waldo kitty wkitty42 at ...14940...
Mon Oct 4 22:52:13 EDT 2010

On 10/4/2010 21:49, Russ Combs wrote:
>      > * Snort no longer depends on libnet and uses libdnet instead.
>     yeah, that really means nothing to this poor code jockey other than yet another
>     lib to figure out how to install and get compiled in my environment... i can
>     only imagine what the corporate side maintainers are going to face... they have
>     basically the same things to deal with that i do... i just have the chance to be
>     a step or three ahead of them and make my releases as mods to the official
>     release of the total package...
> FWIW, libnet is obsolete and increasingly hard to find.  dnet makes things
> easier in that regard.

i don't know, because i've not gone looking, if our environment even uses 
libnet, TBH... we're using GCC 3.3.5 and glibc 2.3.2 if that means anything...

[time passes]

the only libnet i find anywhere in our basic source directories seems to be 
win32 related for some package(s) we use that support that environment... since 
we're a *nix based environment, that one doesn't do us any good...


>     AFAIK, we don't use DAQ in our setup... pcap seems to be what we use but i've
>     not dug into the code to determine that... our official releases do not use any
>     compile time options at all... then again, our FOSS stuff is aimed at those
>     machines that everyone is throwing away because they don't think they have any
>     use left in them... sheesh, we're pulling P4's out of the dumpsters these
>     days... with 1+Gig of RAM and "huge" HDs where we only need ~10G of HD space...
> With 2.9.0, you *must* use the DAQ.  By default, you will wind up using a pcap
> DAQ, but the DAQ is a separate package that must be installed.  This is new for
> 2.9.0.

ugh! when does the madness end? :lol: i'll have to see if i can hunt up the 
archive for that... hopefully it is available at

> Also, the NFQ and IPQ DAQs require libdnet, but so does Snort 2.9.0.

this begs the question of why DAQ wasn't included in the 2.9.0 archive so that 
one only need grab that one archive, untar it and DAQ be available in the 2.9.0 
source tree... it sure would make things a *lot* easier :?

this release really should be 3.something instead of 2.9 with changes like 
these... but all we can do is either keep trying to move forward or dump snort 
in the bitbucket and find something else :? that's not my call so all i can do 
is try to keep beating snort into submission in my environment... it may very 
well turn out that it gets dumped if we can't get 2.9.0 working and especially 
if the rules updates get EOLed and leave our users with no rules to use...

