[Snort-users] (no subject)

Zultan zultan at ...13388...
Thu Apr 12 21:48:34 EDT 2007


Loading pcre 7 was no help.  Then discovered it was an ldconfig problem.

RedHat EL 3 has pcre 3.9 in /lib, and even though I built Snort against a newer version of pcre in /usr/local/lib, like this...

./configure --with-libpcap-includes=/usr/local/include --with-libpcap-libraries=/usr/local/lib \
    --with-libpcre-includes=/usr/local/include --with-libpcre-libraries=/usr/local/lib

It was apparently still loading libpcre from /lib, not /usr/local/lib.

Before...

ldd /usr/local/bin/snort
         libpcre.so.0 => /lib/libpcre.so.0 (0x004f6000)
         libm.so.6 => /lib/tls/libm.so.6 (0x00e6a000)
         libnsl.so.1 => /lib/libnsl.so.1 (0x007d9000)
         libc.so.6 => /lib/tls/libc.so.6 (0x00111000)
         /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x006c1000)

After putting /usr/local/bin on the first line in /etc/ld.so.conf and running ldconfig, Snort looks in /usr/local/lib.

ldd /usr/local/bin/snort
         libpcre.so.0 => /usr/local/lib/libpcre.so.0 (0x00549000)
         libm.so.6 => /lib/tls/libm.so.6 (0x00c7e000)
         libnsl.so.1 => /lib/libnsl.so.1 (0x00b35000)
         libc.so.6 => /lib/tls/libc.so.6 (0x00df2000)
         /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x009c2000)

Now Snort loads the new VRT rules.

But I wonder what I've broken in the meantime by having /usr/local/lib listed first in ld.so.conf?

Is there a unique LIBRARY_PATH variable for Snort, for him to use /usr/local/lib?

Z
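
For the question above about what else changes once /usr/local/lib is searched first, an added example (not part of the original message): a shell helper that compares two ldd listings and prints only the libraries whose resolved path moved. The function name changed_libs is an assumption of this example; the sample input is the two listings quoted above with leading whitespace trimmed.

```shell
#!/bin/sh
# Added example: compare two `ldd` listings and report libraries whose
# resolved path changed, e.g. before and after editing /etc/ld.so.conf.

# changed_libs BEFORE AFTER
#   BEFORE, AFTER: full text of `ldd <binary>` taken at two points in time.
#   Prints "<soname> <old path> -> <new path>" for each library that moved.
#   Load addresses in parentheses are ignored; they vary between runs.
changed_libs() {
    { printf '%s\n' "$1"; echo '---'; printf '%s\n' "$2"; } | awk '
        $1 == "---"       { second = 1; next }       # separator between listings
        $2 != "=>"        { next }                   # skip lines with no mapping
        !second           { before[$1] = $3; next }  # remember the first listing
        !($1 in before)   { print $1, "(absent)", "->", $3; next }
        before[$1] != $3  { print $1, before[$1], "->", $3 }'
}

# Sample input: the two listings quoted in this message.
LDD_BEFORE='libpcre.so.0 => /lib/libpcre.so.0 (0x004f6000)
libm.so.6 => /lib/tls/libm.so.6 (0x00e6a000)
libnsl.so.1 => /lib/libnsl.so.1 (0x007d9000)
libc.so.6 => /lib/tls/libc.so.6 (0x00111000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x006c1000)'

LDD_AFTER='libpcre.so.0 => /usr/local/lib/libpcre.so.0 (0x00549000)
libm.so.6 => /lib/tls/libm.so.6 (0x00c7e000)
libnsl.so.1 => /lib/libnsl.so.1 (0x00b35000)
libc.so.6 => /lib/tls/libc.so.6 (0x00df2000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x009c2000)'

# For Snort itself only libpcre.so.0 moved; the other mappings are unchanged.
changed_libs "$LDD_BEFORE" "$LDD_AFTER"

# Live use: capture `ldd <binary>` for each binary of interest before the
# ld.so.conf change and again after running ldconfig, then compare:
#   changed_libs "$before" "$after"
```

To scope the newer libpcre to Snort alone instead of changing the system-wide search order, the usual options are linking with an rpath (for example LDFLAGS="-Wl,-rpath,/usr/local/lib" at configure time) or setting LD_LIBRARY_PATH only in the environment that starts Snort.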


> ----- Original Message -----
> From: "Matthew Watchinski" <mwatchinski at ...1935...>
> To: Zultan <zultan at ...13388...>
> Subject: Re: [Snort-users] (no subject)
> Date: Thu, 12 Apr 2007 19:24:21 -0400
> 
> 
> Can you send in the following.
> 
> The output from "pcre-config --version"
> What version of snort you're running
> Did you compile snort from source?
> What OS are you on?
> The sid and rev of the rule on line 661,664,701
> Did you compile pcre from source?
> 
> We've had a couple emails on this and it looks like some platforms have
> a really old / broken libpcre on them that doesn't support named captures.
> 
> Something you can try is downloading the source packages for pcre from
> www.pcre.org and building and installing them.  Then rebuilding snort.
> 
> I've tested 6.5,6.6,7.0 and they all work when built from source.
> 
> Cheers,
> -matt
> 
> Zultan wrote:
> > When running #snort -Tc /etc/snort/snort.cong on the latest VRT rules
> > update (2007-04-10), pcre complains.  Here are the first 3 that fail.
> > There are many others that fail in web-client.rules.  My pcre version is
> > 6.6
> >
> >
> > ERROR: /etc/snort/web-client.rules(661) : pcre compile of 
> > "1([^>]\x00)*1(?P<q2>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)" failed at offset 15 : unrecognized character after 
> > (?
> > Fatal Error, Quitting..
> >
> > ERROR: /etc/snort/web-client.rules(664) : pcre compile of 
> > "1([^>]\x00)*1(?P<q2>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)" failed at offset 15 : unrecognized character after 
> > (?
> > Fatal Error, Quitting..
> >
> > ERROR: /etc/snort/web-client.rules(701) : pcre compile of 
> > "1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)" failed at offset 15 : unrecognized character after 
> > (?
> > Fatal Error, Quitting..
> >
> >
> > Z
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >