[Snort-devel] Possible bug in compiling snort 2.9.2.3

Steven Sturges steve.sturges at ...402...
Thu Jul 19 11:34:29 EDT 2012


Hi Valentin--

2.9.3 was already packaged up and with our test group.  Given that there 
is a work-around, the changes for this issue didn't make the
2.9.3 release.

The changes are already in for the next patch release of Snort,
so you should see it there.

Cheers.
-steve

On 7/19/12 4:51 AM, Valentin Avram wrote:
> Hello.
>
> Since snort 2.9.3.0 has been released, I decided to check if this issue has been fixed.
>
> Couldn't find anything in the Changelog about this issue (there is an issue referring to compilation error when active response is disabled, but it was part of snort 2.9.1).
>
> So I downloaded the source of 2.9.3.0, fixed the ./configure (since snort no longer supports outputs to databases, aruba or prelude), and the compilation still fails.
>
> New ./configure:
> ./configure --prefix=/usr --build=i686-pc-linux-gnu --host=i686-pc-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib --enable-shared --disable-static --disable-so-with-static-lib --enable-dynamicplugin --enable-zlib --disable-gre --disable-mpls --disable-targetbased --disable-ppm --enable-perfprofiling --enable-linux-smp-stats --disable-inline-init-failopen --enable-pthread --disable-debug --disable-debug-msgs --disable-corefiles --enable-dlclose --disable-active-response --disable-normalizer --disable-reload-error-restart --disable-react --disable-flexresp3 --enable-paf --disable-large-pcap --disable-ipv6 --enable-reload --disable-build-dynamic-examples --disable-profile --disable-ppm-test --disable-intel-soft-cpm --disable-static-daq --disable-rzb-saac
>
> Error compiling:
> /bin/sh ../libtool --tag=CC   --mode=link i686-pc-linux-gnu-gcc  -g -O2 -DSF_VISIBILITY -fvisibility=hidden -fno-strict-aliasing -Wall  -lpcre -L/usr/lib -ldnet -o snort debug.o decode.o encode.o active.o log.o mstring.o parser.o profiler.o plugbase.o snort.o  strlcatu.o strlcpyu.o tag.o util.o detect.o signature.o mempool.o sf_sdlist.o fpcreate.o fpdetect.o pcrm.o byte_extract.o sfthreshold.o packet_time.o event_wrapper.o event_queue.o ppm.o log_text.o detection_filter.o detection_util.o rate_filter.o obfuscation.o sfdaq.o idle_processing.o output-plugins/libspo.a detection-plugins/libspd.a dynamic-plugins/libdynamic.a dynamic-output/plugins/liboutput.a preprocessors/libspp.a parser/libparser.a target-based/libtarget_based.a preprocessors/HttpInspect/libhttp_inspect.a preprocessors/Stream5/libstream5.a sfutil/libsfutil.a control/libsfcontrol.a -lz -ldnet -lpcre -lpcap -lnsl -luuid -lm -lm  -ldl -ldaq -lz -lpthread -lpthread
> libtool: link: i686-pc-linux-gnu-gcc -g -O2 -DSF_VISIBILITY -fvisibility=hidden -fno-strict-aliasing -Wall -o snort debug.o decode.o encode.o active.o log.o mstring.o parser.o profiler.o plugbase.o snort.o strlcatu.o strlcpyu.o tag.o util.o detect.o signature.o mempool.o sf_sdlist.o fpcreate.o fpdetect.o pcrm.o byte_extract.o sfthreshold.o packet_time.o event_wrapper.o event_queue.o ppm.o log_text.o detection_filter.o detection_util.o rate_filter.o obfuscation.o sfdaq.o idle_processing.o  -L/usr/lib output-plugins/libspo.a detection-plugins/libspd.a dynamic-plugins/libdynamic.a dynamic-output/plugins/liboutput.a preprocessors/libspp.a parser/libparser.a target-based/libtarget_based.a preprocessors/HttpInspect/libhttp_inspect.a preprocessors/Stream5/libstream5.a sfutil/libsfutil.a control/libsfcontrol.a -ldnet -lpcre -lpcap -lnsl -luuid -lm /usr/lib/libdaq.so -ldl -lz -lpthread
> dynamic-plugins/libdynamic.a(sf_dynamic_plugins.o): In function `DynamicSendBlockResponseMsg':
> /home/knight/Desktop/tempview/snort-2.9.3/src/dynamic-plugins/sf_dynamic_plugins.c:1559: undefined reference to `Active_SendData'
> dynamic-plugins/libdynamic.a(sf_dynamic_plugins.o): In function `DynamicActiveSetEnabled':
> /home/knight/Desktop/tempview/snort-2.9.3/src/dynamic-plugins/sf_dynamic_plugins.c:1452: undefined reference to `Active_SetEnabled'
> collect2: ld returned 1 exit status
> make[3]: *** [snort] Error 1
> make[3]: Leaving directory `/home/knight/Desktop/tempview/snort-2.9.3/src'
> make[2]: *** [all-recursive] Error 1
> make[2]: Leaving directory `/home/knight/Desktop/tempview/snort-2.9.3/src'
> make[1]: *** [all-recursive] Error 1
> make[1]: Leaving directory `/home/knight/Desktop/tempview/snort-2.9.3'
> make: *** [all] Error 2
>
> So, as I asked in my previous email: Any news about a patch to fix this issue? Or an estimation on how long will it take or the snort version the patch will be part of?
>
> Thank you for your time.
>
>
> On 06/29/12 11:25, Valentin Avram wrote:
>> Hello.
>>
>> Any news about a patch to fix this issue? Or an estimation on how long
>> will it take or the snort version the patch will be part of?
>>
>> Thank you for your time.
>>
>> On 06/19/12 21:30, Russ Combs wrote:
>>> That's a bug.  Thanks for reporting it.
>>>
>>> On Tue, Jun 19, 2012 at 11:41 AM, Valentin AVRAM
>>> <valentin.avram at ...3295...> wrote:
>>>
>>>     Hello.
>>>
>>>     While trying to compile snort 2.9.2.3 to be used as a
>>>     sensor-only, I tried to disable all unnecessary features of it
>>>     while keeping only the basic functionalities.
>>>
>>>     I'm running Gentoo Linux so I'm using the USE-flags made
>>>     available by the distro's ebuild in order to select the features
>>>     I need and drop those which I don't require.
>>>
>>>     The configure options the ebuild detects from my USE-flags are:
>>>
>>>     ./configure --prefix=/usr --build=i686-pc-linux-gnu --host=i686-pc-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib --enable-shared --disable-static --disable-so-with-static-lib --enable-dynamicplugin --enable-zlib --disable-gre --disable-mpls --disable-targetbased --enable-decoder-preprocessor-rules --disable-ppm --enable-perfprofiling --enable-linux-smp-stats --disable-inline-init-failopen --enable-pthread --disable-debug --disable-debug-msgs --disable-corefiles --enable-dlclose --disable-active-response --disable-normalizer --disable-reload-error-restart --disable-react --disable-flexresp3 --enable-paf --disable-large-pcap --disable-aruba --without-mysql --without-odbc --without-postgresql --enable-ipv6 --enable-reload --disable-prelude --disable-build-dynamic-examples --disable-profile --disable-ppm-test --disable-intel-soft-cpm --disable-static-daq --disable-rzb-saac --without-oracle
>>>
>>>     As seen, I decided to disable active-response since it is a basic
>>>     sensor, not used in inline mode.
>>>
>>>     The configure is successful. However, when running make, the
>>>     compilation fails with the following error:
>>>
>>>     /bin/sh ../libtool --tag=CC   --mode=link i686-pc-linux-gnu-gcc  -O2 -march=i686 -pipe -fomit-frame-pointer -DSF_VISIBILITY -fvisibility=hidden -fno-strict-aliasing -Wall  -Wl,-O1 -Wl,--as-needed -L/usr/lib -lpcre -L/usr/lib -ldnet -o snort debug.o decode.o encode.o active.o log.o mstring.o parser.o profiler.o plugbase.o snort.o  strlcatu.o strlcpyu.o tag.o util.o detect.o signature.o mempool.o sf_sdlist.o fpcreate.o fpdetect.o pcrm.o byte_extract.o sfthreshold.o packet_time.o event_wrapper.o event_queue.o ppm.o log_text.o detection_filter.o detection_util.o rate_filter.o obfuscation.o sfdaq.o idle_processing.o output-plugins/libspo.a detection-plugins/libspd.a dynamic-plugins/libdynamic.a preprocessors/libspp.a parser/libparser.a target-based/libtarget_based.a preprocessors/HttpInspect/libhttp_inspect.a preprocessors/Stream5/libstream5.a sfutil/libsfutil.a control/libsfcontrol.a -lz -ldnet -lpcre -lpcap -lnsl -luuid -lm -lm  -ldl -ldaq -lz -lpthread -lpthread
>>>     libtool: link: i686-pc-linux-gnu-gcc -O2 -march=i686 -pipe -fomit-frame-pointer -DSF_VISIBILITY -fvisibility=hidden -fno-strict-aliasing -Wall -Wl,-O1 -o snort debug.o decode.o encode.o active.o log.o mstring.o parser.o profiler.o plugbase.o snort.o strlcatu.o strlcpyu.o tag.o util.o detect.o signature.o mempool.o sf_sdlist.o fpcreate.o fpdetect.o pcrm.o byte_extract.o sfthreshold.o packet_time.o event_wrapper.o event_queue.o ppm.o log_text.o detection_filter.o detection_util.o rate_filter.o obfuscation.o sfdaq.o idle_processing.o  -Wl,--as-needed -L/usr/lib output-plugins/libspo.a detection-plugins/libspd.a dynamic-plugins/libdynamic.a preprocessors/libspp.a parser/libparser.a target-based/libtarget_based.a preprocessors/HttpInspect/libhttp_inspect.a preprocessors/Stream5/libstream5.a sfutil/libsfutil.a control/libsfcontrol.a /usr/lib/libdnet.so -lpcre -lpcap -lnsl -luuid -lm /usr/lib/libdaq.so -ldl -lz -lpthread
>>>     dynamic-plugins/libdynamic.a(sf_dynamic_plugins.o): In function `DynamicSendBlockResponseMsg':
>>>     sf_dynamic_plugins.c:(.text+0x934): undefined reference to `Active_SendData'
>>>     dynamic-plugins/libdynamic.a(sf_dynamic_plugins.o): In function `DynamicActiveSetEnabled':
>>>     sf_dynamic_plugins.c:(.text+0xa17): undefined reference to `Active_SetEnabled'
>>>     collect2: ld returned 1 exit status
>>>
>>>     My question now is the following:
>>>     Am I using a bad combination of flags? Why does dynamic_plugins need active-response which I explicitly disabled? And if the flag combination is wrong, why did the configure let me use it?
>>>
>>>     (for instance, the Gentoo ebuild does not allow me to disable the "dynamic_plugins" USE-flag since I have enabled the "zlib" USE-flag which allows for analysis of compressed HTTP connections)
>>>
>>>     If the combination of flags is right, then it's a bug in the source code.
>>>
>>>
>>>     I have submitted Gentoo bug #421775 (https://bugs.gentoo.org/show_bug.cgi?id=421775) and also attached there a patch which allows the two functions (Active_SetEnabled and Active_SendData) to be visible and just do nothing if active-response is disabled.
>>>
>>>
>>>     However, since it's the first time I'm looking at Snort source code I'm not entirely sure the two Active_ functions should just do nothing, that is I'm not sure that the caller functions expect changes in the data they send to the Active_ functions, so that patch only allows the code to compile, but that may break functionality.
>>>
>>>
>>>     Please have a look at this issue and tell me if I'm using the wrong flag combination, or there is a bug in the code or if the patch should produce a working snort binary.
>>>
>>>     Thank you for your time.
>>>
>>
>
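An added illustration of the stub approach raised in this thread (not code from Snort, from the Gentoo patch, or from any poster): when a feature is compiled out, the symbols stay defined so unconditional callers still link, and the stub reports failure so a caller cannot mistake a no-op for a sent response. The function signatures, the `DEMO_ACTIVE_RESPONSE` macro, the `ACTIVE_*` status codes and `Active_IsCompiledIn` are assumptions made for the example.

```c
/* Added illustration, not Snort source: signatures are simplified assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ACTIVE_OK            0
#define ACTIVE_UNAVAILABLE (-1)

/* DEMO_ACTIVE_RESPONSE is a hypothetical macro standing in for whatever the
 * build defines when active response is enabled at configure time. */
#ifdef DEMO_ACTIVE_RESPONSE
static int active_enabled;
void Active_SetEnabled(int on) { active_enabled = on; }
int Active_SendData(const uint8_t *buf, size_t len)
{
    if (!active_enabled || buf == NULL || len == 0)
        return ACTIVE_UNAVAILABLE;
    /* a real build would hand the bytes to the packet injector here */
    return ACTIVE_OK;
}
int Active_IsCompiledIn(void) { return 1; }   /* hypothetical helper */
#else
/* Feature disabled: keep the symbols so unconditional callers still link,
 * but report failure instead of silently pretending the send worked. */
void Active_SetEnabled(int on) { (void)on; }
int Active_SendData(const uint8_t *buf, size_t len)
{
    (void)buf; (void)len;
    return ACTIVE_UNAVAILABLE;
}
int Active_IsCompiledIn(void) { return 0; }   /* hypothetical helper */
#endif

/* Stand-in for a wrapper that is compiled regardless of the feature flag.
 * Returns 1 only if the block message was actually sent. */
int DynamicSendBlockResponseMsg(const uint8_t *msg, size_t len)
{
    Active_SetEnabled(1);
    return Active_SendData(msg, len) == ACTIVE_OK ? 1 : 0;
}

int main(void)
{
    static const uint8_t msg[] = "blocked";   /* constructed sample payload */
    printf("active response compiled in: %d\n", Active_IsCompiledIn());
    printf("block message sent: %d\n",
           DynamicSendBlockResponseMsg(msg, sizeof msg - 1));
    return 0;
}
```

Building with `-DDEMO_ACTIVE_RESPONSE` selects the enabled branch; without it the stubs are used and the wrapper returns 0.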