[Snort-devel] Possible bug in compiling snort 2.9.2.3

Valentin AVRAM valentin.avram at ...3295...
Tue Jun 19 11:41:13 EDT 2012


Hello.

While trying to compile snort 2.9.2.3 to be used as a sensor-only, I tried to disable all unnecessary features of it while keeping only the basic functionalities.

I'm running Gentoo Linux so I'm using the USE-flags made available by the distro's ebuild in order to select the features I need and drop those which I don't require.

The configure options the ebuild detects from my USE-flags are:


./configure --prefix=/usr --build=i686-pc-linux-gnu --host=i686-pc-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib --enable-shared --disable-static --disable-so-with-static-lib --enable-dynamicplugin --enable-zlib --disable-gre --disable-mpls --disable-targetbased --enable-decoder-preprocessor-rules --disable-ppm --enable-perfprofiling --enable-linux-smp-stats --disable-inline-init-failopen --enable-pthread --disable-debug --disable-debug-msgs --disable-corefiles --enable-dlclose --disable-active-response --disable-normalizer --disable-reload-error-restart --disable-react --disable-flexresp3 --enable-paf --disable-large-pcap --disable-aruba --without-mysql --without-odbc --without-postgresql --enable-ipv6 --enable-reload --disable-prelude --disable-build-dynamic-examples --disable-profile --disable-ppm-test --disable-intel-soft-cpm --disable-static-daq --disable-rzb-saac --without-oracle

As seen, I decided to disable active-response since it is a basic sensor, not used in inline mode.

The configure is successful. However, when running make, the compilation fails with the following error:

/bin/sh ../libtool --tag=CC   --mode=link i686-pc-linux-gnu-gcc  -O2 -march=i686 -pipe -fomit-frame-pointer -DSF_VISIBILITY -fvisibility=hidden -fno-strict-aliasing -Wall  -Wl,-O1 -Wl,--as-needed -L/usr/lib -lpcre -L/usr/lib -ldnet -o snort debug.o decode.o encode.o active.o log.o mstring.o parser.o profiler.o plugbase.o snort.o  strlcatu.o strlcpyu.o tag.o util.o detect.o signature.o mempool.o sf_sdlist.o fpcreate.o fpdetect.o pcrm.o byte_extract.o sfthreshold.o packet_time.o event_wrapper.o event_queue.o ppm.o log_text.o detection_filter.o detection_util.o rate_filter.o obfuscation.o sfdaq.o idle_processing.o output-plugins/libspo.a detection-plugins/libspd.a dynamic-plugins/libdynamic.a preprocessors/libspp.a parser/libparser.a target-based/libtarget_based.a preprocessors/HttpInspect/libhttp_inspect.a preprocessors/Stream5/libstream5.a sfutil/libsfutil.a control/libsfcontrol.a -lz -ldnet -lpcre -lpcap -lnsl -luuid -lm -lm  -ldl -ldaq -lz -lpthread -lpthread
libtool: link: i686-pc-linux-gnu-gcc -O2 -march=i686 -pipe -fomit-frame-pointer -DSF_VISIBILITY -fvisibility=hidden -fno-strict-aliasing -Wall -Wl,-O1 -o snort debug.o decode.o encode.o active.o log.o mstring.o parser.o profiler.o plugbase.o snort.o strlcatu.o strlcpyu.o tag.o util.o detect.o signature.o mempool.o sf_sdlist.o fpcreate.o fpdetect.o pcrm.o byte_extract.o sfthreshold.o packet_time.o event_wrapper.o event_queue.o ppm.o log_text.o detection_filter.o detection_util.o rate_filter.o obfuscation.o sfdaq.o idle_processing.o  -Wl,--as-needed -L/usr/lib output-plugins/libspo.a detection-plugins/libspd.a dynamic-plugins/libdynamic.a preprocessors/libspp.a parser/libparser.a target-based/libtarget_based.a preprocessors/HttpInspect/libhttp_inspect.a preprocessors/Stream5/libstream5.a sfutil/libsfutil.a control/libsfcontrol.a /usr/lib/libdnet.so -lpcre -lpcap -lnsl -luuid -lm /usr/lib/libdaq.so -ldl -lz -lpthread
dynamic-plugins/libdynamic.a(sf_dynamic_plugins.o): In function `DynamicSendBlockResponseMsg':
sf_dynamic_plugins.c:(.text+0x934): undefined reference to `Active_SendData'
dynamic-plugins/libdynamic.a(sf_dynamic_plugins.o): In function `DynamicActiveSetEnabled':
sf_dynamic_plugins.c:(.text+0xa17): undefined reference to `Active_SetEnabled'
collect2: ld returned 1 exit status

My question now is the following:
Am I using a bad combination of flags? Why does dynamic_plugins need active-response which I explicitly disabled? And if the flag combination is wrong, why did the configure let me use it?
(for instance, the Gentoo ebuild does not allow me to disable the "dynamic_plugins" USE-flag since I have enabled the "zlib" USE-flag which allows for analysis of compressed HTTP connections)

If the combination of flags is right, then it's a bug in the source code.

I have submitted Gentoo bug #421775 ( https://bugs.gentoo.org/show_bug.cgi?id=421775 ) and also attached there a patch which allows the two functions (Active_SetEnabled and Active_SendData) to be visible and just do nothing if active-response is disabled.

However, since it's the first time I'm looking at Snort source code, I'm not entirely sure the two Active_ functions should just do nothing; that is, I'm not sure whether the caller functions expect changes in the data they send to the Active_ functions. So that patch only allows the code to compile, but that may break functionality.

Please have a look at this issue and tell me if I'm using the wrong flag combination, if there is a bug in the code, or if the patch should produce a working snort binary.

Thank you for your time.
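
Added example, not part of the original post and not Snort's code: one way to keep symbols like Active_SetEnabled and Active_SendData linkable when the feature is compiled out, while still letting always-built callers see that nothing was done. The demo_* names, the DEMO_ACTIVE_RESPONSE macro and all signatures are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names throughout; none of these are Snort's real prototypes.
 * DEMO_ACTIVE_RESPONSE stands in for what --enable-active-response defines.
 * It is left undefined here, matching the failing build. */
enum { DEMO_OK = 0, DEMO_NOT_DONE = -1 };

#ifdef DEMO_ACTIVE_RESPONSE
static int demo_enabled;
static size_t demo_bytes_sent;
int demo_active_set_enabled(int on) { demo_enabled = (on != 0); return DEMO_OK; }
int demo_active_send_data(const uint8_t *buf, size_t len)
{
    if (!demo_enabled || buf == NULL) return DEMO_NOT_DONE;
    demo_bytes_sent += len;           /* a real build would inject packets */
    return DEMO_OK;
}
#else
/* Feature compiled out: the symbols still exist, so always-built callers
 * link, but they report that nothing happened instead of claiming success. */
int demo_active_set_enabled(int on) { (void)on; return DEMO_NOT_DONE; }
int demo_active_send_data(const uint8_t *buf, size_t len)
{
    (void)buf; (void)len;
    return DEMO_NOT_DONE;
}
#endif

/* Stand-ins for the always-compiled plugin wrappers named in the linker
 * error. Each passes the outcome up so a plugin can tell a no-op from a send. */
int demo_dynamic_active_set_enabled(int on)
{
    return demo_active_set_enabled(on) == DEMO_OK;   /* 1 = now active */
}

size_t demo_dynamic_send_block_response(const uint8_t *msg, size_t len)
{
    if (msg == NULL || len == 0) return 0;
    return demo_active_send_data(msg, len) == DEMO_OK ? len : 0;  /* bytes sent */
}

int main(void)
{
    static const uint8_t page[] = "HTTP/1.1 403 Forbidden\r\n\r\n"; /* constructed */
    int on = demo_dynamic_active_set_enabled(1);
    size_t sent = demo_dynamic_send_block_response(page, sizeof page - 1);
    printf("enabled=%d sent=%zu\n", on, sent);
    return 0;
}
```

Building the same file with -DDEMO_ACTIVE_RESPONSE exercises the other branch, so both configurations can be link-tested.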

