[Snort-users] 32bit snort rpm

Al Lewis (allewi) allewi at ...589...
Wed Sep 30 19:43:23 EDT 2015


Is this a copy paste error?

"/usr/local/lib/libpcap.so.1 -> /opt/snort-build/lib"

If not... I think your link is wrong.

This---> /usr/local/lib/libpcap.so.1

Should link to your libpcap file and not the directory.



Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046 
Phone: (office) 443.430.7112
Email: allewi at ...589... 

-----Original Message-----
From: Lamont, Brian A. [mailto:Brian.Lamont at ...17273...] 
Sent: Wednesday, September 30, 2015 7:29 PM
To: Al Lewis (allewi)
Cc: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] 32bit snort rpm

Appears to be a library linkage that’s not right, and maybe it's obvious but I don't chase these issues much.   So while I continue to look I'll send you what I have.   

Since we installed libpcap.so.1.7.4, I'm guessing we need to make sure libpcap.so.1 can find it.  In the  startup script I have LD_LIBRARY_PATH exported as follows:

LD_LIBRARY_PATH=/opt/snort-build/lib:/usr/local/lib;        export LD_LIBRARY_PATH;


The error
---
[root at ...17307... rc3.d]# ./S99snortd start
/usr/local/bin/snort: error while loading shared libraries: /usr/local/lib/libpcap.so.1: cannot read file data: Error 21


Links to libpcap.so.1
---
[root at ...17307... ~]# ls -al /usr/local/lib/libpcap* lrwxrwxrwx 1 root root 20 Sep 29 14:42 /usr/local/lib/libpcap.so.1 -> /opt/snort-build/lib


/opt/snort-build is where is built snort and all packages.
---
[root at ...17307... ~]# ls -al /opt/snort-build/lib/libpcap*
-rw-r--r-- 1 root root 695832 Sep 29 14:06 /opt/snort-build/lib/libpcap.a
lrwxrwxrwx 1 root root     12 Sep 29 14:06 /opt/snort-build/lib/libpcap.so -> libpcap.so.1
lrwxrwxrwx 1 root root     16 Sep 29 14:06 /opt/snort-build/lib/libpcap.so.1 -> libpcap.so.1.7.4
-rwxr-xr-x 1 root root 520356 Sep 29 14:06 /opt/snort-build/lib/libpcap.so.1.7.4
[root at ...17307... ~]#



-----Original Message-----
From: Al Lewis (allewi) [mailto:allewi at ...589...] 
Sent: Tuesday, September 29, 2015 3:05 PM
To: Lamont, Brian A.
Cc: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] 32bit snort rpm

Try running ldconfig or exporting the library path "export LD_LIBRARY_PATH=/usr/local/lib" before running snort


Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...589... 

-----Original Message-----
From: Lamont, Brian A. [mailto:Brian.Lamont at ...17273...]
Sent: Tuesday, September 29, 2015 6:02 PM
To: Al Lewis (allewi)
Cc: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] 32bit snort rpm

Got libpcap, daq and snort installed.   Will see if it works tomorrow.    I had built a snort  rpm but after successful daq and libpcap install, it complained about unable to find libpcap and one other.

[root at ...17307... i386]# rpm -i snort-2.9.7.5-1.i386.rpm
error: Failed dependencies:
        libpcap.so.1 is needed by snort-2.9.7.5-1.i386
        libsfbpf.so.0 is needed by snort-2.9.7.5-1.i386



-----Original Message-----
From: Al Lewis (allewi) [mailto:allewi at ...589...]
Sent: Monday, September 28, 2015 5:22 PM
To: Lamont, Brian A.
Cc: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] 32bit snort rpm

I have it installed on RHEL 5.11. 

See below:


[root at ...274... snort-2.9.7.6]# /var/tmp/snort-2.9.6/bin/snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.7.6 GRE (Build 285)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.7.4
           Using PCRE version: 8.37 2015-04-28
           Using ZLIB version: 1.2.3

[root at ...274... snort-2.9.7.6]# uname -a Linux localhost.localdomain 2.6.18-398.el5 #1 SMP Tue Aug 12 06:26:57 EDT 2014 i686 i686 i386 GNU/Linux


[root at ...274... snort-2.9.7.6]# cat /etc/redhat-release Red Hat Enterprise Linux Server release 5.11 (Tikanga)


Hope this helps.

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...589... 


-----Original Message-----
From: Al Lewis (allewi)
Sent: Monday, September 28, 2015 7:34 PM
To: Lamont, Brian A.
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] 32bit snort rpm

Add "inlcude /usr/local/lib" to /etc/ld.so.conf.


[root at ...274... alewis]# ls -al /usr/local/lib/libpcap.so.1 lrwxrwxrwx 1 root root 16 Sep 28 18:49 /usr/local/lib/libpcap.so.1 -> libpcap.so.1.7.4


[root at ...274... alewis]# ldconfig -v /usr/local/lib | grep pcap
ldconfig: Can't stat inlcude /usr/local/lib: No such file or directory
        libpcap.so.1 -> libpcap.so.1.7.4
        libpcap.so.0.9.4 -> libpcap.so.0.9.4 [root at ...274... alewis]#


You should be able to continue after that.

I just did it with daq-2.0.5



Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...589... 

-----Original Message-----
From: Lamont, Brian A. [mailto:Brian.Lamont at ...17273...]
Sent: Monday, September 28, 2015 6:57 PM
To: jlay at ...13475...; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] 32bit snort rpm

Building in its own area sounds great, but I'm still not getting passed the make.
.
.
config.status: creating pcap_set_tstamp_precision.3pcap
config.status: creating pcap_set_tstamp_type.3pcap
config.status: creating config.h
config.status: config.h is unchanged
config.status: executing default-1 commands

[root at ...17307... libpcap-1.7.4]# make
gcc -fpic -I.  -I/usr/include/dbus-1.0 -I/usr/lib/dbus-1.0/include   -DHAVE_CONFIG_H  -D_U_="__attribute__((unused))" -g -O2    -c ./pcap-dbus.c
./pcap-dbus.c: In function ‘dbus_write’:
./pcap-dbus.c:111: error: ‘DBUS_ERROR_INIT’ undeclared (first use in this function)
./pcap-dbus.c:111: error: (Each undeclared identifier is reported only once
./pcap-dbus.c:111: error: for each function it appears in.)
./pcap-dbus.c: In function ‘dbus_activate’:
./pcap-dbus.c:165: error: ‘DBUS_ERROR_INIT’ undeclared (first use in this function)
make: *** [pcap-dbus.o] Error 1




-----Original Message-----
From: James Lay [mailto:jlay at ...13475...]
Sent: Monday, September 28, 2015 2:24 PM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] 32bit snort rpm

On 2015-09-28 02:12 PM, Lamont, Brian A. wrote:
> daq is still needing 1.0.0 back to the beginning it looks like.
> 
> ------
> 
> checking for libpcap version >= "1.0.0"... no
> 
>  ERROR! Libpcap library version >= 1.0.0 not found.
> 
>  Get it from http://www.tcpdump.org [1]
> 
> -----------
> 
> So I found these options and ran it. But I'm not sure if it daq built 
> "without" libpcap-1.0.0, and instead, or WITH the 1.7.4 library in 
> /usr/local/lib, which seemed like a default but specified it anyway.
> Libpcap install config.log completed without errors. Do any of you see 
> an issue with the way this built?
> 
> ./configure --disable-pcap-module
> --with-libpcap-libraries=/usr/local/lib
> 
> FROM: Lamont, Brian A.
>  SENT: Monday, September 28, 2015 12:50 PM
>  TO: Lamont, Brian A.; Al Lewis (allewi); Russ Combs (rucombs); 
> Michael Steele
>  CC: snort-users at lists.sourceforge.net
>  SUBJECT: RE: [Snort-users] 32bit snort rpm
> 
> Got it to go with -enable-dbus=no.
> 
> FROM: Lamont, Brian A. [mailto:Brian.Lamont at ...17273...]
>  SENT: Monday, September 28, 2015 12:39 PM
>  TO: Al Lewis (allewi); Russ Combs (rucombs); Michael Steele
>  CC: snort-users at lists.sourceforge.net
>  SUBJECT: Re: [Snort-users] 32bit snort rpm
> 
> I uninstalled libpcap 1.0.0 using make uninstall. Please let me know 
> if this is complete clean removal. But during make install of version
> 1.7 it errored below. Anyone seen this before?
> 
> ./pcap-dbus.c: In function 'dbus_write':
> 
> ./pcap-dbus.c:111: error: 'DBUS_ERROR_INIT' undeclared (first use in 
> this function)
> 
> ./pcap-dbus.c:111: error: (Each undeclared identifier is reported only 
> once
> 
> ./pcap-dbus.c:111: error: for each function it appears in.)
> 
> ./pcap-dbus.c: In function 'dbus_activate':
> 
> ./pcap-dbus.c:165: error: 'DBUS_ERROR_INIT' undeclared (first use in 
> this function)
> 
> make: *** [pcap-dbus.o] Error 1
> 
> FROM: Al Lewis (allewi) [mailto:allewi at ...589...]
>  SENT: Monday, September 28, 2015 9:46 AM
>  TO: Lamont, Brian A.; Russ Combs (rucombs); Michael Steele
>  CC: snort-users at lists.sourceforge.net
>  SUBJECT: RE: [Snort-users] 32bit snort rpm
> 
> Try this..
> 
> Unistall libpcap.
> 
> Then get it from tcpdump.org
> 
> http://www.tcpdump.org/#latest-release [5]
> 
> Libpcap version 1.7 is available.
> 
> Albert Lewis
> 
> QA Software Engineer
> 
> SOURCEFIRE, Inc. now part of CISCO
> 
> 9780 Patuxent Woods Drive
>  Columbia, MD 21046
> 
> Phone: (office) 443.430.7112
> 
> Email: allewi at ...589...
> 
> FROM: Lamont, Brian A. [mailto:Brian.Lamont at ...17273...]
>  SENT: Monday, September 28, 2015 12:21 PM
>  TO: Al Lewis (allewi); Russ Combs (rucombs); Michael Steele
>  CC: snort-users at lists.sourceforge.net
>  SUBJECT: RE: [Snort-users] 32bit snort rpm
> 
> Tried that. And Redhat apparently does not have the 1.0.0 available, 
> which is odd given the "…years ago…" reference below. It may be part 
> of another channel we are not subscribed to so I will open a case with 
> them for that.
> 
> This system is receiving updates from RHN Classic or RHN Satellite.
> 
> Setting up Install Process
> 
> Package 14:libpcap-devel-0.9.4-15.el5.i386 already installed and 
> latest version
> 
> Nothing to do
> 
> FROM: Al Lewis (allewi) [mailto:allewi at ...589...]
>  SENT: Monday, September 28, 2015 9:17 AM
>  TO: Lamont, Brian A.; Russ Combs (rucombs); Michael Steele
>  CC: snort-users at lists.sourceforge.net
>  SUBJECT: RE: [Snort-users] 32bit snort rpm
> 
> For redhat libpcap devel is:
> 
> "yum install libpcap-devel"
> 
> Albert Lewis
> 
> QA Software Engineer
> 
> SOURCEFIRE, Inc. now part of CISCO
> 
> 9780 Patuxent Woods Drive
>  Columbia, MD 21046
> 
> Phone: (office) 443.430.7112
> 
> Email: allewi at ...589...
> 
> FROM: Lamont, Brian A. [mailto:Brian.Lamont at ...17273...]
>  SENT: Monday, September 28, 2015 12:00 PM
>  TO: Russ Combs (rucombs); Al Lewis (allewi); Michael Steele; 
> snort-users at lists.sourceforge.net
>  SUBJECT: RE: [Snort-users] 32bit snort rpm
> 
> Ok I'm back at this again. To recap, I'm trying to build snort 32bit 
> on rhel 5.11, but running in to dependency problems. While starting a 
> rpmbuild of daq, I started seeing errors. Below is what ldd snort 
> shows on 64 linux. I found another site that suggested installing 
> libpcap-devel so that libpcap would build, then install daq, and then 
> snort. But I have not been able to find libpcap-devel source pkg to 
> download for Rhel 5 32bit.
> 
> Here is how my install of libpcap-1.0.0 finishes and appears
> 
> ----------------------------------------------------------
> 
>  /usr/bin/install -c -m 644 ./$i \
> 
>  /usr/local/share/man/man3/$i; done
> 
> ln /usr/local/share/man/man3/pcap_datalink_val_to_name.3pcap \
> 
>  /usr/local/share/man/man3/pcap_datalink_val_to_description.3pcap
> 
> ln: creating hard link
> `/usr/local/share/man/man3/pcap_datalink_val_to_description.3pcap' to
> `/usr/local/share/man/man3/pcap_datalink_val_to_name.3pcap': File 
> exists
> 
> make: *** [install] Error 1
> 
> But my daq install errors unable to find libpcap
> 
> ---------------------------------------------------------
> 
> checking for libpcap version >= "1.0.0"... no
> 
>  ERROR! Libpcap library version >= 1.0.0 not found.
> 
>  Get it from http://www.tcpdump.org [1]
> 
> [root at ...17321... ~]# ldd /usr/local/bin/snort
> 
>  linux-vdso.so.1 => (0x00007fffb7ffd000)
> 
>  libdnet.1 => /usr/lib64/libdnet.1 (0x00002ba25825d000)
> 
>  libpcre.so.0 => /lib64/libpcre.so.0 (0x00002ba25846d000)
> 
>  libnsl.so.1 => /lib64/libnsl.so.1 (0x00002ba25868c000)
> 
>  libuuid.so.1 => /lib64/libuuid.so.1 (0x00002ba2588a5000)
> 
>  libm.so.6 => /lib64/libm.so.6 (0x00002ba258aa9000)
> 
>  libcrypto.so.6 => /lib64/libcrypto.so.6 (0x00002ba258d2c000)
> 
>  libdl.so.2 => /lib64/libdl.so.2 (0x00002ba25907f000)
> 
>  libsfbpf.so.0 => /usr/local/lib/libsfbpf.so.0 (0x00002ba259283000)
> 
>  libpcap.so.1 => /usr/local/lib/libpcap.so.1 (0x00002ba2594a6000)
> 
>  libz.so.1 => /lib64/libz.so.1 (0x00002ba2596e1000)
> 
>  libpthread.so.0 => /lib64/libpthread.so.0 (0x00002ba2598f5000)
> 
>  libc.so.6 => /lib64/libc.so.6 (0x00002ba259b11000)
> 
>  /lib64/ld-linux-x86-64.so.2 (0x00002ba25803f000)
> 
> [root at ...17321... ~]# snort -V
> 
>  ,,_ -*> Snort! <*-
> 
>  o" )~ Version 2.9.7.0 GRE (Build 149)
> 
>  '''' By Martin Roesch & The Snort Team:
> http://www.snort.org/contact#team [6]
> 
>  Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
> 
>  Copyright (C) 1998-2013 Sourcefire, Inc., et al.
> 
>  USING LIBPCAP VERSION 1.6.2
> 
>  Using PCRE version: 6.6 06-Feb-2006
> 
>  Using ZLIB version: 1.2.3
> 
> FROM: Russ [mailto:rucombs at ...589...]
>  SENT: Tuesday, September 15, 2015 3:18 PM
>  TO: Lamont, Brian A.; Al Lewis (allewi); Michael Steele; 
> snort-users at lists.sourceforge.net
>  SUBJECT: Re: [Snort-users] 32bit snort rpm
> 
> On 9/15/15 5:43 PM, Lamont, Brian A. wrote:
> 
>> So I'm a failure at building from the source rpm of daq, and pretty 
>> darn new to building rpms, so my next attempt below is to build from 
>> source, and that didn't go well.
>> 
>> [root at ...17307... snort]# rpmbuild --rebuild daq-2.0.6-1.src.rpm
>> 
>> Installing daq-2.0.6-1.src.rpm
>> 
>> error: unpacking of archive failed on file
>> /usr/src/redhat/SOURCES/daq-2.0.6.tar.gz;55f88cd3: cpio: MD5 sum 
>> mismatch
>> 
>> error: daq-2.0.6-1.src.rpm cannot be installed
>> 
>> From source:
>> 
>> ----------------
>> 
>> [root at ...17307... snort]# cd daq-2.0.6
>> 
>> [root at ...17307... daq-2.0.6]# vi README
>> 
>> [root at ...17307... daq-2.0.6]# ./configure
>> 
>> checking for a BSD-compatible install... /usr/bin/install -c
>> 
>> checking whether build environment is sane... yes
>> 
>> checking for a thread-safe mkdir -p... /bin/mkdir -p
>> 
>> checking for gawk... gawk
>> 
>> .
>> 
>> . …omitted..
>> 
>> ..
>> 
>> checking libnetfilter_queue/libnetfilter_queue.h presence... no
>> 
>> checking for libnetfilter_queue/libnetfilter_queue.h... no
>> 
>> checking for linux/netfilter.h... (cached) yes
>> 
>> checking for pcap.h... (cached) yes
>> 
>> checking for pcap_lib_version... checking for pcap_lib_version in 
>> -lpcap... (cached) yes
>> 
>> checking for libpcap version >= "1.0.0"... no
>> 
>> ERROR! Libpcap library version >= 1.0.0 not found.
>> 
>> Get it from http://www.tcpdump.org [1]
>> 
>> Current version of libpcap - same version on 64bit hosts and they 
>> work fine.
>> 
>> ---------------------------------
>> 
>> [root at ...17307... daq-2.0.6]# rpm -qa |grep libpcap
>> 
>> libpcap-devel-0.9.4-15.el5
>> 
>> libpcap-0.9.4-15.el5
> 
> We started requiring 1.0.0+ years ago. On those 64-bit hosts, what 
> does ldd snort show? Is that where rpm installed those? You can also 
> check snort -V to see the version.
> 
> FROM: Al Lewis (allewi) [mailto:allewi at ...589...]
>  SENT: Tuesday, September 15, 2015 12:05 PM
>  TO: Lamont, Brian A.; Michael Steele; 
> snort-users at lists.sourceforge.net
>  SUBJECT: RE: [Snort-users] 32bit snort rpm
> 
> You should be able to build from source but you need the daq installed 
> first.
> 
> Albert Lewis
> 
> QA Software Engineer
> 
> SOURCEFIRE, Inc. now part of CISCO
> 
> 9780 Patuxent Woods Drive
>  Columbia, MD 21046
> 
> Phone: (office) 443.430.7112
> 
> Email: allewi at ...589...
> 
> FROM: Lamont, Brian A. [mailto:Brian.Lamont at ...17273...]
>  SENT: Tuesday, September 15, 2015 10:39 AM
>  TO: Al Lewis (allewi); Michael Steele; 
> snort-users at lists.sourceforge.net
>  SUBJECT: RE: [Snort-users] 32bit snort rpm
> 
> I am needing to install snort on approx.. 25 32bit RHEL (REDHAT LINUX)
> 5 servers
> 
> FROM: Al Lewis (allewi) [mailto:allewi at ...589...]
>  SENT: Monday, September 14, 2015 7:10 PM
>  TO: Lamont, Brian A.; Michael Steele; 
> snort-users at lists.sourceforge.net
>  SUBJECT: RE: [Snort-users] 32bit snort rpm
> 
> Are you trying to install on windows or *nix?
> 
> Albert Lewis
> 
> QA Software Engineer
> 
> SOURCEFIRE, Inc. now part of CISCO
> 
> 9780 Patuxent Woods Drive
>  Columbia, MD 21046
> 
> Phone: (office) 443.430.7112
> 
> Email: allewi at ...589...
> 
> FROM: Lamont, Brian A. [mailto:Brian.Lamont at ...17273...]
>  SENT: Monday, September 14, 2015 7:00 PM
>  TO: Michael Steele; snort-users at lists.sourceforge.net
>  SUBJECT: Re: [Snort-users] 32bit snort rpm
> 
> But I should be able to build from source, at least according to one 
> of the README files, correct? I have started one build after 
> installing the libpcap and other prereqs, and it started to take off 
> and look like a build, then failed for the error below. Where can I 
> find the sfbpf library?
> 
> [root at ...17307... snort]# rpmbuild -ta snort-2.9.7.5.tar.gz
> 
> Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.9801
> 
> + umask 022
> 
> + cd /usr/src/redhat/BUILD
> 
> + LANG=C
> 
> + export LANG
> 
> + unset DISPLAY
> 
> + cd /usr/src/redhat/BUILD
> 
> + rm -rf snort-2.9.7.5
> 
> + /usr/bin/gzip -dc /var/tmp/snort/snort-2.9.7.5.tar.gz
> 
> .
> 
> ..
> 
> checking for INADDR_NONE... yes
> 
> checking for __FUNCTION__... yes
> 
> checking for sfbpf_compile in -lsfbpf... no
> 
>  ERROR! sfbpf library not found, go get it from
> 
>  http://www.snort.org/ [7].
> 
> error: Bad exit status from /var/tmp/rpm-tmp.9801 (%build)
> 
> RPM build errors:
> 
>  Bad exit status from /var/tmp/rpm-tmp.9801 (%build)
> 
> FROM: Michael Steele [mailto:michaels at ...9077...]
>  SENT: Monday, September 14, 2015 3:37 PM
>  TO: Lamont, Brian A.
>  SUBJECT: RE: [Snort-users] 32bit snort rpm
> 
> Snort is 32bit for Window, but the remainder of the support programs 
> are 64bit. There are 32bit and 64bit installation tutorials for 
> Windows.
> 
> Kindest regards,
> 
> Michael...
> 
> WINSNORT.com Management Team Member
> 
> --
> 
> ****************** Established ~ 2001 *******************
> 
> * Visit Us @ http://www.winsnort.com [8] *
> 
> * ~~ FREE WinIDS Snort installation guides ~~ *
> 
> * ~~ FREE support forums ~~ *
> 
> * Snort: Open Source Network IDS - http://www.snort.org [9] *
> 
> *********************************************************
> 
> FROM: Lamont, Brian A. [mailto:Brian.Lamont at ...17273...]
>  SENT: Monday, September 14, 2015 6:22 PM
>  TO: snort-users at lists.sourceforge.net
>  SUBJECT: [Snort-users] 32bit snort rpm
> 
> I am needing to install snort on approx.. 25 32bit Rhel 5 servers. I 
> see there is a 64bit rpm on the website. Is there a 32bit package 
> available?
> 
> _BRIAN LAMONT_
> 
> UNIX SYSTEMS ADMIN
> 
> DESK:  480 586-9986
> 
> CELL:     480 209-8751
> 
> brian.lamont at ...17273...

If this was me, at this point, I would just create snort and it's dependencies in their own environment(with a little fudging) like so:

libpcap:
snag latest at http://www.tcpdump.org/release/libpcap-1.7.4.tar.gz
./configure --prefix=/opt/snortbuild

sudo ln -s /opt/snortbuild/bin/pcap-config /usr/sbin/


For some reason daq has issues with finding libpcap.so.1 so:
(as root) echo "/opt/snortbuild/lib" > /etc/ld.so.conf.d/snort.conf (or symlink it to your lib path)

libdnet:
snag latest at
http://pkgs.fedoraproject.org/repo/pkgs/libdnet/libdnet-1.12.tgz/9253ef6de1b5e28e9c9a62b882e44cc9/libdnet-1.12.tgz
and ./configure --prefix=/opt/snortbuild

sudo ln -s /opt/snortbuild/bin/dnet-config /usr/bin/


daq:
snag latest at https://www.snort.org/downloads/snort/daq-2.0.6.tar.gz
./configure --prefix=/opt/snort
--with-libpcap-includes=/opt/snortbuild/include
--with-libpcap-libraries=/opt/snortbuild/lib
--with-dnet-includes=/opt/snortbuild/include
--with-dnet-libraries=/opt/snortbuild/lib

sudo ln -s /opt/snortbuild/bin/daq-modules-config /usr/bin/


snort:
snag at https://www.snort.org/downloads/snort/snort-2.9.7.5.tar.gz and configure with ./configure --prefix=/opt/snort --enable-sourcefire --with-daq-includes=/opt/snortbuild/include
--with-daq-libraries=/opt/snortbuild/lib
--with-dnet-includes=/opt/snortbuild/include
--with-dnet-libraries=/opt/snortbuild/lib
--with-libpcap-includes=/opt/snortbuild/include
--with-libpcap-libraries=/opt/snortbuild/lib

snort refuses to find libdnet.1 so you'll need to make a symlink to your lib path such as: sudo ln -s /opt/snortbuild/lib/libdnet.1.0.1
/lib/i386-linux-gnu/libdnet.1

vbox:/opt/snort/bin$ ldd snort
	linux-gate.so.1 =>  (0xb7759000)
	libdnet.1 => /lib/i386-linux-gnu/libdnet.1 (0xb772c000)
	libpcre.so.3 => /lib/i386-linux-gnu/libpcre.so.3 (0xb76ba000)
	libm.so.6 => /lib/i386-linux-gnu/libm.so.6 (0xb766c000)
	libcrypto.so.1.0.0 => /lib/i386-linux-gnu/libcrypto.so.1.0.0
(0xb7498000)
	libdl.so.2 => /lib/i386-linux-gnu/libdl.so.2 (0xb7493000)
	libsfbpf.so.0 => /opt/snortbuild/lib/libsfbpf.so.0 (0xb746b000)
	libpcap.so.1 => /opt/snortbuild/lib/libpcap.so.1 (0xb7425000)
	libz.so.1 => /lib/i386-linux-gnu/libz.so.1 (0xb7409000)
	libpthread.so.0 => /lib/i386-linux-gnu/libpthread.so.0 (0xb73ec000)
	libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7231000)
	/lib/ld-linux.so.2 (0xb775a000)

vbox:/opt/snort/bin$ ./snort --version

    ,,_     -*> Snort! <*-
   o"  )~   Version 2.9.7.5 GRE (Build 262)
    ''''    By Martin Roesch & The Snort Team: 
http://www.snort.org/contact#team
            Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
            Using libpcap version 1.7.4
            Using PCRE version: 8.35 2014-04-04
            Using ZLIB version: 1.2.8

At this point if you want to push this out as a package you can tar.bz2 /opt/snortbuild and /opt/snort as well as the lib symlinks and away you go.  Hope that helps.

James

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!


More information about the Snort-users mailing list