[Snort-users] Phil Wood Libpcap Installation Problems

Darryl Taylor darryl.taylor at ...1935...
Thu Feb 1 13:13:13 EST 2007


Just helped someone else with this problem. CentOS doesn't install bison
by default. If you look at your configure output for libpcap you will
note that it uses lex/yacc instead of flex/bison. Ensure flex and bison
are installed and you should be good to go. Let me know if that doesn't
work and I will work on it.


Darryl Taylor
Security Engineer
SOURCEfire

Fingerprint: AEA7 16DB 2DC3 0C3E 43A9 F1B6 E25A 6A7C 16F2 68B6
Key: http://demo.sourcefire.com/dtaylor.pgp.key




Gentoo-Wally wrote:
> I'm coming a little late to the party, but I just had a similar
> problem. I was trying to compile snort with a libpcap that uses pfring
> as the ring buffer (similar to Phil Wood's stuff) and I am also using
> CentOS 4 with a slightly modified 2.6.9-42.0.3.EL kernel (same as
> Jesse). This is what I found...
> 
> libpcap stuff from /usr/local/src/libpcap-0.9.4...
> 
> [root at ...274... libpcap-0.9.4]# ./configure --enable-ipv6
> [root at ...274... libpcap-0.9.4]# make
> [root at ...274... libpcap-0.9.4]# gcc -shared -Wl,-soname
> -Wl,libpcap.so.`cat VERSION` -o libpcap.so.`cat VERSION` *.o -lc
> [root at ...274... libpcap-0.9.4]# make install && cp libpcap.so.0.9.4
> /usr/local/lib
> [root at ...274... libpcap-0.9.4]# ln -s /usr/local/lib/libpcap.so.0.9.4
> /usr/local/lib/libpcap.so
> [root at ...274... libpcap-0.9.4]# ln -s /usr/local/lib/libpcap.so.0.9.4
> /usr/local/lib/libpcap.so.0
> [root at ...274... libpcap-0.9.4]# ln -s /usr/local/lib/libpcap.so.0.9.4
> /usr/local/lib/libpcap.so.0.9
> 
> Giving me the following setup...
> 
> [root at ...274... libpcap-0.9.4]# ls -l /usr/local/lib/
> total 372
> -rw-r--r--  1 root root 186300 Jan 31 14:21 libpcap.a
> lrwxrwxrwx  1 root root     31 Jan 31 14:24 libpcap.so ->
> /usr/local/lib/libpcap.so.0.9.4
> lrwxrwxrwx  1 root root     31 Jan 31 14:24 libpcap.so.0 ->
> /usr/local/lib/libpcap.so.0.9.4
> lrwxrwxrwx  1 root root     31 Jan 31 14:24 libpcap.so.0.9 ->
> /usr/local/lib/libpcap.so.0.9.4
> -rwxr-xr-x  1 root root 181638 Jan 31 14:22 libpcap.so.0.9.4
> 
> [root at ...274... libpcap-0.9.4]# echo "/usr/local/lib" >> /etc/ld.so.conf
> [root at ...274... libpcap-0.9.4]# ldconfig -v |grep pcap
>         libpcap.so.0.9.4 -> libpcap.so.0.9.4
>         libpcap-nessus.so.2 -> libpcap-nessus.so.2.2.5
> 
> Just for reference...
> 
> [root at ...274... libpcap-0.9.4]# ls -l /usr/lib/libpcap*
> lrwxrwxrwx  1 root root     23 Jan 29 16:34 /usr/lib/libpcap-nessus.so
> -> libpcap-nessus.so.2.2.5
> lrwxrwxrwx  1 root root     23 Jan 29 16:34
> /usr/lib/libpcap-nessus.so.2 -> libpcap-nessus.so.2.2.5
> -rwxr-xr-x  1 root root 175953 Jan  4 11:34 /usr/lib/libpcap-nessus.so.2.2.5
> 
> Now when I try to compile snort from /usr/local/src/snort-2.6.0...
> 
> [root at ...274... snort-2.6.0]# ./configure --enable-dynamicplugin
> --enable-timestats --enable-perfprofiling --enable-linux-smp-stats
> --with-libpcap-includes=/usr/local/include
> --with-libpcap-libraries=/usr/local/lib
> 
> Like Jesse's case, it complains...
> 
> [...]
> checking for strerror... yes
> checking for __FUNCTION__... yes
> checking for floor in -lm... yes
> checking for pcap_datalink in -lpcap... no
> 
>    ERROR!  Libpcap library/headers not found, go get it from
>    http://www.tcpdump.org
>    or use the --with-libpcap-* options, if you have it installed
>    in unusual place
> 
> What makes this really weird is that if I delete just the symlinks for
> the shared libs...
> 
> [root at ...274... snort-2.6.0]# rm -rf /usr/local/lib/libpcap.so
> [root at ...274... snort-2.6.0]# rm -rf /usr/local/lib/libpcap.so.0
> [root at ...274... snort-2.6.0]# rm -rf /usr/local/lib/libpcap.so.0.9
> [root at ...274... snort-2.6.0]# ls -l /usr/local/lib/
> total 372
> -rw-r--r--  1 root root 186300 Jan 31 14:21 libpcap.a
> -rwxr-xr-x  1 root root 181638 Jan 31 14:22 libpcap.so.0.9.4
> [root at ...274... snort-2.6.0]# ldconfig -v |grep pcap
>         libpcap.so.0.9.4 -> libpcap.so.0.9.4
>         libpcap-nessus.so.2 -> libpcap-nessus.so.2.2.5
> 
> And then rerun the exact same ./configure for snort that I ran before
> it configures and compiles without complaint.
> 
> I thought I'd take this a step further. I ran the _exact_ same test
> with a stock libpcap-0.9.4 downloaded from www.tcpdump.org _without_
> any pfring stuff and even with the symlinks it configures and compiles
> without complaint. Then I removed that and ran the _exact_ same test
> with the version of libpcap I pulled with 'yum install libpcap' which
> also sets up the symlinks. Only difference is it uses /usr/lib instead
> of /usr/local/lib. It also configures and compiles without complaint.
> 
> Sounds like there might be a problem with the function in configure
> that checks for pcap_datalink in the pcap library when dealing with
> nonstandard/patched libpcaps that use shared libraries and symlinks.
> Or maybe the culprit is CentOS 4 since we are both using that.
> 
> I have no idea how AC_CHECK_LIB in configure actually performs the
> check, but I do know that pcap_datalink does exist in a pfring enabled
> libpcap...
> 
> [root at ...274... snort-2.6.0]# grep pcap_datalink /usr/local/lib/libpcap.a
> Binary file /usr/local/lib/libpcap.a matches
> [root at ...274... snort-2.6.0]# grep pcap_datalink
> /usr/local/lib/libpcap.so.0.9.4
> Binary file /usr/local/lib/libpcap.so.0.9.4 matches
> 
> Hope this helps,
> Wally
> 
> 
> 
> 
> On 1/24/07, Darryl Taylor <darryl.taylor at ...1935...> wrote:
> I just did a complete install as follows on my Dual Opteron running
> Gentoo 2.6.17-r8:
> 
> libpcap (Phil Woods)
> ./configure --enable-shared
> make
> sudo make install
> 
> (ensure /usr/local/lib is in ld.so.conf)
> sudo ldconfig
> 
> 
> 
> snort (with the options I use)
> ./configure --with-libpcap-library=/usr/local/lib --enable-debug \
> --enable-perfprofiling --enable-dynamicplugin
> make
> sudo make install
> 
> ldd /usr/local/bin/snort
>         libpcre.so.0 => /usr/lib/libpcre.so.0 (0x00002b3e9220e000)
>         libpcap-0.9.3.so => /usr/local/lib/libpcap-0.9.3.so
> (0x00002b3e9232a000)
>         libm.so.6 => /lib/libm.so.6 (0x00002b3e92459000)
>         libnsl.so.1 => /lib/libnsl.so.1 (0x00002b3e925af000)
>         libdl.so.2 => /lib/libdl.so.2 (0x00002b3e926c5000)
>         libc.so.6 => /lib/libc.so.6 (0x00002b3e927c9000)
>         /lib64/ld-linux-x86-64.so.2 (0x00002b3e920f2000)
> 
> After this I had a working snort-2.6.1.2.
> 
> 
> Darryl Taylor
> 
> 
> IT Security wrote:
>>>> I recompiled libpcap to use shared libraries and now have the following
>>>> in /usr/lib:
>>>>
>>>> lrwxrwxrwx  1 root root     16 Jan 23 08:56 /usr/lib/libpcap-0.8.3.so ->
>>>> libpcap-0.9.3.so
>>>> -rwxr-xr-x  1 root root 375850 Jan 23 09:00 /usr/lib/libpcap-0.9.3.so
>>>> -rw-r--r--  1 root root 483168 Jan 23 09:00 /usr/lib/libpcap.a
>>>> -rwxr-xr-x  1 root root    792 Jan 23 09:00 /usr/lib/libpcap.la
>>>> lrwxrwxrwx  1 root root     16 Jan 23 09:00 /usr/lib/libpcap.so ->
>>>> libpcap-0.9.3.so
>>>> lrwxrwxrwx  1 root root     16 Jan 23 09:02 /usr/lib/libpcap.so.0 ->
>>>> libpcap-0.9.3.so
>>>> lrwxrwxrwx  1 root root     16 Jan 23 09:03 /usr/lib/libpcap.so.0.8 ->
>>>> libpcap-0.9.3.so
>>>> lrwxrwxrwx  1 root root     16 Jan 23 09:03 /usr/lib/libpcap.so.0.8.3 ->
>>>> libpcap-0.9.3.so
>>>>
>>>> I added the symlinks for libpcap 0.8.3 with hopes that it would help,
>>>> but it didn't.
>>>>
>>>> I have run ldconfig since reinstalling libpcap.
>>>>
>>>> Attempting to recompile snort and tcpdump both end with the result of:
>>>>
>>>> checking for strerror... yes
>>>> checking for __FUNCTION__... yes
>>>> checking for floor in -lm... yes
>>>> checking for pcap_datalink in -lpcap... no
>>>>
>>>>    ERROR!  Libpcap library/headers not found, go get it from
>>>>    http://www.tcpdump.org
>>>>    or use the --with-libpcap-* options, if you have it installed
>>>>    in unusual place
>>>>
>>>> This makes me think that I'm missing something associated with libpcap.
>>>>
>>>> Any more ideas?
>>>>
>>>> Thanks in advance.
>>>>
>>>> - Jesse
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: snort-users-bounces at lists.sourceforge.net
>>>> [mailto:snort-users-bounces at lists.sourceforge.net] On Behalf Of IT
>>>> Security
>>>> Sent: Tuesday, January 23, 2007 8:11 AM
>>>> To: Darryl Taylor
>>>> Cc: snort-users at lists.sourceforge.net
>>>> Subject: Re: [Snort-users] Phil Wood Libpcap Installation Problems
>>>>
>>>> Darryl -
>>>>
>>>> Tried with no luck.  Still get the same error.
>>>>
>>>> ./configure --with-libpcap-library=/usr/local/lib
>>>>
>>>> Thanks for the assistance.
>>>>
>>>> - Jesse
>>>>
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: Darryl Taylor [mailto:darryl.taylor at ...1935...]
>>>> Sent: Tuesday, January 23, 2007 8:00 AM
>>>> To: darryl.taylor at ...1935...
>>>> Cc: IT Security; snort-users-bounces at lists.sourceforge.net;
>>>> snort-users at lists.sourceforge.net
>>>> Subject: Re: [Snort-users] Phil Wood Libpcap Installation Problems
>>>>
>>>> Sorry bout that. Needed a little more sleep. It should be
>>>> --with-libpcap-library=[your path]
>>>>
>>>>
>>>>
>>>> Darryl Taylor
>>>> Security Engineer
>>>> SOURCEfire
>>>> Office: 404-474-8454
>>>> Cell:   404-783-2064
>>>> eFax:   404-521-4309
>>>>
>>>> Fingerprint: AEA7 16DB 2DC3 0C3E 43A9 F1B6 E25A 6A7C 16F2 68B6
>>>> Key: http://demo.sourcefire.com/dtaylor.pgp.key
>>>>
>>>>
>>>>
>>>>
>>>> darryl.taylor at ...1935... wrote:
>>>>> Try ./configure --with-libpcap=/usr/local when compiling snort. If it
>>>>> still fails then the library was probably compiled statically. If that
>>>>> is the case, post back and I will tell you how to make it a shared
>>>>> object. I think I had this problem a few years ago.
>>>>> Sent from my Verizon Wireless BlackBerry
>>>>> -----Original Message-----
>>>>> From: "IT Security" <ITSEC at ...14044...>
>>>>> Date: Mon, 22 Jan 2007 17:46:59
>>>>> To:<snort-users at lists.sourceforge.net>
>>>>> Subject: [Snort-users] Phil Wood Libpcap Installation Problems
>>>>> I'm trying to get Phil Wood's modified libpcap working on my Snort
>>>>> 2.6.1 sensor, but have run into some difficulties and hoping that
>>>>> someone out there can help.
>>>>> I've downloaded and extracted libpcap-0.9.20060417.tar.gz.  I then run:
>>>>>    ./configure
>>>>>    make
>>>>>    make install
>>>>> I then downloaded and extracted snort-2.6.1.1.tar.gz.  I then run:
>>>>>    ./configure
>>>>>    make
>>>>> That's where it blows up.  Here is the error:
>>>>> <snip>
>>>>> checking for pcap_datalink in -lpcap... no
>>>>>    ERROR!  Libpcap library/headers not found, go get it from
>>>>>    http://www.tcpdump.org
>>>>>    or use the --with-libpcap-* options, if you have it installed
>>>>>    in unusual place
>>>>> </snip>
>>>>> Any ideas why the headers would be missing?  Header files are
>>>>> identified with the .h extension correct?  Where are these supposed to
>>>>> reside on the system?
>>>>> I'm running CentOS 4 with 2.6.9-42.0.3.EL kernel.
>>>>> Thanks in advance.
>>>>> - Jesse
>>>>> _______________________________________________
>>>>> Snort-users mailing list
>>>>> Snort-users at lists.sourceforge.net
>>>>> Go to this URL to change user options or unsubscribe:
>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>> Snort-users list archive:
>>>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
More information about the Snort-users mailing list
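
Added example, not part of the original thread or of the Snort or libpcap sources: the "checking for pcap_datalink in -lpcap" step is a link test, and configure prints only "no" while the linker's actual complaint goes to config.log. The helper below (check_lib_symbol is a hypothetical name) repeats that kind of test by hand and prints the linker error directly; it assumes a C compiler reachable as $CC or cc.

```sh
#!/bin/sh
# Reproduce by hand the link test behind
# "checking for pcap_datalink in -lpcap... no".
#
# usage: check_lib_symbol SYMBOL LIB [LIBDIR]
#   e.g. check_lib_symbol pcap_datalink pcap /usr/local/lib
# Returns 0 if a program calling SYMBOL links against -lLIB, 1 if the
# link fails (the linker's own message is printed to stderr), 2 if no
# scratch directory could be created.
check_lib_symbol() {
    sym=$1 lib=$2 libdir=${3:-}
    tmp=$(mktemp -d) || return 2

    # Same shape as an autoconf library check: declare the symbol with a
    # dummy prototype and call it, so no header is needed and only the
    # link step can fail.
    cat > "$tmp/conftest.c" <<EOF
char $sym ();
int main (void) { return $sym (); }
EOF

    if ${CC:-cc} -o "$tmp/conftest" "$tmp/conftest.c" \
        ${libdir:+-L"$libdir"} -l"$lib" 2> "$tmp/err.log"; then
        rc=0
    else
        rc=1
        echo "link test for $sym in -l$lib failed:" >&2
        cat "$tmp/err.log" >&2
    fi

    rm -rf "$tmp"
    return $rc
}

# Run the check when the script is called with arguments.
if [ "$#" -ge 2 ]; then
    check_lib_symbol "$@"
fi
```

An "undefined reference" to something other than the symbol being tested points at the library build itself, while "cannot find -lpcap" points at the search path.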