[Snort-users] 32bit snort rpm

Al Lewis (allewi) allewi at ...589...
Mon Sep 28 19:34:12 EDT 2015


Add "inlcude /usr/local/lib" to /etc/ld.so.conf.


[root at ...274... alewis]# ls -al /usr/local/lib/libpcap.so.1
lrwxrwxrwx 1 root root 16 Sep 28 18:49 /usr/local/lib/libpcap.so.1 -> libpcap.so.1.7.4


[root at ...274... alewis]# ldconfig -v /usr/local/lib | grep pcap
ldconfig: Can't stat inlcude /usr/local/lib: No such file or directory
        libpcap.so.1 -> libpcap.so.1.7.4
        libpcap.so.0.9.4 -> libpcap.so.0.9.4
[root at ...274... alewis]#


You should be able to continue after that.

I just did it with daq-2.0.5



Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046 
Phone: (office) 443.430.7112
Email: allewi at ...589... 

-----Original Message-----
From: Lamont, Brian A. [mailto:Brian.Lamont at ...17273...] 
Sent: Monday, September 28, 2015 6:57 PM
To: jlay at ...13475...; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] 32bit snort rpm

Building in its own area sounds great, but I'm still not getting past the make.
.
.
config.status: creating pcap_set_tstamp_precision.3pcap
config.status: creating pcap_set_tstamp_type.3pcap
config.status: creating config.h
config.status: config.h is unchanged
config.status: executing default-1 commands

[root at ...17307... libpcap-1.7.4]# make
gcc -fpic -I.  -I/usr/include/dbus-1.0 -I/usr/lib/dbus-1.0/include   -DHAVE_CONFIG_H  -D_U_="__attribute__((unused))" -g -O2    -c ./pcap-dbus.c
./pcap-dbus.c: In function ‘dbus_write’:
./pcap-dbus.c:111: error: ‘DBUS_ERROR_INIT’ undeclared (first use in this function)
./pcap-dbus.c:111: error: (Each undeclared identifier is reported only once
./pcap-dbus.c:111: error: for each function it appears in.)
./pcap-dbus.c: In function ‘dbus_activate’:
./pcap-dbus.c:165: error: ‘DBUS_ERROR_INIT’ undeclared (first use in this function)
make: *** [pcap-dbus.o] Error 1




-----Original Message-----
From: James Lay [mailto:jlay at ...13475...]
Sent: Monday, September 28, 2015 2:24 PM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] 32bit snort rpm

On 2015-09-28 02:12 PM, Lamont, Brian A. wrote:
> daq is still needing 1.0.0 back to the beginning it looks like.
> 
> ------
> 
> checking for libpcap version >= "1.0.0"... no
> 
>  ERROR! Libpcap library version >= 1.0.0 not found.
> 
>  Get it from http://www.tcpdump.org [1]
> 
> -----------
> 
> So I found these options and ran it. But I'm not sure if daq built 
> "without" libpcap-1.0.0, and instead, or WITH the 1.7.4 library in 
> /usr/local/lib, which seemed like a default but specified it anyway.
> Libpcap install config.log completed without errors. Do any of you see 
> an issue with the way this built?
> 
> ./configure --disable-pcap-module --with-libpcap-libraries=/usr/local/lib
> 
> FROM: Lamont, Brian A.
>  SENT: Monday, September 28, 2015 12:50 PM
>  TO: Lamont, Brian A.; Al Lewis (allewi); Russ Combs (rucombs); 
> Michael Steele
>  CC: snort-users at lists.sourceforge.net
>  SUBJECT: RE: [Snort-users] 32bit snort rpm
> 
> Got it to go with -enable-dbus=no.
> 
> FROM: Lamont, Brian A. [mailto:Brian.Lamont at ...17273...]
>  SENT: Monday, September 28, 2015 12:39 PM
>  TO: Al Lewis (allewi); Russ Combs (rucombs); Michael Steele
>  CC: snort-users at lists.sourceforge.net
>  SUBJECT: Re: [Snort-users] 32bit snort rpm
> 
> I uninstalled libpcap 1.0.0 using make uninstall. Please let me know 
> if this is complete clean removal. But during make install of version
> 1.7 it errored below. Anyone seen this before?
> 
> ./pcap-dbus.c: In function 'dbus_write':
> ./pcap-dbus.c:111: error: 'DBUS_ERROR_INIT' undeclared (first use in this function)
> ./pcap-dbus.c:111: error: (Each undeclared identifier is reported only once
> ./pcap-dbus.c:111: error: for each function it appears in.)
> ./pcap-dbus.c: In function 'dbus_activate':
> ./pcap-dbus.c:165: error: 'DBUS_ERROR_INIT' undeclared (first use in this function)
> make: *** [pcap-dbus.o] Error 1
> 
> FROM: Al Lewis (allewi) [mailto:allewi at ...589...]
>  SENT: Monday, September 28, 2015 9:46 AM
>  TO: Lamont, Brian A.; Russ Combs (rucombs); Michael Steele
>  CC: snort-users at lists.sourceforge.net
>  SUBJECT: RE: [Snort-users] 32bit snort rpm
> 
> Try this..
> 
> Uninstall libpcap.
> 
> Then get it from tcpdump.org
> 
> http://www.tcpdump.org/#latest-release [5]
> 
> Libpcap version 1.7 is available.
> 
> FROM: Lamont, Brian A. [mailto:Brian.Lamont at ...17273...]
>  SENT: Monday, September 28, 2015 12:21 PM
>  TO: Al Lewis (allewi); Russ Combs (rucombs); Michael Steele
>  CC: snort-users at lists.sourceforge.net
>  SUBJECT: RE: [Snort-users] 32bit snort rpm
> 
> Tried that. And Redhat apparently does not have the 1.0.0 available, 
> which is odd given the "…years ago…" reference below. It may be part 
> of another channel we are not subscribed to so I will open a case with 
> them for that.
> 
> This system is receiving updates from RHN Classic or RHN Satellite.
> 
> Setting up Install Process
> 
> Package 14:libpcap-devel-0.9.4-15.el5.i386 already installed and 
> latest version
> 
> Nothing to do
> 
> FROM: Al Lewis (allewi) [mailto:allewi at ...589...]
>  SENT: Monday, September 28, 2015 9:17 AM
>  TO: Lamont, Brian A.; Russ Combs (rucombs); Michael Steele
>  CC: snort-users at lists.sourceforge.net
>  SUBJECT: RE: [Snort-users] 32bit snort rpm
> 
> For redhat libpcap devel is:
> 
> "yum install libpcap-devel"
> 
> FROM: Lamont, Brian A. [mailto:Brian.Lamont at ...17273...]
>  SENT: Monday, September 28, 2015 12:00 PM
>  TO: Russ Combs (rucombs); Al Lewis (allewi); Michael Steele; 
> snort-users at lists.sourceforge.net
>  SUBJECT: RE: [Snort-users] 32bit snort rpm
> 
> Ok I'm back at this again. To recap, I'm trying to build snort 32bit 
> on rhel 5.11, but running into dependency problems. While starting a 
> rpmbuild of daq, I started seeing errors. Below is what ldd snort 
> shows on 64 linux. I found another site that suggested installing 
> libpcap-devel so that libpcap would build, then install daq, and then 
> snort. But I have not been able to find libpcap-devel source pkg to 
> download for Rhel 5 32bit.
> 
> Here is how my install of libpcap-1.0.0 finishes and appears
> 
> ----------------------------------------------------------
> 
>  /usr/bin/install -c -m 644 ./$i \
>  /usr/local/share/man/man3/$i; done
> ln /usr/local/share/man/man3/pcap_datalink_val_to_name.3pcap \
>  /usr/local/share/man/man3/pcap_datalink_val_to_description.3pcap
> ln: creating hard link `/usr/local/share/man/man3/pcap_datalink_val_to_description.3pcap' to `/usr/local/share/man/man3/pcap_datalink_val_to_name.3pcap': File exists
> make: *** [install] Error 1
> 
> But my daq install errors unable to find libpcap
> 
> ---------------------------------------------------------
> 
> checking for libpcap version >= "1.0.0"... no
> 
>  ERROR! Libpcap library version >= 1.0.0 not found.
> 
>  Get it from http://www.tcpdump.org [1]
> 
> [root at ...17321... ~]# ldd /usr/local/bin/snort
>  linux-vdso.so.1 => (0x00007fffb7ffd000)
>  libdnet.1 => /usr/lib64/libdnet.1 (0x00002ba25825d000)
>  libpcre.so.0 => /lib64/libpcre.so.0 (0x00002ba25846d000)
>  libnsl.so.1 => /lib64/libnsl.so.1 (0x00002ba25868c000)
>  libuuid.so.1 => /lib64/libuuid.so.1 (0x00002ba2588a5000)
>  libm.so.6 => /lib64/libm.so.6 (0x00002ba258aa9000)
>  libcrypto.so.6 => /lib64/libcrypto.so.6 (0x00002ba258d2c000)
>  libdl.so.2 => /lib64/libdl.so.2 (0x00002ba25907f000)
>  libsfbpf.so.0 => /usr/local/lib/libsfbpf.so.0 (0x00002ba259283000)
>  libpcap.so.1 => /usr/local/lib/libpcap.so.1 (0x00002ba2594a6000)
>  libz.so.1 => /lib64/libz.so.1 (0x00002ba2596e1000)
>  libpthread.so.0 => /lib64/libpthread.so.0 (0x00002ba2598f5000)
>  libc.so.6 => /lib64/libc.so.6 (0x00002ba259b11000)
>  /lib64/ld-linux-x86-64.so.2 (0x00002ba25803f000)
> 
> [root at ...17321... ~]# snort -V
> 
>  ,,_ -*> Snort! <*-
>  o" )~ Version 2.9.7.0 GRE (Build 149)
>  '''' By Martin Roesch & The Snort Team: http://www.snort.org/contact#team [6]
>  Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
>  Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>  USING LIBPCAP VERSION 1.6.2
>  Using PCRE version: 6.6 06-Feb-2006
>  Using ZLIB version: 1.2.3
> 
> FROM: Russ [mailto:rucombs at ...589...]
>  SENT: Tuesday, September 15, 2015 3:18 PM
>  TO: Lamont, Brian A.; Al Lewis (allewi); Michael Steele; 
> snort-users at lists.sourceforge.net
>  SUBJECT: Re: [Snort-users] 32bit snort rpm
> 
> On 9/15/15 5:43 PM, Lamont, Brian A. wrote:
> 
>> So I'm a failure at building from the source rpm of daq, and pretty 
>> darn new to building rpms, so my next attempt below is to build from 
>> source, and that didn't go well.
>> 
>> [root at ...17307... snort]# rpmbuild --rebuild daq-2.0.6-1.src.rpm
>> 
>> Installing daq-2.0.6-1.src.rpm
>> 
>> error: unpacking of archive failed on file
>> /usr/src/redhat/SOURCES/daq-2.0.6.tar.gz;55f88cd3: cpio: MD5 sum 
>> mismatch
>> 
>> error: daq-2.0.6-1.src.rpm cannot be installed
>> 
>> From source:
>> 
>> ----------------
>> 
>> [root at ...17307... snort]# cd daq-2.0.6
>> 
>> [root at ...17307... daq-2.0.6]# vi README
>> 
>> [root at ...17307... daq-2.0.6]# ./configure
>> 
>> checking for a BSD-compatible install... /usr/bin/install -c
>> 
>> checking whether build environment is sane... yes
>> 
>> checking for a thread-safe mkdir -p... /bin/mkdir -p
>> 
>> checking for gawk... gawk
>> 
>> .
>> 
>> . …omitted..
>> 
>> ..
>> 
>> checking libnetfilter_queue/libnetfilter_queue.h presence... no
>> 
>> checking for libnetfilter_queue/libnetfilter_queue.h... no
>> 
>> checking for linux/netfilter.h... (cached) yes
>> 
>> checking for pcap.h... (cached) yes
>> 
>> checking for pcap_lib_version... checking for pcap_lib_version in 
>> -lpcap... (cached) yes
>> 
>> checking for libpcap version >= "1.0.0"... no
>> 
>> ERROR! Libpcap library version >= 1.0.0 not found.
>> 
>> Get it from http://www.tcpdump.org [1]
>> 
>> Current version of libpcap - same version on 64bit hosts and they 
>> work fine.
>> 
>> ---------------------------------
>> 
>> [root at ...17307... daq-2.0.6]# rpm -qa |grep libpcap
>> 
>> libpcap-devel-0.9.4-15.el5
>> 
>> libpcap-0.9.4-15.el5
> 
> We started requiring 1.0.0+ years ago. On those 64-bit hosts, what 
> does ldd snort show? Is that where rpm installed those? You can also 
> check snort -V to see the version.
> 
> FROM: Al Lewis (allewi) [mailto:allewi at ...589...]
>  SENT: Tuesday, September 15, 2015 12:05 PM
>  TO: Lamont, Brian A.; Michael Steele; 
> snort-users at lists.sourceforge.net
>  SUBJECT: RE: [Snort-users] 32bit snort rpm
> 
> You should be able to build from source but you need the daq installed 
> first.
> 
> FROM: Lamont, Brian A. [mailto:Brian.Lamont at ...17273...]
>  SENT: Tuesday, September 15, 2015 10:39 AM
>  TO: Al Lewis (allewi); Michael Steele; 
> snort-users at lists.sourceforge.net
>  SUBJECT: RE: [Snort-users] 32bit snort rpm
> 
> I am needing to install snort on approx. 25 32bit RHEL (REDHAT LINUX)
> 5 servers
> 
> FROM: Al Lewis (allewi) [mailto:allewi at ...589...]
>  SENT: Monday, September 14, 2015 7:10 PM
>  TO: Lamont, Brian A.; Michael Steele; 
> snort-users at lists.sourceforge.net
>  SUBJECT: RE: [Snort-users] 32bit snort rpm
> 
> Are you trying to install on windows or *nix?
> 
> FROM: Lamont, Brian A. [mailto:Brian.Lamont at ...17273...]
>  SENT: Monday, September 14, 2015 7:00 PM
>  TO: Michael Steele; snort-users at lists.sourceforge.net
>  SUBJECT: Re: [Snort-users] 32bit snort rpm
> 
> But I should be able to build from source, at least according to one 
> of the README files, correct? I have started one build after 
> installing the libpcap and other prereqs, and it started to take off 
> and look like a build, then failed for the error below. Where can I 
> find the sfbpf library?
> 
> [root at ...17307... snort]# rpmbuild -ta snort-2.9.7.5.tar.gz
> 
> Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.9801
> 
> + umask 022
> 
> + cd /usr/src/redhat/BUILD
> 
> + LANG=C
> 
> + export LANG
> 
> + unset DISPLAY
> 
> + cd /usr/src/redhat/BUILD
> 
> + rm -rf snort-2.9.7.5
> 
> + /usr/bin/gzip -dc /var/tmp/snort/snort-2.9.7.5.tar.gz
> 
> .
> 
> ..
> 
> checking for INADDR_NONE... yes
> 
> checking for __FUNCTION__... yes
> 
> checking for sfbpf_compile in -lsfbpf... no
> 
>  ERROR! sfbpf library not found, go get it from
> 
>  http://www.snort.org/ [7].
> 
> error: Bad exit status from /var/tmp/rpm-tmp.9801 (%build)
> 
> RPM build errors:
> 
>  Bad exit status from /var/tmp/rpm-tmp.9801 (%build)
> 
> FROM: Michael Steele [mailto:michaels at ...9077...]
>  SENT: Monday, September 14, 2015 3:37 PM
>  TO: Lamont, Brian A.
>  SUBJECT: RE: [Snort-users] 32bit snort rpm
> 
> Snort is 32bit for Windows, but the remainder of the support programs 
> are 64bit. There are 32bit and 64bit installation tutorials for 
> Windows.
> 
> Kindest regards,
> 
> Michael...
> 
> WINSNORT.com Management Team Member
> 
> --
> 
> ****************** Established ~ 2001 *******************
> 
> * Visit Us @ http://www.winsnort.com [8] *
> 
> * ~~ FREE WinIDS Snort installation guides ~~ *
> 
> * ~~ FREE support forums ~~ *
> 
> * Snort: Open Source Network IDS - http://www.snort.org [9] *
> 
> *********************************************************
> 
> FROM: Lamont, Brian A. [mailto:Brian.Lamont at ...17273...]
>  SENT: Monday, September 14, 2015 6:22 PM
>  TO: snort-users at lists.sourceforge.net
>  SUBJECT: [Snort-users] 32bit snort rpm
> 
> I am needing to install snort on approx. 25 32bit Rhel 5 servers. I 
> see there is a 64bit rpm on the website. Is there a 32bit package 
> available?
> 
> _BRIAN LAMONT_
> 
> UNIX SYSTEMS ADMIN
> 
> DESK:  480 586-9986
> 
> CELL:     480 209-8751
> 
> brian.lamont at ...17273...

If this was me, at this point, I would just create snort and its dependencies in their own environment (with a little fudging) like so:

libpcap:
snag latest at http://www.tcpdump.org/release/libpcap-1.7.4.tar.gz
./configure --prefix=/opt/snortbuild

sudo ln -s /opt/snortbuild/bin/pcap-config /usr/sbin/


For some reason daq has issues with finding libpcap.so.1 so:
(as root) echo "/opt/snortbuild/lib" > /etc/ld.so.conf.d/snort.conf (or symlink it to your lib path)

libdnet:
snag latest at
http://pkgs.fedoraproject.org/repo/pkgs/libdnet/libdnet-1.12.tgz/9253ef6de1b5e28e9c9a62b882e44cc9/libdnet-1.12.tgz
and ./configure --prefix=/opt/snortbuild

sudo ln -s /opt/snortbuild/bin/dnet-config /usr/bin/


daq:
snag latest at https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
./configure --prefix=/opt/snortbuild \
  --with-libpcap-includes=/opt/snortbuild/include \
  --with-libpcap-libraries=/opt/snortbuild/lib \
  --with-dnet-includes=/opt/snortbuild/include \
  --with-dnet-libraries=/opt/snortbuild/lib

sudo ln -s /opt/snortbuild/bin/daq-modules-config /usr/bin/


snort:
snag at https://www.snort.org/downloads/snort/snort-2.9.7.5.tar.gz and configure with:
./configure --prefix=/opt/snort --enable-sourcefire \
  --with-daq-includes=/opt/snortbuild/include \
  --with-daq-libraries=/opt/snortbuild/lib \
  --with-dnet-includes=/opt/snortbuild/include \
  --with-dnet-libraries=/opt/snortbuild/lib \
  --with-libpcap-includes=/opt/snortbuild/include \
  --with-libpcap-libraries=/opt/snortbuild/lib

snort refuses to find libdnet.1 so you'll need to make a symlink to your lib path such as:
sudo ln -s /opt/snortbuild/lib/libdnet.1.0.1 /lib/i386-linux-gnu/libdnet.1

vbox:/opt/snort/bin$ ldd snort
	linux-gate.so.1 =>  (0xb7759000)
	libdnet.1 => /lib/i386-linux-gnu/libdnet.1 (0xb772c000)
	libpcre.so.3 => /lib/i386-linux-gnu/libpcre.so.3 (0xb76ba000)
	libm.so.6 => /lib/i386-linux-gnu/libm.so.6 (0xb766c000)
	libcrypto.so.1.0.0 => /lib/i386-linux-gnu/libcrypto.so.1.0.0 (0xb7498000)
	libdl.so.2 => /lib/i386-linux-gnu/libdl.so.2 (0xb7493000)
	libsfbpf.so.0 => /opt/snortbuild/lib/libsfbpf.so.0 (0xb746b000)
	libpcap.so.1 => /opt/snortbuild/lib/libpcap.so.1 (0xb7425000)
	libz.so.1 => /lib/i386-linux-gnu/libz.so.1 (0xb7409000)
	libpthread.so.0 => /lib/i386-linux-gnu/libpthread.so.0 (0xb73ec000)
	libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7231000)
	/lib/ld-linux.so.2 (0xb775a000)

vbox:/opt/snort/bin$ ./snort --version

    ,,_     -*> Snort! <*-
   o"  )~   Version 2.9.7.5 GRE (Build 262)
    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
            Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
            Using libpcap version 1.7.4
            Using PCRE version: 8.35 2014-04-04
            Using ZLIB version: 1.2.8

At this point if you want to push this out as a package you can tar.bz2 /opt/snortbuild and /opt/snort as well as the lib symlinks and away you go.  Hope that helps.

James

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
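
Added example, not part of the thread: a POSIX shell check over `ldd` output, of the kind posted for the snort binary above, that reports dependencies left unresolved or resolved from outside an allowed set of library directories. The function names and the sample `ldd` output are constructed for illustration; the prefixes match the isolated build layout described in the last message.

```shell
#!/bin/sh
# check_ldd PREFIX... : reads `ldd` output on stdin.
# Prints "MISSING <lib>" for libraries the loader could not resolve and
# "OUTSIDE <lib> <path>" for libraries resolved from a directory that is
# not under any allowed PREFIX. Returns 0 when every dependency resolves
# from an allowed prefix, 1 otherwise.
check_ldd() {
    rc=0
    while read -r name arrow path _rest; do
        [ "$arrow" = "=>" ] || continue        # loader line has no "=>"
        case "$path" in
            not) echo "MISSING $name"; rc=1; continue ;;  # "=> not found"
            /*)  ;;                                        # resolved path
            *)   continue ;;                               # vdso: "=> (0x...)"
        esac
        allowed=no
        for prefix in "$@"; do
            case "$path" in "$prefix"/*) allowed=yes; break ;; esac
        done
        if [ "$allowed" = no ]; then
            echo "OUTSIDE $name $path"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample (not taken from a real host): libpcap is unresolved
# and libdnet comes from /usr/local/lib instead of the build prefix.
sample_ldd() {
    cat <<'EOF'
    linux-gate.so.1 =>  (0xb7759000)
    libdnet.1 => /usr/local/lib/libdnet.1 (0xb772c000)
    libsfbpf.so.0 => /opt/snortbuild/lib/libsfbpf.so.0 (0xb746b000)
    libpcap.so.1 => not found
    libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7231000)
    /lib/ld-linux.so.2 (0xb775a000)
EOF
}

# On a real sensor: ldd /opt/snort/bin/snort | check_ldd /lib /opt/snortbuild/lib
sample_ldd | check_ldd /lib /opt/snortbuild/lib || echo "dependency check failed"
```
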