[Snort-users] Ubuntu 18 and so rules error

Russ rucombs at cisco.com
Tue Jun 19 23:05:54 EDT 2018


Yeah, libm.so.6 is missing.  If this is blocking you, adding log(1); to 
main() in snort.c and building should get them to load.

On 6/19/18 10:30 PM, Y M via Snort-users wrote:
> Same results over here with malware-other.so.
>
> ERROR: Failed to load 
> /usr/local/snort/lib/snort_dynamicrules/malware-other.so: 
> /usr/local/snort/lib/snort_dynamicrules/malware-other.so: undefined 
> symbol: sin
>
> $ ldd /usr/local/snort/lib/snort_dynamicrules/malware-other.so
> linux-vdso.so.1 (0x00007ffd4f9fe000)
> libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fa326064000)
> /lib64/ld-linux-x86-64.so.2 (0x00007fa326781000)
>
> ..and ldd for protocol-dns.so for comparison's sake.
>
> $ ldd /usr/local/snort/lib/snort_dynamicrules/protocol-dns.so
> linux-vdso.so.1 (0x00007ffe5c5ec000)
> libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f08aaf9c000)
> /lib64/ld-linux-x86-64.so.2 (0x00007f08ab5bf000)
>
> YM
>
> ------------------------------------------------------------------------
> *From:* Snort-users <snort-users-bounces at lists.snort.org> on behalf of 
> Russ via Snort-users <snort-users at lists.snort.org>
> *Sent:* Wednesday, June 20, 2018 5:19 AM
> *To:* jlay at slave-tothe-box.net; Patrick Mullen (pamullen); Snort
> *Subject:* Re: [Snort-users] Ubuntu 18 and so rules error
> Hey James,
>
> Can you send the ldd output for protocol-dns.so?
>
> Thanks
> Russ
>
> On 6/19/18 8:29 PM, James Lay wrote:
>>
>> Alas I got the same results:
>>
>> An error occurred: Loading dynamic detection library 
>> /opt/snort/lib/snort_dynamicrules/protocol-dns.so... ERROR: Failed to 
>> load /opt/snort/lib/snort_dynamicrules/protocol-dns.so: 
>> /opt/snort/lib/snort_dynamicrules/protocol-dns.so: undefined symbol: log
>>
>> file info:
>>
>> -rwxr-xr-x 1 root root 445824 Jun 18 11:28 
>> /opt/snort/lib/snort_dynamicrules/protocol-dns.so
>>
>> My snort was compiled like so:
>>
>> ./configure --prefix=/opt/snort --enable-non-ether-decoders 
>> --enable-sourcefire --enable-shared-rep --enable-control-socket 
>> --enable-file-inspect --with-daq-includes=/opt/daq/include 
>> --with-daq-libraries=/opt/daq/lib 
>> --with-dnet-includes=/opt/libdnet/include 
>> --with-dnet-libraries=/opt/libdnet/lib
>>
>> libdnet like so:
>>
>> ./configure --prefix=/opt/libdnet CFLAGS="-fPIC -g -O2"
>>
>> and daq like so:
>>
>> ./configure --prefix=/opt/daq
>>
>> That info might help.  If you'd like and have the time Patrick ping 
>> me off list and I can get you ssh access and you can go to 
>> town...thank you!
>>
>> James
>>
>> On 2018-06-19 09:57, James Lay wrote:
>>
>>> Thanks Patrick...will test on that dev box today and report my findings.
>>>
>>> James
>>>
>>> On 2018-06-18 13:25, Patrick Mullen (pamullen) wrote:
>>>
>>>     James, Y M, and anyone else experiencing this issue.
>>>
>>>     We've made a build change from feedback given to me by Russ, so
>>>     please report back after our next release, which should be some
>>>     time tomorrow, Tuesday, 19 June, and let me know if the issue
>>>     has been resolved.  Unfortunately, I don't have the issue myself
>>>     so I can't test it, but it should fix it.  :crosses fingers: 
>>>     Thanks for your patience and assistance.
>>>
>>>     Thanks,
>>>
>>>     ~Patrick
>>>
>>>     *From: *"Patrick Mullen (pamullen)" <pamullen at cisco.com>
>>>     *Date: *Friday, June 15, 2018 at 1:13 PM
>>>     *To: *"jlay at slave-tothe-box.net" <jlay at slave-tothe-box.net>
>>>     *Cc: *"snort-users at lists.snort.org" <snort-users at lists.snort.org>
>>>     *Subject: *Re: [Snort-users] Ubuntu 18 and so rules error
>>>
>>>     James,
>>>
>>>     I'm at a loss.  Let me google and think about this and get back
>>>     to you.  Maybe it's a versioning issue?
>>>
>>>     Anyone else have/seen this issue?
>>>
>>>     Thanks,
>>>
>>>     ~Patrick
>>>
>>>     *From: *James Lay <jlay at slave-tothe-box.net>
>>>     *Reply-To: *"jlay at slave-tothe-box.net" <jlay at slave-tothe-box.net>
>>>     *Date: *Thursday, June 14, 2018 at 5:44 PM
>>>     *To: *"Patrick Mullen (pamullen)" <pamullen at cisco.com>
>>>     *Cc: *"snort-users at lists.snort.org" <snort-users at lists.snort.org>
>>>     *Subject: *Re: [Snort-users] Ubuntu 18 and so rules error
>>>
>>>     Yes....of note I am not compiling the rules, just using pulled
>>>     pork to do its thing.
>>>
>>>     James
>>>
>>>     On 2018-06-14 08:50, Patrick Mullen (pamullen) wrote:
>>>
>>>         To be clear, my example code ran first try?  Does snort
>>>         continue to throw that error?
>>>
>>>         ~Patrick
>>>
>>>         *From: *James Lay <jlay at slave-tothe-box.net>
>>>
>>>         Ran like a champ:
>>>
>>>         <snip screenshot>
>>>
>>>         now we're having some fun!
>>>
>>>         James
>>>
>>>         On 2018-06-13 09:20, Patrick Mullen (pamullen) wrote:
>>>
>>>             James,
>>>
>>>             Here's a quick test.  If this doesn't work, then install
>>>             whatever google tells you and it should fix the snort
>>>             loading problem.  If it does, then I'm a little confused
>>>             and we'll have to look into this further.
>>>
>>>
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.snort.org <mailto:Snort-users at lists.snort.org>
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.snort.org/mailman/listinfo/snort-users
>>>
>>> Please visit http://blog.snort.org to stay current on all the latest 
>>> Snort news!
>>>
>>> Please follow these rules: 
>>> https://snort.org/faq/what-is-the-mailing-list-etiquette 
>>> <https://snort.org/faq/what-is-the-mailing-list-etiquette>
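
The diagnosis in this thread (a rule library that uses `sin` or `log` while its `ldd` output lists no `libm.so.6`) can be checked across all installed rule libraries with the script below. It is an added example, not code from the thread or from the Snort project; the function names and the default `libm` path are assumptions, and live use needs `readelf` and `nm` from binutils.

```shell
#!/bin/sh
# Added example (not from the thread): report undefined symbols in a rule
# library that libm exports while libm.so.6 is absent from its DT_NEEDED list.
LC_ALL=C; export LC_ALL   # sort and comm must agree on collation

# stdin: `readelf -d` output -> one DT_NEEDED soname per line
needed_from_readelf() {
    sed -n 's/.*(NEEDED).*\[\(.*\)].*/\1/p'
}

# stdin: `nm -D` output -> sorted symbol names, version suffix removed
syms_from_nm() {
    awk 'NF { print $NF }' | sed 's/@.*//' | sort -u
}

# $1 soname, $2 needed list, $3 undefined symbols, $4 symbols exported by $1
# Prints "<soname> <symbol>" for each undefined symbol that $1 exports,
# unless $1 is already recorded as a dependency of the object.
missing_dependency() {
    if grep -qxF "$1" "$2"; then return 0; fi
    comm -12 "$3" "$4" | sed "s|^|$1 |"
}

# $1 rule library, $2 libm path (the default is an assumed Ubuntu x86_64 path)
check_so() (
    libm=${2:-/lib/x86_64-linux-gnu/libm.so.6}
    tmp=$(mktemp -d) || exit 1
    readelf -d "$1" | needed_from_readelf > "$tmp/needed"
    nm -D --undefined-only "$1" | syms_from_nm > "$tmp/undef"
    nm -D --defined-only "$libm" | syms_from_nm > "$tmp/exports"
    missing_dependency libm.so.6 "$tmp/needed" "$tmp/undef" "$tmp/exports"
    rm -rf "$tmp"
)

# Usage: sh check_so_rules.sh /usr/local/snort/lib/snort_dynamicrules/*.so
for so in "$@"; do
    echo "== $so"
    check_so "$so"
done
```

Symbols that Snort itself supplies at load time are ignored because only names exported by `libm` are matched. A few functions (for example `frexp` and `ldexp`) are exported by both libc and libm, so confirm any hit against the loader error before acting on it.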
