[Snort-users] Ubuntu 18 and so rules error

James Lay jlay at slave-tothe-box.net
Wed Jun 20 05:52:12 EDT 2018


Also of interest, snort does not appear to have compiled against libm
on this version of Ubuntu, other machines not on this version show libm
in the list:

	linux-vdso.so.1 (0x00007ffe6458f000)
	libnghttp2.so.14 => /usr/lib/x86_64-linux-gnu/libnghttp2.so.14
(0x00007f5e675dc000)
	libdnet.so.1 => /opt/libdnet/lib/libdnet.so.1
(0x00007f5e673ca000)
	libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3
(0x00007f5e67158000)
	libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
(0x00007f5e66ce0000)
	libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2
(0x00007f5e66adc000)
	libsfbpf.so.0 => /opt/daq/lib/libsfbpf.so.0
(0x00007f5e668b6000)
	libpcap.so.0.8 => /usr/lib/x86_64-linux-gnu/libpcap.so.0.8
(0x00007f5e66675000)
	libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1
(0x00007f5e66458000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5
(0x00007f5e66232000)
	libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0
(0x00007f5e66013000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6
(0x00007f5e65c22000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f5e68a35000)


James

On Wed, 2018-06-20 at 03:43 -0600, James Lay wrote:
> Here's what I have:
> 
> lrwxrwxrwx 1 root root 12 Jun  3 12:35 libm.so.6 -> libm-2.27.so
> 
> James
> 
> On Tue, 2018-06-19 at 23:05 -0400, Russ via Snort-users wrote:
> >     Yeah, libm.so.6 is missing.  If this is blocking you, adding
> > log(1);
> >     to main() in snort.c and building should get them to load.
> > 
> >     
> > 
> >     On 6/19/18 10:30 PM, Y M via
> >       Snort-users wrote:
> > 
> >     
> > 
> >     
> > >       
> > >        P {margin-top:0;margin-bottom:0;} 
> > >       
> > >         Same results over here with
> > >           malware-other.so.
> > >       
> > >         
> > > 
> > >       
> > >       
> > >         ERROR: Failed to load
> > >           /usr/local/snort/lib/snort_dynamicrules/malware-
> > > other.so:
> > >           /usr/local/snort/lib/snort_dynamicrules/malware-
> > > other.so:
> > >           undefined symbol: sin
> > > 
> > >       
> > >       
> > >         
> > > 
> > >       
> > >       
> > >         $ ldd
> > >           /usr/local/snort/lib/snort_dynamicrules/malware-
> > > other.so
> > > 
> > >         
> > >         linux-vdso.so.1 (0x00007ffd4f9fe000)
> > > 
> > >         
> > >         libc.so.6 =>
> > >             /lib/x86_64-linux-gnu/libc.so.6 (0x00007fa326064000)
> > > 
> > >         
> > >         /lib64/ld-linux-x86-64.so.2 (0x00007fa326781000)
> > > 
> > >       
> > >       
> > >         
> > > 
> > >         
> > >       
> > >         ..and ldd
> > >             for protocol-dns.so for comparison sake.
> > > 
> > >         
> > >       
> > >         
> > > 
> > >         
> > >       
> > >         $ ldd
> > >             /usr/local/snort/lib/snort_dynamicrules/protocol-
> > > dns.so
> > >             
> > > 
> > >           
> > >           linux-vdso.so.1 (0x00007ffe5c5ec000)
> > > 
> > >           
> > >           libc.so.6 =>
> > >               /lib/x86_64-linux-gnu/libc.so.6
> > > (0x00007f08aaf9c000)
> > > 
> > >           
> > >           /lib64/ld-linux-x86-64.so.2 (0x00007f08ab5bf000)
> > > 
> > >         
> > >       
> > >         
> > > 
> > >       
> > >       
> > >         YM
> > >       
> > >         
> > > 
> > >       
> > >       
> > >       From:
> > >           Snort-users <snort-users-bounces at lists.snort.org> on
> > >           behalf of Russ via Snort-users
> > >           <snort-users at lists.snort.org>
> > > 
> > >           Sent: Wednesday, June 20, 2018 5:19 AM
> > > 
> > >           To: jlay at slave-tothe-box.net; Patrick Mullen
> > >           (pamullen); Snort
> > > 
> > >           Subject: Re: [Snort-users] Ubuntu 18 and so rules error
> > >          
> > >       
> > >       
> > >       Hey James,
> > > 
> > >         
> > > 
> > >         Can you send the ldd output for protocol-dns.so?
> > > 
> > >         
> > > 
> > >         Thanks
> > > 
> > >         Russ
> > > 
> > >         
> > > 
> > >         On 6/19/18 8:29 PM, James Lay
> > >           wrote:
> > > 
> > >         
> > >         
> > > >           Alas I got the same results:
> > > >           An error occurred: Loading dynamic detection library
> > > >             /opt/snort/lib/snort_dynamicrules/protocol-
> > > > dns.so... ERROR:
> > > >             Failed to load
> > > >             /opt/snort/lib/snort_dynamicrules/protocol-dns.so:
> > > >             /opt/snort/lib/snort_dynamicrules/protocol-dns.so:
> > > > undefined
> > > >             symbol: log
> > > >           file info:
> > > >           -rwxr-xr-x 1 root root 445824 Jun 18 11:28
> > > >             /opt/snort/lib/snort_dynamicrules/protocol-dns.so
> > > >           My snort was compiled like so:
> > > >           ./configure --prefix=/opt/snort --enable-non-ether-
> > > > decoders
> > > >             --enable-sourcefire --enable-shared-rep
> > > >             --enable-control-socket --enable-file-inspect
> > > >             --with-daq-includes=/opt/daq/include
> > > >             --with-daq-libraries=/opt/daq/lib
> > > >             --with-dnet-includes=/opt/libdnet/include
> > > >             --with-dnet-libraries=/opt/libdnet/lib
> > > >           libdnet like so:
> > > >           ./configure --prefix=/opt/libdnet CFLAGS=-fPIC -g -O2
> > > >           and daq like so:
> > > >           ./configure --prefix=/opt/daq
> > > >           That info might help.  If you'd like and have the
> > > > time
> > > >             Patrick ping me off list and I can get you ssh
> > > > access and
> > > >             you can go to town...thank you!
> > > >           James
> > > >           On 2018-06-19 09:57, James Lay wrote:
> > > >           
> > > > >             Thanks Patrick...will test on that dev box today
> > > > > and
> > > > >               report my findings.
> > > > >             James
> > > > >             On 2018-06-18 13:25, Patrick Mullen (pamullen)
> > > > > wrote:
> > > > >             
> > > > > >               
> > > > > >                 James, Y M, and anyone else
> > > > > >                   experiencing this issue.
> > > > > >                  
> > > > > >                 We've made a build change from
> > > > > >                   feedback given to me by Russ, so please
> > > > > > report back
> > > > > >                   after our next release, which should be
> > > > > > some time
> > > > > >                   tomorrow, Tuesday, 19 June, and let me
> > > > > > know if the
> > > > > >                   issue has been resolved.  Unfortunately,
> > > > > > I don't have
> > > > > >                   the issue myself so I can't test it, but
> > > > > > it should fix
> > > > > >                   it.  :crosses fingers:  Thanks for your
> > > > > > patience and
> > > > > >                   assistance.
> > > > > >                  
> > > > > >                  
> > > > > >                 Thanks,
> > > > > >                  
> > > > > >                 ~Patrick
> > > > > >                  
> > > > > >                  
> > > > > >                 
> > > > > >                   From: 
> > > > > >                     "Patrick
> > > > > >                       Mullen (pamullen)" 
> > > > > >                         <pamullen at cisco.com>
> > > > > > 
> > > > > >                       Date: Friday, June 15, 2018 at
> > > > > >                       1:13 PM
> > > > > > 
> > > > > >                       To: "jlay at slave-tothe-box.net"
> > > > > >                       <jlay at slave-tothe-box.net>
> > > > > > 
> > > > > >                       Cc: "snort-users at lists.snort.org"
> > > > > >                       <snort-users at lists.snort.org>
> > > > > > 
> > > > > >                       Subject: Re: [Snort-users]
> > > > > >                       Ubuntu 18 and so rules error
> > > > > >                 
> > > > > >                 
> > > > > >                    
> > > > > >                 
> > > > > >                 James,
> > > > > >                  
> > > > > >                 I'm at a loss.  Let me google and
> > > > > >                   think about this and get back to you. 
> > > > > > Maybe it's a a
> > > > > >                   versioning issue?
> > > > > >                  
> > > > > >                 Anyone else have/seen this issue?
> > > > > >                  
> > > > > >                  
> > > > > >                 Thanks,
> > > > > >                  
> > > > > >                 ~Patrick
> > > > > >                  
> > > > > >                 
> > > > > >                   From: 
> > > > > >                     James
> > > > > >                       Lay 
> > > > > >                         <jlay at slave-tothe-box.net>
> > > > > > 
> > > > > >                       Reply-To: "jlay at slave-tothe-box.net"
> > > > > >                       <jlay at slave-tothe-box.net>
> > > > > > 
> > > > > >                       Date: Thursday, June 14, 2018 at
> > > > > >                       5:44 PM
> > > > > > 
> > > > > >                       To: "Patrick Mullen (pamullen)"
> > > > > >                       
> > > > > >                         <pamullen at cisco.com>
> > > > > > 
> > > > > >                       Cc: "snort-users at lists.snort.org"
> > > > > >                       <snort-users at lists.snort.org>
> > > > > > 
> > > > > >                       Subject: Re: [Snort-users]
> > > > > >                       Ubuntu 18 and so rules error
> > > > > >                 
> > > > > >                 
> > > > > >                    
> > > > > >                 
> > > > > >                 Yes....of note I am not compiling the
> > > > > > rules, just
> > > > > >                   using pulled pork to do it's thing.
> > > > > >                 James
> > > > > >                 On 2018-06-14 08:50, Patrick Mullen
> > > > > > (pamullen) wrote:
> > > > > >                 
> > > > > > >                   
> > > > > > >                     To be clear, my
> > > > > > >                       example code ran first try?  Does
> > > > > > > snort continue
> > > > > > >                       to throw that error?
> > > > > > >                      
> > > > > > >                      
> > > > > > >                     ~Patrick
> > > > > > >                      
> > > > > > >                     
> > > > > > >                       From:
> > > > > > >                           James Lay 
> > > > > > >                             <jlay at slave-tothe-box.net>
> > > > > > >                     
> > > > > > >                     
> > > > > > >                        
> > > > > > >                     
> > > > > > >                     Ran like a champ:
> > > > > > >                     <snip screenshot>
> > > > > > >                     now we're having some fun!
> > > > > > >                     James
> > > > > > >                     On 2018-06-13 09:20, Patrick Mullen
> > > > > > > (pamullen)
> > > > > > >                       wrote:
> > > > > > >                     
> > > > > > > >                       
> > > > > > > >                         James,
> > > > > > > >                          
> > > > > > > >                         Here's
> > > > > > > >                           a quick test.  If this
> > > > > > > > doesn't work, then
> > > > > > > >                           install whatever google tells
> > > > > > > > you and it
> > > > > > > >                           should fix the snort loading
> > > > > > > > problem.  If it
> > > > > > > >                           does, then I'm a little
> > > > > > > > confused and we'll
> > > > > > > >                           have to look into this
> > > > > > > > further.
> > > > > > > >                       
> > > > > > > >                     
> > > > > > > 
> > > > > > >                     
> > > > > > >                        
> > > > > > >                     
> > > > > > >                   
> > > > > > >                 
> > > > > > 
> > > > > >                  
> > > > > >                 
> > > > > >                    
> > > > > >                 
> > > > > >               
> > > > > >             
> > > > > 
> > > > >              
> > > > >              
> > > > >             
> > > > > 
> > > > >             _______________________________________________
> > > > > 
> > > > >               Snort-users mailing list
> > > > > 
> > > > >               Snort-users at lists.snort.org
> > > > > 
> > > > >               Go to this URL to change user options or
> > > > > unsubscribe:
> > > > > 
> > > > >               https://lists.snort.org/mailman/listinfo/snort-
> > > > > users
> > > > > 
> > > > >               
> > > > > 
> > > > >               Please visit http://blog.snort.org to stay
> > > > >               current on all the latest Snort news!
> > > > > 
> > > > >               
> > > > > 
> > > > >               Please follow these rules: 
> > > > >                 https://snort.org/faq/what-is-the-mailing-lis
> > > > > t-etiquette
> > > > >           
> > > > 
> > > >            
> > > >            
> > > >           
> > > > 
> > > >           
> > > >           
> > > > 
> > > >           _______________________________________________Snort-
> > > > users mailing listSnort-users at lists.snort.orgGo to this URL to
> > > > change user options or unsubscribe:https://lists.snort.org/mail
> > > > man/listinfo/snort-users
> > > > Please visit http://blog.snort.org to stay current on all the
> > > > latest Snort news!
> > > > Please follow these rules: https://snort.org/faq/what-is-the-ma
> > > > iling-list-etiquette
> > > > 
> > > >         
> > > 
> > >         
> > > 
> > >       
> > >       
> > > 
> > >       
> > >       
> > > 
> > >       _______________________________________________Snort-users
> > > mailing listSnort-users at lists.snort.orgGo to this URL to change
> > > user options or unsubscribe:https://lists.snort.org/mailman/listi
> > > nfo/snort-users
> > > Please visit http://blog.snort.org to stay current on all the
> > > latest Snort news!
> > > Please follow these rules: https://snort.org/faq/what-is-the-mail
> > > ing-list-etiquette
> > > 
> > >     
> > 
> >     
> > 
> >   
> > 
> > _______________________________________________Snort-users mailing
> > listSnort-users at lists.snort.orgGo to this URL to change user
> > options or unsubscribe:https://lists.snort.org/mailman/listinfo/sno
> > rt-users
> > Please visit http://blog.snort.org to stay current on all the
> > latest Snort news!
> > Please follow these rules: https://snort.org/faq/what-is-the-mailin
> > g-list-etiquette
> 
> _______________________________________________Snort-users mailing
> listSnort-users at lists.snort.orgGo to this URL to change user options
> or unsubscribe:https://lists.snort.org/mailman/listinfo/snort-users
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
> Please follow these rules: https://snort.org/faq/what-is-the-mailing-
> list-etiquette

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20180620/aae1d14e/attachment.html>


More information about the Snort-users mailing list