[Snort-users] Ubuntu 18 and so rules error

James Lay jlay at slave-tothe-box.net
Wed Jun 20 05:43:04 EDT 2018


Here's what I have:

lrwxrwxrwx 1 root root 12 Jun  3 12:35 libm.so.6 -> libm-2.27.so

James

On Tue, 2018-06-19 at 23:05 -0400, Russ via Snort-users wrote:
> 
>     Yeah, libm.so.6 is missing.  If this is blocking you, adding
> log(1);
>     to main() in snort.c and building should get them to load.
> 
>     
> 
>     On 6/19/18 10:30 PM, Y M via
>       Snort-users wrote:
> 
>     
> 
>     
> >       
> >        P {margin-top:0;margin-bottom:0;} 
> >       
> >         Same results over here with
> >           malware-other.so.
> >       
> >         
> > 
> >       
> >       
> >         ERROR: Failed to load
> >           /usr/local/snort/lib/snort_dynamicrules/malware-other.so:
> >           /usr/local/snort/lib/snort_dynamicrules/malware-other.so:
> >           undefined symbol: sin
> > 
> >       
> >       
> >         
> > 
> >       
> >       
> >         $ ldd
> >           /usr/local/snort/lib/snort_dynamicrules/malware-other.so
> > 
> >         
> >         linux-vdso.so.1 (0x00007ffd4f9fe000)
> > 
> >         
> >         libc.so.6 =>
> >             /lib/x86_64-linux-gnu/libc.so.6 (0x00007fa326064000)
> > 
> >         
> >         /lib64/ld-linux-x86-64.so.2 (0x00007fa326781000)
> > 
> >       
> >       
> >         
> > 
> >         
> >       
> >         ..and ldd
> >             for protocol-dns.so for comparison sake.
> > 
> >         
> >       
> >         
> > 
> >         
> >       
> >         $ ldd
> >             /usr/local/snort/lib/snort_dynamicrules/protocol-dns.so
> >             
> > 
> >           
> >           linux-vdso.so.1 (0x00007ffe5c5ec000)
> > 
> >           
> >           libc.so.6 =>
> >               /lib/x86_64-linux-gnu/libc.so.6 (0x00007f08aaf9c000)
> > 
> >           
> >           /lib64/ld-linux-x86-64.so.2 (0x00007f08ab5bf000)
> > 
> >         
> >       
> >         
> > 
> >       
> >       
> >         YM
> >       
> >         
> > 
> >       
> >       
> >       From:
> >           Snort-users <snort-users-bounces at lists.snort.org> on
> >           behalf of Russ via Snort-users
> >           <snort-users at lists.snort.org>
> > 
> >           Sent: Wednesday, June 20, 2018 5:19 AM
> > 
> >           To: jlay at slave-tothe-box.net; Patrick Mullen
> >           (pamullen); Snort
> > 
> >           Subject: Re: [Snort-users] Ubuntu 18 and so rules error
> >          
> >       
> >       
> >       Hey James,
> > 
> >         
> > 
> >         Can you send the ldd output for protocol-dns.so?
> > 
> >         
> > 
> >         Thanks
> > 
> >         Russ
> > 
> >         
> > 
> >         On 6/19/18 8:29 PM, James Lay
> >           wrote:
> > 
> >         
> >         
> > >           Alas I got the same results:
> > >           An error occurred: Loading dynamic detection library
> > >             /opt/snort/lib/snort_dynamicrules/protocol-dns.so...
> > > ERROR:
> > >             Failed to load
> > >             /opt/snort/lib/snort_dynamicrules/protocol-dns.so:
> > >             /opt/snort/lib/snort_dynamicrules/protocol-dns.so:
> > > undefined
> > >             symbol: log
> > >           file info:
> > >           -rwxr-xr-x 1 root root 445824 Jun 18 11:28
> > >             /opt/snort/lib/snort_dynamicrules/protocol-dns.so
> > >           My snort was compiled like so:
> > >           ./configure --prefix=/opt/snort --enable-non-ether-
> > > decoders
> > >             --enable-sourcefire --enable-shared-rep
> > >             --enable-control-socket --enable-file-inspect
> > >             --with-daq-includes=/opt/daq/include
> > >             --with-daq-libraries=/opt/daq/lib
> > >             --with-dnet-includes=/opt/libdnet/include
> > >             --with-dnet-libraries=/opt/libdnet/lib
> > >           libdnet like so:
> > >           ./configure --prefix=/opt/libdnet CFLAGS=-fPIC -g -O2
> > >           and daq like so:
> > >           ./configure --prefix=/opt/daq
> > >           That info might help.  If you'd like and have the time
> > >             Patrick ping me off list and I can get you ssh access
> > > and
> > >             you can go to town...thank you!
> > >           James
> > >           On 2018-06-19 09:57, James Lay wrote:
> > >           
> > > >             Thanks Patrick...will test on that dev box today
> > > > and
> > > >               report my findings.
> > > >             James
> > > >             On 2018-06-18 13:25, Patrick Mullen (pamullen)
> > > > wrote:
> > > >             
> > > > >               
> > > > >                 James, Y M, and anyone else
> > > > >                   experiencing this issue.
> > > > >                  
> > > > >                 We've made a build change from
> > > > >                   feedback given to me by Russ, so please
> > > > > report back
> > > > >                   after our next release, which should be
> > > > > some time
> > > > >                   tomorrow, Tuesday, 19 June, and let me know
> > > > > if the
> > > > >                   issue has been resolved.  Unfortunately, I
> > > > > don't have
> > > > >                   the issue myself so I can't test it, but it
> > > > > should fix
> > > > >                   it.  :crosses fingers:  Thanks for your
> > > > > patience and
> > > > >                   assistance.
> > > > >                  
> > > > >                  
> > > > >                 Thanks,
> > > > >                  
> > > > >                 ~Patrick
> > > > >                  
> > > > >                  
> > > > >                 
> > > > >                   From: 
> > > > >                     "Patrick
> > > > >                       Mullen (pamullen)" 
> > > > >                         <pamullen at cisco.com>
> > > > > 
> > > > >                       Date: Friday, June 15, 2018 at
> > > > >                       1:13 PM
> > > > > 
> > > > >                       To: "jlay at slave-tothe-box.net"
> > > > >                       <jlay at slave-tothe-box.net>
> > > > > 
> > > > >                       Cc: "snort-users at lists.snort.org"
> > > > >                       <snort-users at lists.snort.org>
> > > > > 
> > > > >                       Subject: Re: [Snort-users]
> > > > >                       Ubuntu 18 and so rules error
> > > > >                 
> > > > >                 
> > > > >                    
> > > > >                 
> > > > >                 James,
> > > > >                  
> > > > >                 I'm at a loss.  Let me google and
> > > > >                   think about this and get back to you. 
> > > > > Maybe it's a a
> > > > >                   versioning issue?
> > > > >                  
> > > > >                 Anyone else have/seen this issue?
> > > > >                  
> > > > >                  
> > > > >                 Thanks,
> > > > >                  
> > > > >                 ~Patrick
> > > > >                  
> > > > >                 
> > > > >                   From: 
> > > > >                     James
> > > > >                       Lay 
> > > > >                         <jlay at slave-tothe-box.net>
> > > > > 
> > > > >                       Reply-To: "jlay at slave-tothe-box.net"
> > > > >                       <jlay at slave-tothe-box.net>
> > > > > 
> > > > >                       Date: Thursday, June 14, 2018 at
> > > > >                       5:44 PM
> > > > > 
> > > > >                       To: "Patrick Mullen (pamullen)"
> > > > >                       
> > > > >                         <pamullen at cisco.com>
> > > > > 
> > > > >                       Cc: "snort-users at lists.snort.org"
> > > > >                       <snort-users at lists.snort.org>
> > > > > 
> > > > >                       Subject: Re: [Snort-users]
> > > > >                       Ubuntu 18 and so rules error
> > > > >                 
> > > > >                 
> > > > >                    
> > > > >                 
> > > > >                 Yes....of note I am not compiling the rules,
> > > > > just
> > > > >                   using pulled pork to do it's thing.
> > > > >                 James
> > > > >                 On 2018-06-14 08:50, Patrick Mullen
> > > > > (pamullen) wrote:
> > > > >                 
> > > > > >                   
> > > > > >                     To be clear, my
> > > > > >                       example code ran first try?  Does
> > > > > > snort continue
> > > > > >                       to throw that error?
> > > > > >                      
> > > > > >                      
> > > > > >                     ~Patrick
> > > > > >                      
> > > > > >                     
> > > > > >                       From:
> > > > > >                           James Lay 
> > > > > >                             <jlay at slave-tothe-box.net>
> > > > > >                     
> > > > > >                     
> > > > > >                        
> > > > > >                     
> > > > > >                     Ran like a champ:
> > > > > >                     <snip screenshot>
> > > > > >                     now we're having some fun!
> > > > > >                     James
> > > > > >                     On 2018-06-13 09:20, Patrick Mullen
> > > > > > (pamullen)
> > > > > >                       wrote:
> > > > > >                     
> > > > > > >                       
> > > > > > >                         James,
> > > > > > >                          
> > > > > > >                         Here's
> > > > > > >                           a quick test.  If this doesn't
> > > > > > > work, then
> > > > > > >                           install whatever google tells
> > > > > > > you and it
> > > > > > >                           should fix the snort loading
> > > > > > > problem.  If it
> > > > > > >                           does, then I'm a little
> > > > > > > confused and we'll
> > > > > > >                           have to look into this further.
> > > > > > >                       
> > > > > > >                     
> > > > > > 
> > > > > >                     
> > > > > >                        
> > > > > >                     
> > > > > >                   
> > > > > >                 
> > > > > 
> > > > >                  
> > > > >                 
> > > > >                    
> > > > >                 
> > > > >               
> > > > >             
> > > > 
> > > >              
> > > >              
> > > >             
> > > > 
> > > >             _______________________________________________
> > > > 
> > > >               Snort-users mailing list
> > > > 
> > > >               Snort-users at lists.snort.org
> > > > 
> > > >               Go to this URL to change user options or
> > > > unsubscribe:
> > > > 
> > > >               https://lists.snort.org/mailman/listinfo/snort-us
> > > > ers
> > > > 
> > > >               
> > > > 
> > > >               Please visit http://blog.snort.org to stay
> > > >               current on all the latest Snort news!
> > > > 
> > > >               
> > > > 
> > > >               Please follow these rules: 
> > > >                 https://snort.org/faq/what-is-the-mailing-list-
> > > > etiquette
> > > >           
> > > 
> > >            
> > >            
> > >           
> > > 
> > >           
> > >           
> > > 
> > >           _______________________________________________Snort-
> > > users mailing listSnort-users at lists.snort.orgGo to this URL to
> > > change user options or unsubscribe:https://lists.snort.org/mailma
> > > n/listinfo/snort-users
> > > Please visit http://blog.snort.org to stay current on all the
> > > latest Snort news!
> > > Please follow these rules: https://snort.org/faq/what-is-the-mail
> > > ing-list-etiquette
> > > 
> > >         
> > 
> >         
> > 
> >       
> >       
> > 
> >       
> >       
> > 
> >       _______________________________________________Snort-users
> > mailing listSnort-users at lists.snort.orgGo to this URL to change
> > user options or unsubscribe:https://lists.snort.org/mailman/listinf
> > o/snort-users
> > Please visit http://blog.snort.org to stay current on all the
> > latest Snort news!
> > Please follow these rules: https://snort.org/faq/what-is-the-mailin
> > g-list-etiquette
> > 
> >     
> 
>     
> 
>   
> 
> _______________________________________________Snort-users mailing
> listSnort-users at lists.snort.orgGo to this URL to change user options
> or unsubscribe:https://lists.snort.org/mailman/listinfo/snort-users
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
> Please follow these rules: https://snort.org/faq/what-is-the-mailing-
> list-etiquette
> 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20180620/1c9078f5/attachment.html>


More information about the Snort-users mailing list