[Snort-devel] RHEL 6 with Snort 2.9.5.6-1 and PCRE 8.33 install issue (UNCLASSIFIED)

Wright, Jonathon S CTR (US) jonathon.s.wright.ctr at ...3464...
Fri Dec 27 18:19:26 EST 2013


Classification: UNCLASSIFIED
Caveats: NONE

Based on the ./configure --help on both the snort and pcre I think I need to
do this simple step:

1. PCRE 8.34 - Build and put it to a specific directory 
mkdir /usr/local/bin/snort/pcre834
./configure --prefix=/usr/local/bin/snort/pcre834 && make && make install


2. Snort 2.9.5.6-1 - Build and specify the pcre 8.34 libraries to use 
./configure --with-libpcre-libraries=/usr/local/bin/snort/pcre834 ...(etc.,
really long configure options) && make && make install


How's this look? Gonna do some backups, and some preparations, and then try
this out. 



-----Original Message-----
From: Hazen Valliant-Saunders [mailto:hazenvs at ...2499...] 
Sent: Friday, December 27, 2013 11:46 AM
To: Wright, Jonathon S CTR (US)
Subject: RE: [Snort-devel] RHEL 6 with Snort 2.9.5.6-1 and PCRE 8.33 install
issue (UNCLASSIFIED)

.config --with-pcre=/new/pcre/path I think? 

It's been a while since I have done this so best to read the man for the
details. 

Usually if you run ./config --help the proper syntax may be displayed. 

On Dec 27, 2013 4:40 PM, "Wright, Jonathon S CTR (US)"
<jonathon.s.wright.ctr at ...3464...> wrote:


	Classification: UNCLASSIFIED
	Caveats: NONE
	
	Thanks Hazen,
	
	It does appear that snort did pick up the old library path. I'll do some
	research for the .config 'linker' (ldconfig?) and see what I can find.
	Hopefully it's something simple. I think I just need to re ./configure, make,
	make install pcre and snort to point to same paths. Just need to figure out
	the 'how' part now. =)
	
	
	JW
	
	
	-----Original Message-----
	From: Hazen Valliant-Saunders [mailto:hazenvs at ...2499...]
	Sent: Friday, December 27, 2013 11:09 AM
	To: Wright, Jonathon S CTR (US)
	Subject: Re: [Snort-devel] RHEL 6 with Snort 2.9.5.6-1 and PCRE 8.33 install
	issue (UNCLASSIFIED)
	
	Sounds like you may have to run the linker after the pcre install.
	(Ldconfig) or reboot the install before installing snort also check your
	config arguments. (Your .config file may have picked up the old library path)
	
	Regards,
	Hazen
	
	On Dec 27, 2013 3:28 PM, "Wright, Jonathon S CTR (US)"
	<jonathon.s.wright.ctr at ...3464...> wrote:
	
	
	        Classification: UNCLASSIFIED
	        Caveats: NONE
	
	        Hey List,
	
	        Here is the goal, I'm trying to install snort 2.9.5.6-1 on a RHEL 6 with
	        pcre 8.33 (8.34 as of the 15th of this month).
	        Below are the details of the process I am doing and issues I'm running into.
	        At the end, I listed 5 questions I need help with.
	
	        I found one installation guide for RHEL 6 / snort 2.9.x on how to do this
	        and followed it for assistance:
	        http://www.procyonlabs.com/guides/rhel/snort_db_by2/
	
	
	        After completing the guide (minor modifications, but the theory of it was
	        followed), I did a simple version check of snort and its dependencies with a
	        "snort -V".
	        Snort returned this:
	
	        # snort -V
	
	           ,,_     -*> Snort! <*-
	          o"  )~   Version 2.9.5.6 GRE (Build 208)
	           ''''    By Martin Roesch & The Snort Team:
	        http://www.snort.org/snort/snort-team
	                   Copyright (C) 1998-2013 Sourcefire, Inc., et al.
	                   Using libpcap version 1.4.0
	                   Using PCRE version: 7.8 2008-09-05
	                   Using ZLIB version: 1.2.3
	
	        What caught my attention was the PCRE version, which is very old and has a
	        large number of release fixes / enhancements since 7.8, see here:
	        http://www.pcre.org/changelog.txt
	
	
	        On FreeBSD (which we are migrating from), the output of the "snort -V" is
	        the same, except PCRE version is correct showing this:
	        Using PCRE version: 8.33 2013-05-28
	
	        So I figured I'd download the 8.34 version from pcre and build from source
	        and rebuild snort. Snort still reflected the old pcre version.
	        I talked to Red Hat, they indicated that they baselined pcre at 7.8 for
	        RHEL6 OS and did not recommend / support it being overwritten (due to OS
	        binary dependencies such as grep).
	
	        So here are my 5 questions:
	
	        1. Is the guide I followed (above url) the best way to build snort or is
	        there a better guide? (has anyone else done RHEL 6 / snort 2.9.5.6 / pcre
	        8.33)
	        2. Why is snort not available for RHEL 6 as an rpm or provided in any RHEL
	        repository? This is going to be a maintenance nightmare if everything has to
	        be built from source every time a new version is released (we have large
	        number of servers).
	        3. What is the impact of not having pcre 8.34? (40% of our rules use pcre
	        expressions)
	        4. How do I compile / force snort to use the new pcre libraries if #3 above
	        is severe?
	        5. Can I have to leave 2 versions of pcre (one for OS and one for Snort) on
	        the OS? If so how do I repeat #4 above when a new version of snort / pcre
	        comes out?
	
	        If this should be on a different list also, let me know.
	
	        Any insight is appreciated.
	
	        JW
	
	
	
	
	
	        Classification: UNCLASSIFIED
	        Caveats: NONE
	
	
	
	
	
	
	
	Classification: UNCLASSIFIED
	Caveats: NONE
	
	
	


Classification: UNCLASSIFIED
Caveats: NONE
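
A post-build check for the two-step plan in this message, added here as an example and not part of the original thread: it parses `ldd` and `snort -V` output to show which libpcre the Snort binary resolves at run time and whether that library lives under the private prefix. The `lib` subdirectory under the prefix, the sample `ldd` lines and the 8.34 banner line are constructed for illustration; the 7.8 banner line is the one quoted in the thread.

```shell
#!/bin/sh
# Added example: check which PCRE a Snort build really uses.
# PCRE_PREFIX is the private prefix proposed in step 1 of the message.
PCRE_PREFIX=/usr/local/bin/snort/pcre834

# Read `ldd` output on stdin; print the path libpcre resolves to.
pcre_path_from_ldd() {
    awk '$1 ~ /^libpcre\.so/ && $2 == "=>" { print $3; exit }'
}

# Read a `snort -V` banner on stdin; print the PCRE version number.
pcre_version_from_banner() {
    sed -n 's/.*Using PCRE version: *\([0-9][0-9.]*\).*/\1/p'
}

# $1 = expected prefix, $2 = resolved path; succeeds only if path is under prefix.
pcre_under_prefix() {
    case "$2" in
        "$1"/*) return 0 ;;
        *)      return 1 ;;
    esac
}

# $1 = ldd output, $2 = banner text; prints a one-line verdict.
report() {
    path=$(printf '%s\n' "$1" | pcre_path_from_ldd)
    ver=$(printf '%s\n' "$2" | pcre_version_from_banner)
    if pcre_under_prefix "$PCRE_PREFIX" "$path"; then
        echo "OK pcre=$ver path=$path"
    else
        echo "MISMATCH pcre=$ver path=$path (expected under $PCRE_PREFIX)"
    fi
}

# Constructed samples: a binary that still resolves the OS library, and one
# that resolves the private build (addresses and the lib/ layout are assumed).
SAMPLE_LDD_SYSTEM='    libpcre.so.0 => /lib64/libpcre.so.0 (0x00007f0000000000)'
SAMPLE_LDD_PRIVATE='    libpcre.so.1 => /usr/local/bin/snort/pcre834/lib/libpcre.so.1 (0x00007f0000000000)'
SAMPLE_BANNER='           Using PCRE version: 7.8 2008-09-05'
SAMPLE_BANNER_NEW='           Using PCRE version: 8.34 2013-12-15'

# On a real host, replace the samples with live output:
#   report "$(ldd "$(command -v snort)")" "$(snort -V 2>&1)"
report "$SAMPLE_LDD_SYSTEM" "$SAMPLE_BANNER"
report "$SAMPLE_LDD_PRIVATE" "$SAMPLE_BANNER_NEW"
```

A MISMATCH verdict means the run-time loader is still picking the OS copy, which is a loader search-path matter (ldconfig or an rpath) separate from the configure options used at build time.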

