[Snort-users] Ubuntu 18 and so rules error

James Lay jlay at slave-tothe-box.net
Thu Jun 14 17:45:15 EDT 2018


Good info thanks YM! 

James 

On 2018-06-14 15:00, Y M via Snort-users wrote:

> Expanding the troubleshooting surface here, not hijacking the thread. I get the below error after a successful build: 
> 
> # /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort.conf -T
> 
> Loading all dynamic detection libs from /usr/local/snort/lib/snort_dynamicrules... 
> 
> Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/malware-cnc.so... done 
> Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/browser-ie.so... done 
> Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/server-webapp.so... done 
> Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/pua-p2p.so... done 
> Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/protocol-other.so... done 
> Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/netbios.so... done 
> Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/protocol-tftp.so... done 
> Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/malware-other.so... 
> ERROR: Failed to load /usr/local/snort/lib/snort_dynamicrules/malware-other.so: /usr/local/snort/lib/snort_dynamicrules/malware-other.so: undefined symbol: sin 
> Fatal Error, Quitting.. 
> 
> $ ldd /usr/local/snort/bin/snort 
> 
> linux-vdso.so.1 (0x00007ffc4c4bf000) 
> libnghttp2.so.14 => /usr/lib/x86_64-linux-gnu/libnghttp2.so.14 (0x00007f62f0f52000) 
> libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007f62f0ce0000) 
> libcrypto.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f62f089d000) 
> libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f62f0699000) 
> libnetfilter_queue.so.1 => /usr/lib/x86_64-linux-gnu/libnetfilter_queue.so.1 (0x00007f62f0492000) 
> libsfbpf.so.0 => /usr/local/lib/libsfbpf.so.0 (0x00007f62f026c000) 
> libpcap.so.0.8 => /usr/lib/x86_64-linux-gnu/libpcap.so.0.8 (0x00007f62f002b000) 
> libdumbnet.so.1 => /usr/lib/x86_64-linux-gnu/libdumbnet.so.1 (0x00007f62efe1a000) 
> libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f62efbfd000) 
> liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f62ef9d7000) 
> libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f62ef7b8000) 
> libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f62ef3c7000) 
> /lib64/ld-linux-x86-64.so.2 (0x00007f62f239a000) 
> libnfnetlink.so.0 => /usr/lib/x86_64-linux-gnu/libnfnetlink.so.0 (0x00007f62ef1c0000) 
> libmnl.so.0 => /lib/x86_64-linux-gnu/libmnl.so.0 (0x00007f62eefba000) 
> 
> Dependencies: 
> # apt-get install flex bison gcc make cmake libtool autoconf libpcap-dev libpcre3-dev liblzma-dev zlib1g-dev libnetfilter-queue-dev libdumbnet-dev openssl libssl-dev libnghttp2-dev pkg-config uuid-dev 
> 
> LuaJIT 2.0.5 installed from source. 
> 
> Configure: 
> # ./configure --prefix=/usr/local/snort --enable-sourcefire --enable-file-inspect --enable-large-pcap --enable-non-ether-decoders --enable-open-appid
> 
> # uname -a 
> Linux dev 4.15.0-23-generic #25-Ubuntu SMP Wed May 23 18:02:16 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
> 
> On a side note, building Snort 2.9.11.1 with libssl-dev (1.1.0g) and --enable-open-appid will fail (errors attached). Had to downgrade to libssl1.0-dev (1.0.2n) to get the build going. 
> 
> Thanks. 
> YM 
> 
> -------------------------
> 
> FROM: Snort-users <snort-users-bounces at lists.snort.org> on behalf of Patrick Mullen (pamullen) via Snort-users <snort-users at lists.snort.org>
> SENT: Thursday, June 14, 2018 5:50 PM
> TO: jlay at slave-tothe-box.net
> CC: snort-users at lists.snort.org
> SUBJECT: Re: [Snort-users] Ubuntu 18 and so rules error 
> 
> To be clear, my example code ran first try?  Does snort continue to throw that error? 
> 
> ~Patrick 
> 
> FROM: James Lay <jlay at slave-tothe-box.net> 
> 
> Ran like a champ: 
> 
> <snip screenshot> 
> 
> now we're having some fun! 
> 
> James 
> 
> On 2018-06-13 09:20, Patrick Mullen (pamullen) wrote:
> 
>> James, 
>> 
>> Here's a quick test.  If this doesn't work, then install whatever google tells you and it should fix the snort loading problem.  If it does, then I'm a little confused and we'll have to look into this further.
> 

  