[Snort-users] Problem to configure DAQ on SNORT

vpiserchia at ...11827...
Fri Sep 13 08:53:11 EDT 2013


Hello

The main problem here is that the libnetfilter_queue*.rpm packages are missing from the CentOS 6 distro (see for example [1]),

so you have two options here:

- compile it yourself, but you probably also have to compile other libnetfilter modules
- or use a custom repository containing the needed packages

In the first case see for example [3] (search in the page).

In the second case, here are some repos from Google:

- ClearOS repository, for example see [1]
- rebuilding the package from Fedora 14, see [2]
- rajven repo, here [4]; the repo key is here [5]

[1] http://yaplej.blogspot.it/2013/02/centos-rhel-63-missing-libnetfilterqueue.html
[2] http://darkgate.net/blog/?p=1467
[3] https://code.google.com/p/kanet/wiki/Kanet_install_centos6_rhel6
[4] http://rnd.rajven.net/centos
[5] http://rnd.rajven.net/RPM-GPG-KEY-rajven.net

hope this helps

regards
vito
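The two practical questions in the quoted thread below, how to "redirect" configure to a library installed somewhere other than the distro paths, and whether to install RPMs fetched from third-party sites, are what this added example covers. It is not part of the thread and not code from the DAQ or Snort projects. It assumes a hypothetical PREFIX where you unpacked or installed libnetfilter_queue and libnfnetlink (headers under PREFIX/include, libraries under PREFIX/lib64 or PREFIX/lib); the header name libnfnetlink/libnfnetlink.h is assumed for the libnfnetlink-devel package, and the rpm -Kv text in the block is constructed sample data, not output from a real package. --enable-nfq-module is derived from the enable_nfq_module variable visible in the configure excerpt; CPPFLAGS/LDFLAGS are the generic autoconf mechanism, not DAQ-specific options.

```shell
#!/bin/sh
# Added example, not from the thread or the DAQ/Snort projects: a preflight
# for building the DAQ nfq module when libnetfilter_queue-devel is not in the
# distro repos. Assumptions (hypothetical): the headers/libs live under a
# prefix you choose; third-party RPMs are verified with `rpm -Kv` after the
# repo's GPG key has been imported.

# Headers DAQ's configure probed for in the output quoted in the thread;
# libnfnetlink/libnfnetlink.h is assumed here as the libnfnetlink-devel header.
NFQ_HEADERS="linux/netfilter.h libnetfilter_queue/libnetfilter_queue.h libnfnetlink/libnfnetlink.h"

# missing_headers INCLUDE_DIR: print each required header not found under
# INCLUDE_DIR, one per line; exit status 1 if anything is missing.
missing_headers() {
    _dir=$1
    _rc=0
    for _h in $NFQ_HEADERS; do
        if [ ! -f "$_dir/$_h" ]; then
            echo "$_h"
            _rc=1
        fi
    done
    return $_rc
}

# daq_nfq_configure PREFIX: print the configure invocation that points the
# header and library search at PREFIX. This is the standard autoconf way to
# "redirect" a header check (CPPFLAGS/LDFLAGS); editing the generated
# configure script is never needed.
daq_nfq_configure() {
    _p=$1
    printf 'CPPFLAGS="-I%s/include" LDFLAGS="-L%s/lib64 -L%s/lib" ./configure --enable-nfq-module\n' \
        "$_p" "$_p" "$_p"
}

# rpm_kv_ok TEXT: decide from `rpm -Kv FILE` output whether FILE carries a
# signature that verified. Requires at least one "Signature" line and every
# such line to end in ": OK", so NOKEY, BAD and unsigned packages all fail.
rpm_kv_ok() {
    _sigs=$(printf '%s\n' "$1" | grep 'Signature' || true)
    [ -n "$_sigs" ] || return 1
    if printf '%s\n' "$_sigs" | grep -vq ': OK[[:space:]]*$'; then
        return 1
    fi
    return 0
}

# rpm_signed_ok FILE: run the check against a real package. Import the repo
# key first (rpm --import <key-file>); otherwise signed packages report NOKEY.
rpm_signed_ok() {
    rpm_kv_ok "$(rpm -Kv "$1" 2>&1)"
}

# Constructed samples of rpm -Kv output (no real package; key ID is fake).
SAMPLE_SIGNED='example.x86_64.rpm:
    Header V3 RSA/SHA256 Signature, key ID 00000000: OK
    Header SHA1 digest: OK (0000000000000000000000000000000000000000)
    V3 RSA/SHA256 Signature, key ID 00000000: OK
    MD5 digest: OK (00000000000000000000000000000000)'
SAMPLE_NOKEY='example.x86_64.rpm:
    Header V3 RSA/SHA256 Signature, key ID 00000000: NOKEY
    Header SHA1 digest: OK (0000000000000000000000000000000000000000)'

# Stand-alone demo: a staging tree with only the kernel header present, the
# way the box in the thread looked (linux/netfilter.h found, nfq header not).
demo() {
    _t=$(mktemp -d)
    mkdir -p "$_t/include/linux"
    : > "$_t/include/linux/netfilter.h"
    echo "missing under $_t/include:"
    missing_headers "$_t/include" || true
    daq_nfq_configure "$_t"
    rpm_kv_ok "$SAMPLE_SIGNED" && echo "signed sample: accepted"
    rpm_kv_ok "$SAMPLE_NOKEY" || echo "nokey sample: rejected"
    rm -rf "$_t"
}
demo
```

Run it as-is for the demo, or copy the printed configure line into the DAQ source tree after pointing PREFIX at the real location; the runtime loader also needs to find the .so files there (ldconfig or an /etc/ld.so.conf.d entry), or Snort will build and then fail to load the module. Two caveats a practitioner would take from the quoted output: the rpm -i messages show libnfnetlink 1.0.0 is already installed, so forcing the older 0.0.30 package over it is a downgrade of a shared library, not a fix, and what configure is actually missing is the header from the libnetfilter_queue -devel package; the libipq lines belong to the separate IPQ DAQ module and do not affect nfq.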

On 09/13/2013 02:05 PM, Kelevra Slevin wrote:
> I downloaded and installed these libs, but nothing. I'm still getting the message:
> 
> checking libipq.h usability... no
> checking libipq.h presence... no
> checking for libipq.h... no
> checking for linux/netfilter.h... yes
> checking for netinet/in.h... (cached) yes
> checking libnetfilter_queue/libnetfilter_queue.h usability... no
> checking libnetfilter_queue/libnetfilter_queue.h presence... no
> checking for libnetfilter_queue/libnetfilter_queue.h... no
> 
> But when I was installing libnfnetlink-0.0.30-1.x86_64.rpm I got this message:
>         
>         sudo rpm -i libnfnetlink-0.0.30-1.x86_64.rpm 
> package libnfnetlink-1.0.0-1.el6.x86_64 (which is newer than libnfnetlink-0.0.30-1.x86_64) is already installed
> package libnfnetlink-1.0.0-1.el6.i686 (which is newer than libnfnetlink-0.0.30-1.x86_64) is already installed
> file /usr/lib64/libnfnetlink.so.0.2.0 from install of libnfnetlink-0.0.30-1.x86_64 conflicts with file from package libnfnetlink-1.0.0-1.el6.x86_64
> 
> And I think the problem is which lib ./configure is using, because I already have libnfnetlink installed in lib64/.
> 
> The configure file has this code:
> 
> # excerpt from the generated configure: each nfq header is probed in turn,
> # and a single miss switches the module off
> if test "$enable_nfq_module" = yes; then
>     for ac_header in netinet/in.h libnetfilter_queue/libnetfilter_queue.h
> do :
>   as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
> ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
> if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
>   cat >>confdefs.h <<_ACEOF
> #define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
> _ACEOF
> 
> else
>   enable_nfq_module=no
> fi
> 
> done
> 
> fi
> 
> but I don't know how to change it to redirect.
> 
> 
> On Fri, Sep 13, 2013 at 6:15 AM, Y M <snort at ...15979...> wrote:
> 
>     Have you tried compiling/using rpms (if available) of the following:
> 
>     libnetfilter_queue-devel
>     libnfnetlink
>     libnfnetlink-devel
> 
>     Looking at your output:
> 
> 
>     checking libipq.h usability... no
>     checking libipq.h presence... no
>     checking for libipq.h... no
>     checking for linux/netfilter.h... yes
>     checking for netinet/in.h... (cached) yes
>     checking libnetfilter_queue/libnetfilter_queue.h usability... no
>     checking libnetfilter_queue/libnetfilter_queue.h presence... no
>     checking for libnetfilter_queue/libnetfilter_queue.h... no
> 
>     Some Google searching got the below rpms (never tested them myself, or whether they are available):
> 
>     x86: http://rules.emergingthreatspro.com/projects/emergingrepo/i386/libnetfilter_queue-0.0.15-1.i386.rpm
>     http://rules.emergingthreatspro.com/projects/emergingrepo/i386/libnetfilter_queue-devel-0.0.15-1.i386.rpm
>     http://rules.emergingthreatspro.com/projects/emergingrepo/i386/libnfnetlink-0.0.30-1.i386.rpm
>     http://rules.emergingthreatspro.com/projects/emergingrepo/i386/libnfnetlink-devel-0.0.30-1.i386.rpm
> 
>     x86_64: http://rules.emergingthreatspro.com/projects/emergingrepo/x86_64/libnetfilter_queue-0.0.15-1.x86_64.rpm
>     http://rules.emergingthreatspro.com/projects/emergingrepo/x86_64/libnetfilter_queue-devel-0.0.15-1.x86_64.rpm
>     http://rules.emergingthreatspro.com/projects/emergingrepo/x86_64/libnfnetlink-0.0.30-1.x86_64.rpm
>     http://rules.emergingthreatspro.com/projects/emergingrepo/x86_64/libnfnetlink-devel-0.0.30-1.x86_64.rpm
> 
>     Finally, Snort will work just fine alerting on "alert" rules while running inline and dropping packets with "drop" rules.
> 
>     YM
>     From: Kelevra Slevin <kelevra19 at ...11827...>
>     Sent: 9/13/2013 4:51 AM
>     To: Safwat <safwat1242 at ...11827...>
>     Cc: snort-users at lists.sourceforge.net
>     Subject: Re: [Snort-users] Problem to configure DAQ on SNORT
> 
>     I already searched for a solution to this problem on CentOS, but I barely found anything, and what I found was for another OS.
>     If someone knows a way to redirect to another lib, like libnetfilter_contrack, I would appreciate the help.
> 
>     One more thing, with this config Snort will work properly as an IDS?
> 
> 
>     On Thu, Sep 12, 2013 at 5:42 PM, Safwat <safwat1242 at ...11827...> wrote:
> 
>         We also have the same problem, and could not find a solution.
> 
>         *From:* Kelevra Slevin [mailto:kelevra19 at ...11827...]
>         *Sent:* Thursday, September 12, 2013 4:37 PM
>         *To:* snort-users at lists.sourceforge.net
>         *Subject:* [Snort-users] Problem to configure DAQ on SNORT
> 
>         I'm new to using Snort and I'm having a problem compiling DAQ with the nfq module. At first I will use it as an IDS to get used to Snort, but in the future I would like to use Snort as an IPS in inline mode. I use CentOS 6.
> 
>         After a Google search I installed some recommended libs using these commands:
> 
>         yum install libnfnetlink*
> 
>         yum install libnetfilter_contrack*
> 
>         The ./configure of daq:
> 
>         checking for a BSD-compatible install... /usr/bin/install -c
>         checking whether build environment is sane... yes
>         checking for a thread-safe mkdir -p... /bin/mkdir -p
>         checking for gawk... gawk
>         checking whether make sets $(MAKE)... yes
>         checking for gcc... gcc
>         checking whether the C compiler works... yes
>         checking for C compiler default output file name... a.out
>         checking for suffix of executables... 
>         checking whether we are cross compiling... no
>         checking for suffix of object files... o
>         checking whether we are using the GNU C compiler... yes
>         checking whether gcc accepts -g... yes
>         checking for gcc option to accept ISO C89... none needed
>         checking for style of include used by make... GNU
>         checking dependency style of gcc... gcc3
>         checking build system type... x86_64-unknown-linux-gnu
>         checking host system type... x86_64-unknown-linux-gnu
>         checking how to print strings... printf
>         checking for a sed that does not truncate output... /bin/sed
>         checking for grep that handles long lines and -e... /bin/grep
>         checking for egrep... /bin/grep -E
>         checking for fgrep... /bin/grep -F
>         checking for ld used by gcc... /usr/bin/ld
>         checking if the linker (/usr/bin/ld) is GNU ld... yes
>         checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B
>         checking the name lister (/usr/bin/nm -B) interface... BSD nm
>         checking whether ln -s works... yes
>         checking the maximum length of command line arguments... 1966080
>         checking whether the shell understands some XSI constructs... yes
>         checking whether the shell understands "+="... yes
>         checking how to convert x86_64-unknown-linux-gnu file names to x86_64-unknown-linux-gnu format... func_convert_file_noop
>         checking how to convert x86_64-unknown-linux-gnu file names to toolchain format... func_convert_file_noop
>         checking for /usr/bin/ld option to reload object files... -r
>         checking for objdump... objdump
>         checking how to recognize dependent libraries... pass_all
>         checking for dlltool... no
>         checking how to associate runtime and link libraries... printf %s\n
>         checking for ar... ar
>         checking for archiver @FILE support... @
>         checking for strip... strip
>         checking for ranlib... ranlib
>         checking command to parse /usr/bin/nm -B output from gcc object... ok
>         checking for sysroot... no
>         checking for mt... no
>         checking if : is a manifest tool... no
>         checking how to run the C preprocessor... gcc -E
>         checking for ANSI C header files... yes
>         checking for sys/types.h... yes
>         checking for sys/stat.h... yes
>         checking for stdlib.h... yes
>         checking for string.h... yes
>         checking for memory.h... yes
>         checking for strings.h... yes
>         checking for inttypes.h... yes
>         checking for stdint.h... yes
>         checking for unistd.h... yes
>         checking for dlfcn.h... yes
>         checking for objdir... .libs
>         checking if gcc supports -fno-rtti -fno-exceptions... no
>         checking for gcc option to produce PIC... -fPIC -DPIC
>         checking if gcc PIC flag -fPIC -DPIC works... yes
>         checking if gcc static flag -static works... no
>         checking if gcc supports -c -o file.o... yes
>         checking if gcc supports -c -o file.o... (cached) yes
>         checking whether the gcc linker (/usr/bin/ld -m elf_x86_64) supports shared libraries... yes
>         checking whether -lc should be explicitly linked in... no
>         checking dynamic linker characteristics... GNU/Linux ld.so
>         checking how to hardcode library paths into programs... immediate
>         checking whether stripping libraries is possible... yes
>         checking if libtool supports shared libraries... yes
>         checking whether to build shared libraries... yes
>         checking whether to build static libraries... yes
>         checking for visibility support... yes
>         checking CFLAGS for gcc -Wall... -Wall
>         checking CFLAGS for gcc -Wwrite-strings... -Wwrite-strings
>         checking CFLAGS for gcc -Wsign-compare... -Wsign-compare
>         checking CFLAGS for gcc -Wcast-align... -Wcast-align
>         checking CFLAGS for gcc -Wextra... -Wextra
>         checking CFLAGS for gcc -Wformat... -Wformat
>         checking CFLAGS for gcc -Wformat-security... -Wformat-security
>         checking CFLAGS for gcc -Wno-unused-parameter... -Wno-unused-parameter
>         checking CFLAGS for gcc -fno-strict-aliasing... -fno-strict-aliasing
>         checking CFLAGS for gcc -fdiagnostics-show-option... -fdiagnostics-show-option
>         checking CFLAGS for gcc -pedantic -std=c99 -D_GNU_SOURCE... -pedantic -std=c99 -D_GNU_SOURCE
>         checking for getaddrinfo... yes
>         checking for flex... flex
>         checking for flex 2.4 or higher... yes
>         checking for bison... bison
>         checking linux/if_ether.h usability... yes
>         checking linux/if_ether.h presence... yes
>         checking for linux/if_ether.h... yes
>         checking linux/if_packet.h usability... yes
>         checking linux/if_packet.h presence... yes
>         checking for linux/if_packet.h... yes
>         checking pcap.h usability... yes
>         checking pcap.h presence... yes
>         checking for pcap.h... yes
>         checking for pcap_lib_version in -lpcap... yes
>         checking netinet/in.h usability... yes
>         checking netinet/in.h presence... yes
>         checking for netinet/in.h... yes
>         checking libipq.h usability... no
>         checking libipq.h presence... no
>         checking for libipq.h... no
>         checking for linux/netfilter.h... yes
>         checking for netinet/in.h... (cached) yes
>         checking libnetfilter_queue/libnetfilter_queue.h usability... no
>         checking libnetfilter_queue/libnetfilter_queue.h presence... no
>         checking for libnetfilter_queue/libnetfilter_queue.h... no
>         checking for linux/netfilter.h... (cached) yes
>         checking for pcap.h... (cached) yes
>         checking for pcap_lib_version... checking for pcap_lib_version in -lpcap... (cached) yes
>         checking for libpcap version >= "1.0.0"... yes
>         checking for dlopen in -ldl... yes
>         checking for inttypes.h... (cached) yes
>         checking for memory.h... (cached) yes
>         checking netdb.h usability... yes
>         checking netdb.h presence... yes
>         checking for netdb.h... yes
>         checking for netinet/in.h... (cached) yes
>         checking for stdint.h... (cached) yes
>         checking for stdlib.h... (cached) yes
>         checking for string.h... (cached) yes
>         checking sys/ioctl.h usability... yes
>         checking sys/ioctl.h presence... yes
>         checking for sys/ioctl.h... yes
>         checking sys/param.h usability... yes
>         checking sys/param.h presence... yes
>         checking for sys/param.h... yes
>         checking sys/socket.h usability... yes
>         checking sys/socket.h presence... yes
>         checking for sys/socket.h... yes
>         checking sys/time.h usability... yes
>         checking sys/time.h presence... yes
>         checking for sys/time.h... yes
>         checking for unistd.h... (cached) yes
>         checking for inline... inline
>         checking for size_t... yes
>         checking for uint16_t... yes
>         checking for uint32_t... yes
>         checking for uint64_t... yes
>         checking for uint8_t... yes
>         checking for stdlib.h... (cached) yes
>         checking for GNU libc compatible malloc... yes
>         checking for stdlib.h... (cached) yes
>         checking for unistd.h... (cached) yes
>         checking for sys/param.h... (cached) yes
>         checking for getpagesize... yes
>         checking for working mmap... yes
>         checking for gethostbyname... yes
>         checking for getpagesize... (cached) yes
>         checking for memset... yes
>         checking for munmap... yes
>         checking for socket... yes
>         checking for strchr... yes
>         checking for strcspn... yes
>         checking for strdup... yes
>         checking for strerror... yes
>         checking for strrchr... yes
>         checking for strstr... yes
>         checking for strtoul... yes
>         configure: creating ./config.status
>         config.status: creating Makefile
>         config.status: creating api/Makefile
>         config.status: creating os-daq-modules/Makefile
>         config.status: creating os-daq-modules/daq-modules-config
>         config.status: creating sfbpf/Makefile
>         config.status: creating config.h
>         config.status: config.h is unchanged
>         config.status: executing depfiles commands
>         config.status: executing libtool commands
> 
>         Build AFPacket DAQ module.. : yes
>         Build Dump DAQ module...... : yes
>         Build IPFW DAQ module...... : yes
>         Build IPQ DAQ module....... : no
>         Build NFQ DAQ module....... : no
>         Build PCAP DAQ module...... : yes
> 
>         Thanks in advance,
> 
>         SK
> 
> 
> 
> 
> 
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> 
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
> 
