[Snort-users] 32bit snort rpm

James Lay jlay at ...13475...
Mon Sep 28 19:20:56 EDT 2015


On Mon, 2015-09-28 at 22:57 +0000, Lamont, Brian A. wrote:

> Building in its own area sounds great, but I'm still not getting past the make.
> .
> .
> config.status: creating pcap_set_tstamp_precision.3pcap
> config.status: creating pcap_set_tstamp_type.3pcap
> config.status: creating config.h
> config.status: config.h is unchanged
> config.status: executing default-1 commands
> 
> [root at ...17307... libpcap-1.7.4]# make
> gcc -fpic -I.  -I/usr/include/dbus-1.0 -I/usr/lib/dbus-1.0/include   -DHAVE_CONFIG_H  -D_U_="__attribute__((unused))" -g -O2    -c ./pcap-dbus.c
> ./pcap-dbus.c: In function ‘dbus_write’:
> ./pcap-dbus.c:111: error: ‘DBUS_ERROR_INIT’ undeclared (first use in this function)
> ./pcap-dbus.c:111: error: (Each undeclared identifier is reported only once
> ./pcap-dbus.c:111: error: for each function it appears in.)
> ./pcap-dbus.c: In function ‘dbus_activate’:
> ./pcap-dbus.c:165: error: ‘DBUS_ERROR_INIT’ undeclared (first use in this function)
> make: *** [pcap-dbus.o] Error 1
> 
> 
> 
> 
> -----Original Message-----
> From: James Lay [mailto:jlay at ...13475...] 
> Sent: Monday, September 28, 2015 2:24 PM
> To: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] 32bit snort rpm
> 
> On 2015-09-28 02:12 PM, Lamont, Brian A. wrote:
> > daq is still needing 1.0.0 back to the beginning it looks like.
> > 
> > ------
> > 
> > checking for libpcap version >= "1.0.0"... no
> > 
> >  ERROR! Libpcap library version >= 1.0.0 not found.
> > 
> >  Get it from http://www.tcpdump.org [1]
> > 
> > -----------
> > 
> > So I found these options and ran it. But I'm not sure if daq built 
> > "without" libpcap-1.0.0, and instead, or WITH the 1.7.4 library in 
> > /usr/local/lib, which seemed like a default but specified it anyway.
> > Libpcap install config.log completed without errors. Do any of you see 
> > an issue with the way this built?
> > 
> > ./configure --disable-pcap-module
> > --with-libpcap-libraries=/usr/local/lib
> > 
> > FROM: Lamont, Brian A.
> >  SENT: Monday, September 28, 2015 12:50 PM
> >  TO: Lamont, Brian A.; Al Lewis (allewi); Russ Combs (rucombs); 
> > Michael Steele
> >  CC: snort-users at lists.sourceforge.net
> >  SUBJECT: RE: [Snort-users] 32bit snort rpm
> > 
> > Got it to go with -enable-dbus=no.
> > 
> > FROM: Lamont, Brian A. [mailto:Brian.Lamont at ...17273...]
> >  SENT: Monday, September 28, 2015 12:39 PM
> >  TO: Al Lewis (allewi); Russ Combs (rucombs); Michael Steele
> >  CC: snort-users at lists.sourceforge.net
> >  SUBJECT: Re: [Snort-users] 32bit snort rpm
> > 
> > I uninstalled libpcap 1.0.0 using make uninstall. Please let me know 
> > if this is complete clean removal. But during make install of version
> > 1.7 it errored below. Anyone seen this before?
> > 
> > ./pcap-dbus.c: In function 'dbus_write':
> > 
> > ./pcap-dbus.c:111: error: 'DBUS_ERROR_INIT' undeclared (first use in 
> > this function)
> > 
> > ./pcap-dbus.c:111: error: (Each undeclared identifier is reported only 
> > once
> > 
> > ./pcap-dbus.c:111: error: for each function it appears in.)
> > 
> > ./pcap-dbus.c: In function 'dbus_activate':
> > 
> > ./pcap-dbus.c:165: error: 'DBUS_ERROR_INIT' undeclared (first use in 
> > this function)
> > 
> > make: *** [pcap-dbus.o] Error 1
> > 
> > FROM: Al Lewis (allewi) [mailto:allewi at ...589...]
> >  SENT: Monday, September 28, 2015 9:46 AM
> >  TO: Lamont, Brian A.; Russ Combs (rucombs); Michael Steele
> >  CC: snort-users at lists.sourceforge.net
> >  SUBJECT: RE: [Snort-users] 32bit snort rpm
> > 
> > Try this..
> > 
> > Uninstall libpcap.
> > 
> > Then get it from tcpdump.org
> > 
> > http://www.tcpdump.org/#latest-release [5]
> > 
> > Libpcap version 1.7 is available.
> > 
> > Albert Lewis
> > 
> > QA Software Engineer
> > 
> > SOURCEFIRE, Inc. now part of CISCO
> > 
> > 9780 Patuxent Woods Drive
> >  Columbia, MD 21046
> > 
> > Phone: (office) 443.430.7112
> > 
> > Email: allewi at ...589...
> > 
> > FROM: Lamont, Brian A. [mailto:Brian.Lamont at ...17273...]
> >  SENT: Monday, September 28, 2015 12:21 PM
> >  TO: Al Lewis (allewi); Russ Combs (rucombs); Michael Steele
> >  CC: snort-users at lists.sourceforge.net
> >  SUBJECT: RE: [Snort-users] 32bit snort rpm
> > 
> > Tried that. And Redhat apparently does not have the 1.0.0 available, 
> > which is odd given the "…years ago…" reference below. It may be part 
> > of another channel we are not subscribed to so I will open a case with 
> > them for that.
> > 
> > This system is receiving updates from RHN Classic or RHN Satellite.
> > 
> > Setting up Install Process
> > 
> > Package 14:libpcap-devel-0.9.4-15.el5.i386 already installed and 
> > latest version
> > 
> > Nothing to do
> > 
> > FROM: Al Lewis (allewi) [mailto:allewi at ...589...]
> >  SENT: Monday, September 28, 2015 9:17 AM
> >  TO: Lamont, Brian A.; Russ Combs (rucombs); Michael Steele
> >  CC: snort-users at lists.sourceforge.net
> >  SUBJECT: RE: [Snort-users] 32bit snort rpm
> > 
> > For redhat libpcap devel is:
> > 
> > "yum install libpcap-devel"
> > 
> > FROM: Lamont, Brian A. [mailto:Brian.Lamont at ...17273...]
> >  SENT: Monday, September 28, 2015 12:00 PM
> >  TO: Russ Combs (rucombs); Al Lewis (allewi); Michael Steele; 
> > snort-users at lists.sourceforge.net
> >  SUBJECT: RE: [Snort-users] 32bit snort rpm
> > 
> > Ok I'm back at this again. To recap, I'm trying to build snort 32bit 
> > on rhel 5.11, but running into dependency problems. While starting a 
> > rpmbuild of daq, I started seeing errors. Below is what ldd snort 
> > shows on 64 linux. I found another site that suggested installing 
> > libpcap-devel so that libpcap would build, then install daq, and then 
> > snort. But I have not been able to find libpcap-devel source pkg to 
> > download for Rhel 5 32bit.
> > 
> > Here is how my install of libpcap-1.0.0 finishes and appears
> > 
> > ----------------------------------------------------------
> > 
> >  /usr/bin/install -c -m 644 ./$i \
> > 
> >  /usr/local/share/man/man3/$i; done
> > 
> > ln /usr/local/share/man/man3/pcap_datalink_val_to_name.3pcap \
> > 
> >  /usr/local/share/man/man3/pcap_datalink_val_to_description.3pcap
> > 
> > ln: creating hard link
> > `/usr/local/share/man/man3/pcap_datalink_val_to_description.3pcap' to
> > `/usr/local/share/man/man3/pcap_datalink_val_to_name.3pcap': File 
> > exists
> > 
> > make: *** [install] Error 1
> > 
> > But my daq install errors unable to find libpcap
> > 
> > ---------------------------------------------------------
> > 
> > checking for libpcap version >= "1.0.0"... no
> > 
> >  ERROR! Libpcap library version >= 1.0.0 not found.
> > 
> >  Get it from http://www.tcpdump.org [1]
> > 
> > [root at ...17321... ~]# ldd /usr/local/bin/snort
> > 
> >  linux-vdso.so.1 => (0x00007fffb7ffd000)
> > 
> >  libdnet.1 => /usr/lib64/libdnet.1 (0x00002ba25825d000)
> > 
> >  libpcre.so.0 => /lib64/libpcre.so.0 (0x00002ba25846d000)
> > 
> >  libnsl.so.1 => /lib64/libnsl.so.1 (0x00002ba25868c000)
> > 
> >  libuuid.so.1 => /lib64/libuuid.so.1 (0x00002ba2588a5000)
> > 
> >  libm.so.6 => /lib64/libm.so.6 (0x00002ba258aa9000)
> > 
> >  libcrypto.so.6 => /lib64/libcrypto.so.6 (0x00002ba258d2c000)
> > 
> >  libdl.so.2 => /lib64/libdl.so.2 (0x00002ba25907f000)
> > 
> >  libsfbpf.so.0 => /usr/local/lib/libsfbpf.so.0 (0x00002ba259283000)
> > 
> >  libpcap.so.1 => /usr/local/lib/libpcap.so.1 (0x00002ba2594a6000)
> > 
> >  libz.so.1 => /lib64/libz.so.1 (0x00002ba2596e1000)
> > 
> >  libpthread.so.0 => /lib64/libpthread.so.0 (0x00002ba2598f5000)
> > 
> >  libc.so.6 => /lib64/libc.so.6 (0x00002ba259b11000)
> > 
> >  /lib64/ld-linux-x86-64.so.2 (0x00002ba25803f000)
> > 
> > [root at ...17321... ~]# snort -V
> > 
> >  ,,_ -*> Snort! <*-
> > 
> >  o" )~ Version 2.9.7.0 GRE (Build 149)
> > 
> >  '''' By Martin Roesch & The Snort Team:
> > http://www.snort.org/contact#team [6]
> > 
> >  Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
> > 
> >  Copyright (C) 1998-2013 Sourcefire, Inc., et al.
> > 
> >  USING LIBPCAP VERSION 1.6.2
> > 
> >  Using PCRE version: 6.6 06-Feb-2006
> > 
> >  Using ZLIB version: 1.2.3
> > 
> > FROM: Russ [mailto:rucombs at ...589...]
> >  SENT: Tuesday, September 15, 2015 3:18 PM
> >  TO: Lamont, Brian A.; Al Lewis (allewi); Michael Steele; 
> > snort-users at lists.sourceforge.net
> >  SUBJECT: Re: [Snort-users] 32bit snort rpm
> > 
> > On 9/15/15 5:43 PM, Lamont, Brian A. wrote:
> > 
> >> So I'm a failure at building from the source rpm of daq, and pretty 
> >> darn new to building rpms, so my next attempt below is to build from 
> >> source, and that didn't go well.
> >> 
> >> [root at ...17307... snort]# rpmbuild --rebuild daq-2.0.6-1.src.rpm
> >> 
> >> Installing daq-2.0.6-1.src.rpm
> >> 
> >> error: unpacking of archive failed on file
> >> /usr/src/redhat/SOURCES/daq-2.0.6.tar.gz;55f88cd3: cpio: MD5 sum 
> >> mismatch
> >> 
> >> error: daq-2.0.6-1.src.rpm cannot be installed
> >> 
> >> From source:
> >> 
> >> ----------------
> >> 
> >> [root at ...17307... snort]# cd daq-2.0.6
> >> 
> >> [root at ...17307... daq-2.0.6]# vi README
> >> 
> >> [root at ...17307... daq-2.0.6]# ./configure
> >> 
> >> checking for a BSD-compatible install... /usr/bin/install -c
> >> 
> >> checking whether build environment is sane... yes
> >> 
> >> checking for a thread-safe mkdir -p... /bin/mkdir -p
> >> 
> >> checking for gawk... gawk
> >> 
> >> .
> >> 
> >> . …omitted..
> >> 
> >> ..
> >> 
> >> checking libnetfilter_queue/libnetfilter_queue.h presence... no
> >> 
> >> checking for libnetfilter_queue/libnetfilter_queue.h... no
> >> 
> >> checking for linux/netfilter.h... (cached) yes
> >> 
> >> checking for pcap.h... (cached) yes
> >> 
> >> checking for pcap_lib_version... checking for pcap_lib_version in 
> >> -lpcap... (cached) yes
> >> 
> >> checking for libpcap version >= "1.0.0"... no
> >> 
> >> ERROR! Libpcap library version >= 1.0.0 not found.
> >> 
> >> Get it from http://www.tcpdump.org [1]
> >> 
> >> Current version of libpcap - same version on 64bit hosts and they 
> >> work fine.
> >> 
> >> ---------------------------------
> >> 
> >> [root at ...17307... daq-2.0.6]# rpm -qa |grep libpcap
> >> 
> >> libpcap-devel-0.9.4-15.el5
> >> 
> >> libpcap-0.9.4-15.el5
> > 
> > We started requiring 1.0.0+ years ago. On those 64-bit hosts, what 
> > does ldd snort show? Is that where rpm installed those? You can also 
> > check snort -V to see the version.
> > 
> > FROM: Al Lewis (allewi) [mailto:allewi at ...589...]
> >  SENT: Tuesday, September 15, 2015 12:05 PM
> >  TO: Lamont, Brian A.; Michael Steele; 
> > snort-users at lists.sourceforge.net
> >  SUBJECT: RE: [Snort-users] 32bit snort rpm
> > 
> > You should be able to build from source but you need the daq installed 
> > first.
> > 
> > FROM: Lamont, Brian A. [mailto:Brian.Lamont at ...17273...]
> >  SENT: Tuesday, September 15, 2015 10:39 AM
> >  TO: Al Lewis (allewi); Michael Steele; 
> > snort-users at lists.sourceforge.net
> >  SUBJECT: RE: [Snort-users] 32bit snort rpm
> > 
> > I am needing to install snort on approx. 25 32bit RHEL (REDHAT LINUX)
> > 5 servers
> > 
> > FROM: Al Lewis (allewi) [mailto:allewi at ...589...]
> >  SENT: Monday, September 14, 2015 7:10 PM
> >  TO: Lamont, Brian A.; Michael Steele; 
> > snort-users at lists.sourceforge.net
> >  SUBJECT: RE: [Snort-users] 32bit snort rpm
> > 
> > Are you trying to install on windows or *nix?
> > 
> > FROM: Lamont, Brian A. [mailto:Brian.Lamont at ...17273...]
> >  SENT: Monday, September 14, 2015 7:00 PM
> >  TO: Michael Steele; snort-users at lists.sourceforge.net
> >  SUBJECT: Re: [Snort-users] 32bit snort rpm
> > 
> > But I should be able to build from source, at least according to one 
> > of the README files, correct? I have started one build after 
> > installing the libpcap and other prereqs, and it started to take off 
> > and look like a build, then failed for the error below. Where can I 
> > find the sfbpf library?
> > 
> > [root at ...17307... snort]# rpmbuild -ta snort-2.9.7.5.tar.gz
> > 
> > Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.9801
> > 
> > + umask 022
> > 
> > + cd /usr/src/redhat/BUILD
> > 
> > + LANG=C
> > 
> > + export LANG
> > 
> > + unset DISPLAY
> > 
> > + cd /usr/src/redhat/BUILD
> > 
> > + rm -rf snort-2.9.7.5
> > 
> > + /usr/bin/gzip -dc /var/tmp/snort/snort-2.9.7.5.tar.gz
> > 
> > .
> > 
> > ..
> > 
> > checking for INADDR_NONE... yes
> > 
> > checking for __FUNCTION__... yes
> > 
> > checking for sfbpf_compile in -lsfbpf... no
> > 
> >  ERROR! sfbpf library not found, go get it from
> > 
> >  http://www.snort.org/ [7].
> > 
> > error: Bad exit status from /var/tmp/rpm-tmp.9801 (%build)
> > 
> > RPM build errors:
> > 
> >  Bad exit status from /var/tmp/rpm-tmp.9801 (%build)
> > 
> > FROM: Michael Steele [mailto:michaels at ...9077...]
> >  SENT: Monday, September 14, 2015 3:37 PM
> >  TO: Lamont, Brian A.
> >  SUBJECT: RE: [Snort-users] 32bit snort rpm
> > 
> > Snort is 32bit for Windows, but the remainder of the support programs 
> > are 64bit. There are 32bit and 64bit installation tutorials for 
> > Windows.
> > 
> > Kindest regards,
> > 
> > Michael...
> > 
> > WINSNORT.com Management Team Member
> > 
> > --
> > 
> > ****************** Established ~ 2001 *******************
> > 
> > * Visit Us @ http://www.winsnort.com [8] *
> > 
> > * ~~ FREE WinIDS Snort installation guides ~~ *
> > 
> > * ~~ FREE support forums ~~ *
> > 
> > * Snort: Open Source Network IDS - http://www.snort.org [9] *
> > 
> > *********************************************************
> > 
> > FROM: Lamont, Brian A. [mailto:Brian.Lamont at ...17273...]
> >  SENT: Monday, September 14, 2015 6:22 PM
> >  TO: snort-users at lists.sourceforge.net
> >  SUBJECT: [Snort-users] 32bit snort rpm
> > 
> > I am needing to install snort on approx. 25 32bit Rhel 5 servers. I 
> > see there is a 64bit rpm on the website. Is there a 32bit package 
> > available?
> > 
> > _BRIAN LAMONT_
> > 
> > UNIX SYSTEMS ADMIN
> > 
> > DESK:  480 586-9986
> > 
> > CELL:     480 209-8751
> > 
> > brian.lamont at ...17273...
> 
> If this was me, at this point, I would just create snort and its dependencies in their own environment (with a little fudging) like so:
> 
> libpcap:
> snag latest at http://www.tcpdump.org/release/libpcap-1.7.4.tar.gz
> ./configure --prefix=/opt/snortbuild
> 
> sudo ln -s /opt/snortbuild/bin/pcap-config /usr/sbin/
> 
> 
> For some reason daq has issues with finding libpcap.so.1 so:
> (as root) echo "/opt/snortbuild/lib" > /etc/ld.so.conf.d/snort.conf (or symlink it to your lib path)
> 
> libdnet:
> snag latest at
> http://pkgs.fedoraproject.org/repo/pkgs/libdnet/libdnet-1.12.tgz/9253ef6de1b5e28e9c9a62b882e44cc9/libdnet-1.12.tgz
> and ./configure --prefix=/opt/snortbuild
> 
> sudo ln -s /opt/snortbuild/bin/dnet-config /usr/bin/
> 
> 
> daq:
> snag latest at https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
> ./configure --prefix=/opt/snort
> --with-libpcap-includes=/opt/snortbuild/include
> --with-libpcap-libraries=/opt/snortbuild/lib
> --with-dnet-includes=/opt/snortbuild/include
> --with-dnet-libraries=/opt/snortbuild/lib
> 
> sudo ln -s /opt/snortbuild/bin/daq-modules-config /usr/bin/
> 
> 
> snort:
> snag at https://www.snort.org/downloads/snort/snort-2.9.7.5.tar.gz and configure with ./configure --prefix=/opt/snort --enable-sourcefire --with-daq-includes=/opt/snortbuild/include
> --with-daq-libraries=/opt/snortbuild/lib
> --with-dnet-includes=/opt/snortbuild/include
> --with-dnet-libraries=/opt/snortbuild/lib
> --with-libpcap-includes=/opt/snortbuild/include
> --with-libpcap-libraries=/opt/snortbuild/lib
> 
> snort refuses to find libdnet.1 so you'll need to make a symlink to your lib path such as: sudo ln -s /opt/snortbuild/lib/libdnet.1.0.1
> /lib/i386-linux-gnu/libdnet.1
> 
> vbox:/opt/snort/bin$ ldd snort
> 	linux-gate.so.1 =>  (0xb7759000)
> 	libdnet.1 => /lib/i386-linux-gnu/libdnet.1 (0xb772c000)
> 	libpcre.so.3 => /lib/i386-linux-gnu/libpcre.so.3 (0xb76ba000)
> 	libm.so.6 => /lib/i386-linux-gnu/libm.so.6 (0xb766c000)
> 	libcrypto.so.1.0.0 => /lib/i386-linux-gnu/libcrypto.so.1.0.0
> (0xb7498000)
> 	libdl.so.2 => /lib/i386-linux-gnu/libdl.so.2 (0xb7493000)
> 	libsfbpf.so.0 => /opt/snortbuild/lib/libsfbpf.so.0 (0xb746b000)
> 	libpcap.so.1 => /opt/snortbuild/lib/libpcap.so.1 (0xb7425000)
> 	libz.so.1 => /lib/i386-linux-gnu/libz.so.1 (0xb7409000)
> 	libpthread.so.0 => /lib/i386-linux-gnu/libpthread.so.0 (0xb73ec000)
> 	libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7231000)
> 	/lib/ld-linux.so.2 (0xb775a000)
> 
> vbox:/opt/snort/bin$ ./snort --version
> 
>     ,,_     -*> Snort! <*-
>    o"  )~   Version 2.9.7.5 GRE (Build 262)
>     ''''    By Martin Roesch & The Snort Team: 
> http://www.snort.org/contact#team
>             Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
>             Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>             Using libpcap version 1.7.4
>             Using PCRE version: 8.35 2014-04-04
>             Using ZLIB version: 1.2.8
> 
> At this point if you want to push this out as a package you can tar.bz2 /opt/snortbuild and /opt/snort as well as the lib symlinks and away you go.  Hope that helps.
> 
> James
> 

Ya nuke the dbus...it's only there if you're planning on capturing dbus
traffic.

James
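
The quoted procedure ends by reading `ldd snort` to see where libpcap, libdnet and libsfbpf resolve from. As an added example that is not part of the original message, this shell function parses `ldd` output and flags any of those three that resolve outside the intended directories, are not found, or are absent. The function names, the sample listing and the directory arguments are constructed for illustration.

```shell
# Added example (not from the thread): audit `ldd` output for a locally built snort.
# stdin: ldd output. Arguments: directories that libpcap, libdnet and libsfbpf
# are allowed to resolve from. ldd prints the path the loader used, so a
# symlinked library shows up under the symlink's directory.
audit_ldd() {
    bad=0
    seen=""
    while IFS= read -r line; do
        case "$line" in
            *"=>"*) ;;                 # only "name => path (addr)" lines matter
            *) continue ;;
        esac
        name=$(printf '%s\n' "$line" | awk '{print $1}')
        target=$(printf '%s\n' "$line" | awk '{print $3}')
        case "$name" in
            libpcap.*|libdnet.*|libsfbpf.*) ;;
            *) continue ;;             # system libraries are not audited here
        esac
        seen="$seen ${name%%.*}"
        if [ "$target" = "not" ]; then # "name => not found"
            echo "MISSING $name"; bad=1; continue
        fi
        verdict=OUTSIDE
        for prefix in "$@"; do
            case "$target" in
                "${prefix%/}"/*) verdict=OK ;;
            esac
        done
        [ "$verdict" = OK ] || bad=1
        echo "$verdict $name $target"
    done
    # A watched library that never appears was not linked in at all.
    for want in libpcap libdnet libsfbpf; do
        case " $seen " in
            *" $want "*) ;;
            *) echo "ABSENT $want"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Constructed sample: libpcap resolves from an older /usr/local/lib install.
sample_ldd() {
    cat <<'EOF'
    linux-gate.so.1 =>  (0xb7759000)
    libdnet.1 => /lib/i386-linux-gnu/libdnet.1 (0xb772c000)
    libsfbpf.so.0 => /opt/snortbuild/lib/libsfbpf.so.0 (0xb746b000)
    libpcap.so.1 => /usr/local/lib/libpcap.so.1 (0xb7425000)
    libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7231000)
EOF
}

sample_ldd | audit_ldd /opt/snortbuild/lib /lib/i386-linux-gnu || echo "audit failed"
```

On a real host the input would be `ldd /opt/snort/bin/snort | audit_ldd /opt/snortbuild/lib <symlink dir>`.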
