[Snort-users] Ubuntu 18 and so rules error

James Lay jlay at slave-tothe-box.net
Tue Jun 19 22:24:26 EDT 2018


Included....adding -r -d gives some more detail:

	linux-vdso.so.1 (0x00007ffe1538f000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6
(0x00007f9e03f41000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f9e04564000)
undefined symbol: freeRuleData	(./protocol-dns.so)
undefined symbol: byteTest	(./protocol-dns.so)
undefined symbol: checkFlow	(./protocol-dns.so)
undefined symbol: checkCursor	(./protocol-dns.so)
undefined symbol: allocRuleData	(./protocol-dns.so)
undefined symbol: RegisterRules	(./protocol-dns.so)
undefined symbol: contentMatch	(./protocol-dns.so)
undefined symbol: getBuffer	(./protocol-dns.so)
undefined symbol: storeRuleData	(./protocol-dns.so)
undefined symbol: DumpRules	(./protocol-dns.so)
undefined symbol: log	(./protocol-dns.so)
undefined symbol: pcreMatch	(./protocol-dns.so)
undefined symbol: pow	(./protocol-dns.so)
undefined symbol: getRuleData	(./protocol-dns.so)

James

On Tue, 2018-06-19 at 22:19 -0400, Russ wrote:
> 
>     Hey James,
> 
>     
> 
>     Can you send the ldd output for protocol-dns.so?
> 
>     
> 
>     Thanks
> 
>     Russ
> 
>     
> 
>     On 6/19/18 8:29 PM, James Lay wrote:
> 
>     
>     
> >       
> >       Alas I got the same results:
> >       An error occurred: Loading dynamic detection library
> >         /opt/snort/lib/snort_dynamicrules/protocol-dns.so... ERROR:
> >         Failed to load
> >         /opt/snort/lib/snort_dynamicrules/protocol-dns.so:
> >         /opt/snort/lib/snort_dynamicrules/protocol-dns.so:
> > undefined
> >         symbol: log
> >       file info:
> >       -rwxr-xr-x 1 root root 445824 Jun 18 11:28
> >         /opt/snort/lib/snort_dynamicrules/protocol-dns.so
> >       My snort was compiled like so:
> >       ./configure --prefix=/opt/snort --enable-non-ether-decoders
> >         --enable-sourcefire --enable-shared-rep --enable-control-
> > socket
> >         --enable-file-inspect --with-daq-includes=/opt/daq/include
> >         --with-daq-libraries=/opt/daq/lib
> >         --with-dnet-includes=/opt/libdnet/include
> >         --with-dnet-libraries=/opt/libdnet/lib
> >       libdnet like so:
> >       ./configure --prefix=/opt/libdnet CFLAGS=-fPIC -g -O2
> >       and daq like so:
> >       ./configure --prefix=/opt/daq
> >       That info might help.  If you'd like and have the time
> > Patrick
> >         ping me off list and I can get you ssh access and you can
> > go to
> >         town...thank you!
> >       James
> >       On 2018-06-19 09:57, James Lay wrote:
> >       
> > >         Thanks Patrick...will test on that dev box today and
> > > report
> > >           my findings.
> > >         James
> > >         On 2018-06-18 13:25, Patrick Mullen (pamullen) wrote:
> > >         
> > > >           
> > > >             James, Y M, and anyone else
> > > >               experiencing this issue.
> > > >              
> > > >             We've made a build change from feedback
> > > >               given to me by Russ, so please report back after
> > > > our next
> > > >               release, which should be some time tomorrow,
> > > > Tuesday, 19
> > > >               June, and let me know if the issue has been
> > > > resolved. 
> > > >               Unfortunately, I don't have the issue myself so I
> > > > can't
> > > >               test it, but it should fix it.  :crosses
> > > > fingers:  Thanks
> > > >               for your patience and assistance.
> > > >              
> > > >              
> > > >             Thanks,
> > > >              
> > > >             ~Patrick
> > > >              
> > > >              
> > > >             
> > > >               From: "Patrick
> > > >                   Mullen (pamullen)" <pamullen at cisco.com>
> > > > 
> > > >                   Date: Friday, June 15, 2018 at 1:13
> > > >                   PM
> > > > 
> > > >                   To: "jlay at slave-tothe-box.net"
> > > >                   <jlay at slave-tothe-box.net>
> > > > 
> > > >                   Cc: "snort-users at lists.snort.org"
> > > >                   <snort-users at lists.snort.org>
> > > > 
> > > >                   Subject: Re: [Snort-users] Ubuntu 18
> > > >                   and so rules error
> > > >             
> > > >             
> > > >                
> > > >             
> > > >             James,
> > > >              
> > > >             I'm at a loss.  Let me google and think
> > > >               about this and get back to you.  Maybe it's a a
> > > > versioning
> > > >               issue?
> > > >              
> > > >             Anyone else have/seen this issue?
> > > >              
> > > >              
> > > >             Thanks,
> > > >              
> > > >             ~Patrick
> > > >              
> > > >             
> > > >               From: James Lay
> > > >                   <jlay at slave-tothe-box.net>
> > > > 
> > > >                   Reply-To: "jlay at slave-tothe-box.net"
> > > >                   <jlay at slave-tothe-box.net>
> > > > 
> > > >                   Date: Thursday, June 14, 2018 at
> > > >                   5:44 PM
> > > > 
> > > >                   To: "Patrick Mullen (pamullen)"
> > > >                   <pamullen at cisco.com>
> > > > 
> > > >                   Cc: "snort-users at lists.snort.org"
> > > >                   <snort-users at lists.snort.org>
> > > > 
> > > >                   Subject: Re: [Snort-users] Ubuntu 18
> > > >                   and so rules error
> > > >             
> > > >             
> > > >                
> > > >             
> > > >             Yes....of note I am not compiling the rules, just
> > > > using
> > > >               pulled pork to do it's thing.
> > > >             James
> > > >             On 2018-06-14 08:50, Patrick Mullen (pamullen)
> > > > wrote:
> > > >             
> > > > >               
> > > > >                 To be clear, my example
> > > > >                   code ran first try?  Does snort continue to
> > > > > throw that
> > > > >                   error?
> > > > >                  
> > > > >                  
> > > > >                 ~Patrick
> > > > >                  
> > > > >                 
> > > > >                   From: James Lay
> > > > >                       <jlay at slave-tothe-box.net>
> > > > >                 
> > > > >                 
> > > > >                    
> > > > >                 
> > > > >                 Ran like a champ:
> > > > >                 <snip screenshot>
> > > > >                 now we're having some fun!
> > > > >                 James
> > > > >                 On 2018-06-13 09:20, Patrick Mullen
> > > > > (pamullen) wrote:
> > > > >                 
> > > > > >                   
> > > > > >                     James,
> > > > > >                      
> > > > > >                     Here's a quick test.  If this doesn't
> > > > > >                       work, then install whatever google
> > > > > > tells you and
> > > > > >                       it should fix the snort loading
> > > > > > problem.  If it
> > > > > >                       does, then I'm a little confused and
> > > > > > we'll have to
> > > > > >                       look into this further.
> > > > > >                   
> > > > > >                 
> > > > > 
> > > > >                 
> > > > >                    
> > > > >                 
> > > > >               
> > > > >             
> > > > 
> > > >              
> > > >             
> > > >                
> > > >             
> > > >           
> > > >         
> > > 
> > >          
> > >          
> > >         
> > > 
> > >         _______________________________________________
> > > 
> > >           Snort-users mailing list
> > > 
> > >           Snort-users at lists.snort.org
> > > 
> > >           Go to this URL to change user options or unsubscribe:
> > > 
> > >           https://lists.snort.org/mailman/listinfo/snort-users
> > > 
> > >           
> > > 
> > >           Please visit http://blog.snort.org to stay
> > >           current on all the latest Snort news!
> > > 
> > >           
> > > 
> > >           Please follow these rules: https://snort.org/faq/what-i
> > > s-the-mailing-list-etiquette
> > >       
> > 
> >        
> >        
> >       
> > 
> >       
> >       
> > 
> >       _______________________________________________Snort-users
> > mailing listSnort-users at lists.snort.orgGo to this URL to change
> > user options or unsubscribe:https://lists.snort.org/mailman/listinf
> > o/snort-users
> > Please visit http://blog.snort.org to stay current on all the
> > latest Snort news!
> > Please follow these rules: https://snort.org/faq/what-is-the-mailin
> > g-list-etiquette
> > 
> >     
> 
>     
> 
>   
> 
> 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20180619/25f2879d/attachment.html>


More information about the Snort-users mailing list