[Snort-devel] RHEL 6 with Snort 2.9.5.6-1 and PCRE 8.33 install issue (UNCLASSIFIED)

Wright, Jonathon S CTR (US) jonathon.s.wright.ctr at ...3464...
Fri Dec 27 15:24:44 EST 2013


Classification: UNCLASSIFIED
Caveats: NONE

Hey List, 

Here is the goal: I'm trying to install snort 2.9.5.6-1 on RHEL 6 with
pcre 8.33 (8.34 as of the 15th of this month).
Below are the details of the process I am doing and issues I'm running into.
At the end, I listed 5 questions I need help with.

I found one installation guide for RHEL 6 / snort 2.9.x on how to do this
and followed it for assistance:
http://www.procyonlabs.com/guides/rhel/snort_db_by2/


After completing the guide (minor modifications, but the theory of it was
followed), I did a simple version check of snort and its dependencies with a
"snort -V". 
Snort returned this:

# snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.5.6 GRE (Build 208)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.4.0
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.3

What caught my attention was the PCRE version, which is very old and has a
large number of release fixes / enhancements since 7.8, see here:
http://www.pcre.org/changelog.txt


On FreeBSD (which we are migrating from), the output of "snort -V" is
the same, except the PCRE version is correct, showing this:
Using PCRE version: 8.33 2013-05-28

So I figured I'd download the 8.34 version from pcre, build it from source,
and rebuild snort. Snort still reflected the old pcre version.
I talked to Red Hat; they indicated that they baselined pcre at 7.8 for the
RHEL 6 OS and did not recommend / support it being overwritten (due to OS
binary dependencies such as grep).

So here are my 5 questions:

1. Is the guide I followed (above url) the best way to build snort or is
there a better guide? (has anyone else done RHEL 6 / snort 2.9.5.6 / pcre
8.33)
2. Why is snort not available for RHEL 6 as an rpm or provided in any RHEL
repository? This is going to be a maintenance nightmare if everything has to
be built from source every time a new version is released (we have a large
number of servers).
3. What is the impact of not having pcre 8.34? (40% of our rules use pcre
expressions)
4. How do I compile / force snort to use the new pcre libraries if #3 above
is severe?
5. Can I have 2 versions of pcre (one for the OS and one for Snort) on
the OS? If so, how do I repeat #4 above when a new version of snort / pcre
comes out?

If this should be on a different list also, let me know. 

Any insight is appreciated.

JW 
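As an added example (not part of the original post and not the Snort project's own code), here is one way to approach questions 4 and 5 without overwriting the RHEL-supplied pcre 7.8: build the newer PCRE into its own prefix, point Snort's configure script at that prefix with its --with-libpcre-includes / --with-libpcre-libraries options, bake an rpath into the snort binary so it loads that copy at run time, and then verify the result from "snort -V" and "ldd" output. The install prefix /opt/pcre-8.34 and the sample program outputs are assumptions constructed for the example; the build commands are only printed by the script so it can be sourced and checked on a machine without the sources present.

```shell
#!/bin/sh
# Added example: keep a private PCRE for Snort next to the distro's pcre 7.8.
# Assumed locations; adjust PCRE_PREFIX to taste.
PCRE_PREFIX="${PCRE_PREFIX:-/opt/pcre-8.34}"

# Commands to build PCRE from its source tree into a private prefix, so the
# OS copy in /lib64 (used by grep and friends) is never touched.
pcre_build_cmds() {
    prefix="$1"
    printf '%s\n' \
        "./configure --prefix=$prefix" \
        "make && make install"
}

# Snort's configure line: headers and libraries from the private prefix,
# plus an rpath so the snort binary resolves that libpcre at run time
# without LD_LIBRARY_PATH tricks or /etc/ld.so.conf changes.
snort_configure_cmd() {
    prefix="$1"
    printf './configure --with-libpcre-includes=%s/include --with-libpcre-libraries=%s/lib LDFLAGS="-Wl,-rpath,%s/lib"\n' \
        "$prefix" "$prefix" "$prefix"
}

# Pull the PCRE version out of "snort -V" text read on stdin.
# Real use: snort -V 2>&1 | snort_pcre_version
snort_pcre_version() {
    sed -n 's/.*Using PCRE version: \([0-9][0-9.]*\).*/\1/p'
}

# Check "ldd /usr/local/bin/snort" output (passed as $2) to confirm libpcre
# resolves under the private prefix rather than the distro's /lib64 copy.
# Real use: snort_links_private_pcre "$PCRE_PREFIX" "$(ldd /usr/local/bin/snort)"
snort_links_private_pcre() {
    prefix="$1"
    ldd_output="$2"
    printf '%s\n' "$ldd_output" | grep -q "libpcre\.so.* => $prefix/lib/"
}

# Constructed sample outputs for an offline check. The first line mirrors the
# banner quoted in the post; the ldd lines are made up for the example.
SAMPLE_SNORT_V_OLD='           Using PCRE version: 7.8 2008-09-05'
SAMPLE_LDD_OK="        libpcre.so.1 => $PCRE_PREFIX/lib/libpcre.so.1 (0x00007f0000000000)"
SAMPLE_LDD_BAD='        libpcre.so.0 => /lib64/libpcre.so.0 (0x00007f0000000000)'

# Print the two build steps when run directly (nothing is executed).
if [ "${PRINT_STEPS:-0}" = 1 ]; then
    echo "# in the pcre source tree:"; pcre_build_cmds "$PCRE_PREFIX"
    echo "# in the snort source tree:"; snort_configure_cmd "$PCRE_PREFIX"
fi
```

Run with PRINT_STEPS=1 to see the two configure invocations; after installing Snort, the two check functions tell you whether the rebuilt binary actually picked up the private library, which is exactly the symptom in the post (the banner still saying 7.8 after a rebuild means configure found the system pcre first). Repeating the process for a new Snort or PCRE release is then a matter of building the new PCRE into a fresh prefix and re-running configure with that prefix.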
