[Snort-users] Ubuntu 18 and so rules error

Y M snort at outlook.com
Tue Jun 19 22:30:35 EDT 2018


Same results over here with malware-other.so.

ERROR: Failed to load /usr/local/snort/lib/snort_dynamicrules/malware-other.so: /usr/local/snort/lib/snort_dynamicrules/malware-other.so: undefined symbol: sin

$ ldd /usr/local/snort/lib/snort_dynamicrules/malware-other.so
linux-vdso.so.1 (0x00007ffd4f9fe000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fa326064000)
/lib64/ld-linux-x86-64.so.2 (0x00007fa326781000)

...and ldd for protocol-dns.so for comparison's sake.

$ ldd /usr/local/snort/lib/snort_dynamicrules/protocol-dns.so
linux-vdso.so.1 (0x00007ffe5c5ec000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f08aaf9c000)
/lib64/ld-linux-x86-64.so.2 (0x00007f08ab5bf000)

YM

________________________________
From: Snort-users <snort-users-bounces at lists.snort.org> on behalf of Russ via Snort-users <snort-users at lists.snort.org>
Sent: Wednesday, June 20, 2018 5:19 AM
To: jlay at slave-tothe-box.net; Patrick Mullen (pamullen); Snort
Subject: Re: [Snort-users] Ubuntu 18 and so rules error

Hey James,

Can you send the ldd output for protocol-dns.so?

Thanks
Russ

On 6/19/18 8:29 PM, James Lay wrote:

Alas I got the same results:

An error occurred: Loading dynamic detection library /opt/snort/lib/snort_dynamicrules/protocol-dns.so... ERROR: Failed to load /opt/snort/lib/snort_dynamicrules/protocol-dns.so: /opt/snort/lib/snort_dynamicrules/protocol-dns.so: undefined symbol: log

file info:

-rwxr-xr-x 1 root root 445824 Jun 18 11:28 /opt/snort/lib/snort_dynamicrules/protocol-dns.so

My snort was compiled like so:

./configure --prefix=/opt/snort --enable-non-ether-decoders --enable-sourcefire --enable-shared-rep --enable-control-socket --enable-file-inspect --with-daq-includes=/opt/daq/include --with-daq-libraries=/opt/daq/lib --with-dnet-includes=/opt/libdnet/include --with-dnet-libraries=/opt/libdnet/lib

libdnet like so:

./configure --prefix=/opt/libdnet CFLAGS="-fPIC -g -O2"

and daq like so:

./configure --prefix=/opt/daq

That info might help.  If you'd like and have the time, Patrick, ping me off list and I can get you ssh access and you can go to town...thank you!

James

On 2018-06-19 09:57, James Lay wrote:

Thanks Patrick...will test on that dev box today and report my findings.

James

On 2018-06-18 13:25, Patrick Mullen (pamullen) wrote:

James, Y M, and anyone else experiencing this issue.

We've made a build change from feedback given to me by Russ, so please report back after our next release, which should be some time tomorrow, Tuesday, 19 June, and let me know if the issue has been resolved.  Unfortunately, I don't have the issue myself so I can't test it, but it should fix it.  :crosses fingers:  Thanks for your patience and assistance.

Thanks,

~Patrick

From: "Patrick Mullen (pamullen)" <pamullen at cisco.com>
Date: Friday, June 15, 2018 at 1:13 PM
To: "jlay at slave-tothe-box.net" <jlay at slave-tothe-box.net>
Cc: "snort-users at lists.snort.org" <snort-users at lists.snort.org>
Subject: Re: [Snort-users] Ubuntu 18 and so rules error

James,

I'm at a loss.  Let me google and think about this and get back to you.  Maybe it's a versioning issue?

Anyone else have/seen this issue?

Thanks,

~Patrick

From: James Lay <jlay at slave-tothe-box.net>
Reply-To: "jlay at slave-tothe-box.net" <jlay at slave-tothe-box.net>
Date: Thursday, June 14, 2018 at 5:44 PM
To: "Patrick Mullen (pamullen)" <pamullen at cisco.com>
Cc: "snort-users at lists.snort.org" <snort-users at lists.snort.org>
Subject: Re: [Snort-users] Ubuntu 18 and so rules error

Yes....of note I am not compiling the rules, just using PulledPork to do its thing.

James

On 2018-06-14 08:50, Patrick Mullen (pamullen) wrote:

To be clear, my example code ran first try?  Does snort continue to throw that error?

~Patrick

From: James Lay <jlay at slave-tothe-box.net>

Ran like a champ:

<snip screenshot>

now we're having some fun!

James

On 2018-06-13 09:20, Patrick Mullen (pamullen) wrote:

James,

Here's a quick test.  If this doesn't work, then install whatever google tells you and it should fix the snort loading problem.  If it does, then I'm a little confused and we'll have to look into this further.

_______________________________________________
Snort-users mailing list
Snort-users at lists.snort.org<mailto:Snort-users at lists.snort.org>
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
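
Added example, not part of the original messages and not Snort or PulledPork code: a small triage helper that pairs a dynamic-rule load error with the ldd listing for the same .so, using the malware-other.so error and ldd output quoted earlier in this thread as sample input. It assumes glibc, where sin and log are exported by libm.so.6 rather than libc.so.6; the thread itself does not state a root cause, and the function names are hypothetical.

```python
import re

# Symbols named in the errors quoted in this thread. Assumption: glibc, which
# exports both from libm.so.6, not from libc.so.6.
LIBM_SYMBOLS = {"sin", "log"}

LOAD_ERROR = re.compile(
    r"ERROR: Failed to load (?P<path>\S+): .*undefined symbol: (?P<sym>\w+)")

# Sample input copied from the messages above.
SAMPLE_ERROR = ("ERROR: Failed to load /usr/local/snort/lib/snort_dynamicrules/"
                "malware-other.so: /usr/local/snort/lib/snort_dynamicrules/"
                "malware-other.so: undefined symbol: sin")
SAMPLE_LDD = """\
linux-vdso.so.1 (0x00007ffd4f9fe000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fa326064000)
/lib64/ld-linux-x86-64.so.2 (0x00007fa326781000)
"""

def parse_load_error(line):
    """Return (module_path, symbol) from a load error line, or None."""
    m = LOAD_ERROR.search(line)
    return (m.group("path"), m.group("sym")) if m else None

def needed_libs(ldd_output):
    """Return the library names ldd lists for an object (basename only)."""
    libs = set()
    for raw in ldd_output.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("$"):  # skip blanks and prompts
            continue
        libs.add(fields[0].rsplit("/", 1)[-1])
    return libs

def diagnose(error_line, ldd_output):
    """Explain an undefined-symbol load failure using the ldd listing."""
    parsed = parse_load_error(error_line)
    if parsed is None:
        return None
    path, sym = parsed
    libs = needed_libs(ldd_output)
    if sym in LIBM_SYMBOLS and not any(l.startswith("libm.so") for l in libs):
        return f"{path}: needs '{sym}' from libm, but ldd lists no libm dependency"
    return f"{path}: '{sym}' unresolved; ldd lists {sorted(libs)}"

if __name__ == "__main__":
    print(diagnose(SAMPLE_ERROR, SAMPLE_LDD))
```
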






