jlay () slave-tothe-box net" <jlay () slave-tothe-box net>
Cc: "snort-users () lists snort org" <snort-users () lists snort org>
Subject: Re: [Snort-users] Ubuntu 18 and so rules error

James,

I'm at a loss.  Let me google and think about this and get back to you.  Maybe it's a versioning issue?

Anyone else have/seen this issue?

Thanks,

~Patrick

From: James Lay <jlay () slave-tothe-box net>
Reply-To: "jlay () slave-tothe-box net" <jlay () slave-tothe-box net>
Date: Thursday, June 14, 2018 at 5:44 PM
To: "Patrick Mullen (pamullen)" <pamullen () cisco com>
Cc: "snort-users () lists snort org" <snort-users () lists snort org>
Subject: Re: [Snort-users] Ubuntu 18 and so rules error

Yes....of note I am not compiling the rules, just using pulled pork to do its thing.

James

On 2018-06-14 08:50, Patrick Mullen (pamullen) wrote:

To be clear, my example code ran first try?  Does snort continue to throw that error?

~Patrick

From: James Lay <jlay () slave-tothe-box net>

Ran like a champ:

<snip screenshot>

now we're having some fun!

James

On 2018-06-13 09:20, Patrick Mullen (pamullen) wrote:

James,

Here's a quick test.  If this doesn't work, then install whatever google tells you and it should fix the snort loading 
problem.  If it does, then I'm a little confused and we'll have to look into this further.

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette