Snort mailing list archives

Re: Snort with OpenAppID and inline NFQ DAQ on Alpine Linux


From: "Joel Esler (jesler) via Snort-devel" <snort-devel () lists snort org>
Date: Fri, 9 Aug 2019 18:42:01 +0000

Check this out Matt:

https://www.snort.org/documents/snort-supported-oses



Sent from my iPad

On Aug 9, 2019, at 11:40, Matt Cooper <matt.cooper () veeasystems com> wrote:


I am trying to run Snort 2.9.14 (with OpenAppID and inline NFQ DAQ) on Alpine Linux (v3.10). In order to get round 
some build problems with Snort I’ve added the libtirpc package (updating the CFLAGS & LDFLAGS accordingly) and built 
with the flags --enable-open-appid --enable-sourcefire.
 
Snort version info is:
 
   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.14 GRE (Build 15003)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2019 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.9.0-PRE-GIT (with TPACKET_V3)
           Using PCRE version: 8.43 2019-02-23
           Using ZLIB version: 1.2.11
 
It appears that the DAQ NFQ is set up correctly:
 
Available DAQ modules:
pcap(v3): readback live multi unpriv
nfq(v7): live inline multi
ipfw(v3): live inline multi unpriv
dump(v3): readback live inline multi unpriv
afpacket(v5): live inline multi unpriv
 
When I run Snort there is a problem with the dynamic pre-processor, which can’t find some symbols (getrpcent & 
endrpcent) the shared object libsf_appid_preproc.so needs to locate. These functions are defined in the (Sun) RPC 
library that’s part of glibc, but because Alpine uses musl libc which doesn’t include the (Sun) RPC library, libtirpc 
is being used as a replacement for it.
 
This is the output from running Snort:
 
# snort -A full -hqsQ -c /etc/snort/snort.conf --daq-dir=/usr/local/lib/daq -K ascii
Running in IDS mode
 
        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/snort.conf"
PortVar 'HTTP_PORTS' defined :  [ 80:81 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 
4848 5250 6988 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180:8181 8243 
8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999 11371 34443:34444 41080 50002 55555 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
PortVar 'SSH_PORTS' defined :  [ 22 ]
PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
PortVar 'SIP_PORTS' defined :  [ 5060:5061 5600 ]
PortVar 'FILE_DATA_PORTS' defined :  [ 80:81 110 143 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 
3702 4343 4848 5250 6988 7000:7001 7144:7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 
8180:8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999 11371 34443:34444 41080 50002 55555 ]
PortVar 'GTP_PORTS' defined :  [ 2123 2152 3386 ]
Detection:
   Search-Method = AC-Full-Q
    Split Any/Any group = enabled
    Search-Method-Optimizations = enabled
    Maximum pattern length = 20
Tagged Packet Limit: 256
Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules...
WARNING: No dynamic libraries found in directory /usr/local/lib/snort_dynamicrules.
  Finished Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules
Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_appid_preproc.so... ERROR: 
Failed to load /usr/local/lib/snort_dynamicpreprocessor//libsf_appid_preproc.so: Error relocating 
/usr/local/lib/snort_dynamicpreprocessor//libsf_appid_preproc.so: endrpcent: symbol not found
Fatal Error, Quitting.
 
The shared object dependencies for libsf_appid_preproc.so are:
 
# ldd /usr/local/lib/snort_dynamicpreprocessor/libsf_appid_preproc.so.0.0.0
                /lib/ld-musl-aarch64.so.1 (0xffff9b671000)
                libluajit-5.1.so.2 => /usr/lib/libluajit-5.1.so.2 (0xffff9b032000)
                libpcre.so.1 => /usr/lib/libpcre.so.1 (0xffff9afcf000)
                libcrypto.so.1.1 => /lib/libcrypto.so.1.1 (0xffff9ad84000)
                libc.musl-aarch64.so.1 => /lib/ld-musl-aarch64.so.1 (0xffff9b671000)
                libgcc_s.so.1 => /usr/lib/libgcc_s.so.1 (0xffff9ad62000)
Error relocating /usr/local/lib/snort_dynamicpreprocessor/libsf_appid_preproc.so.0.0.0: endrpcent: symbol not found
Error relocating /usr/local/lib/snort_dynamicpreprocessor/libsf_appid_preproc.so.0.0.0: getrpcent: symbol not found
 
How can I resolve this issue? Is Alpine Linux a supported distro for Snort?
When I build without the --enable-open-appid flag, Snort runs as expected.
 
Many thanks,
Matt
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
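The loader output quoted above is the whole diagnostic: musl's dynamic linker names each unresolved import, and the ldd listing shows which libraries the preprocessor actually links. The following script, added here as an example and not code from the thread or from the Snort project, parses both kinds of lines and reports, for each missing symbol, whether it is one of the Sun RPC routines that glibc ships in libc but musl leaves to libtirpc, and whether a libtirpc soname appears among the resolved dependencies. The sample input is the thread's own ldd output; the set of Sun RPC symbol names and the assumption that libtirpc's soname starts with "libtirpc" are mine.

```python
import re
from typing import Dict, List

# Sample input: the ldd and relocation-error lines quoted in the thread above.
SAMPLE_OUTPUT = """\
                /lib/ld-musl-aarch64.so.1 (0xffff9b671000)
                libluajit-5.1.so.2 => /usr/lib/libluajit-5.1.so.2 (0xffff9b032000)
                libpcre.so.1 => /usr/lib/libpcre.so.1 (0xffff9afcf000)
                libcrypto.so.1.1 => /lib/libcrypto.so.1.1 (0xffff9ad84000)
                libc.musl-aarch64.so.1 => /lib/ld-musl-aarch64.so.1 (0xffff9b671000)
                libgcc_s.so.1 => /usr/lib/libgcc_s.so.1 (0xffff9ad62000)
Error relocating /usr/local/lib/snort_dynamicpreprocessor/libsf_appid_preproc.so.0.0.0: endrpcent: symbol not found
Error relocating /usr/local/lib/snort_dynamicpreprocessor/libsf_appid_preproc.so.0.0.0: getrpcent: symbol not found
"""

# musl's loader prints one "Error relocating <object>: <symbol>: symbol not found" per unresolved import.
RELOC_RE = re.compile(r"^Error relocating (?P<obj>\S+): (?P<sym>\w+): symbol not found$")
# ldd prints resolved dependencies as "<soname> => <path> (<load address>)".
DEP_RE = re.compile(r"^\s*(?P<soname>\S+) => (?P<path>\S+) \(0x[0-9a-f]+\)$")

# Assumption: these are the Sun RPC entry points that glibc provides in libc itself
# and that musl-based systems get only from libtirpc.
SUNRPC_SYMBOLS = {"getrpcent", "endrpcent", "setrpcent", "getrpcbyname", "getrpcbynumber"}
# Assumption: libtirpc's soname starts with this prefix (e.g. libtirpc.so.3).
SUNRPC_PROVIDER_PREFIX = "libtirpc"


def missing_symbols(output: str) -> List[str]:
    """Return the sorted set of symbols the loader could not resolve."""
    found = {m.group("sym") for m in map(RELOC_RE.match, output.splitlines()) if m}
    return sorted(found)


def resolved_deps(output: str) -> Dict[str, str]:
    """Return soname -> path for every dependency ldd resolved."""
    deps: Dict[str, str] = {}
    for line in output.splitlines():
        m = DEP_RE.match(line)
        if m:
            deps[m.group("soname")] = m.group("path")
    return deps


def diagnose(output: str) -> Dict[str, str]:
    """Map each missing symbol to a one-line explanation of the likely cause."""
    deps = resolved_deps(output)
    tirpc_linked = any(so.startswith(SUNRPC_PROVIDER_PREFIX) for so in deps)
    result: Dict[str, str] = {}
    for sym in missing_symbols(output):
        if sym not in SUNRPC_SYMBOLS:
            result[sym] = "not a known Sun RPC symbol; find the library that should define it"
        elif tirpc_linked:
            result[sym] = "Sun RPC symbol; libtirpc is linked but does not export it"
        else:
            result[sym] = "Sun RPC symbol; object is not linked against libtirpc (add -ltirpc to LDFLAGS)"
    return result


if __name__ == "__main__":
    for sym, why in diagnose(SAMPLE_OUTPUT).items():
        print(f"{sym}: {why}")
```

Run against the thread's output it reports both symbols as Sun RPC routines with no libtirpc among the resolved dependencies, which is the check to make before touching the build: the DSO's own link line, not only Snort's CFLAGS and LDFLAGS, has to carry -ltirpc for the relocation to succeed on musl.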


