Good info thanks YM!

James

On 2018-06-14 15:00, Y M via Snort-users wrote:

Expanding the troubleshooting surface here, not hijacking the thread. I get the below error after a successful build:

# /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort.conf -T

Loading all dynamic detection libs from /usr/local/snort/lib/snort_dynamicrules...
Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/malware-cnc.so... done
Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/browser-ie.so... done
Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/server-webapp.so... done
Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/pua-p2p.so... done
Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/protocol-other.so... done
Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/netbios.so... done
Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/protocol-tftp.so... done
Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/malware-other.so... 
ERROR: Failed to load /usr/local/snort/lib/snort_dynamicrules/malware-other.so: /usr/local/snort/lib/snort_dynamicrules/malware-other.so: undefined symbol: sin
Fatal Error, Quitting..
 
$ ldd /usr/local/snort/bin/snort

linux-vdso.so.1 (0x00007ffc4c4bf000)
libnghttp2.so.14 => /usr/lib/x86_64-linux-gnu/libnghttp2.so.14 (0x00007f62f0f52000)
libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007f62f0ce0000)
libcrypto.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f62f089d000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f62f0699000)
libnetfilter_queue.so.1 => /usr/lib/x86_64-linux-gnu/libnetfilter_queue.so.1 (0x00007f62f0492000)
libsfbpf.so.0 => /usr/local/lib/libsfbpf.so.0 (0x00007f62f026c000)
libpcap.so.0.8 => /usr/lib/x86_64-linux-gnu/libpcap.so.0.8 (0x00007f62f002b000)
libdumbnet.so.1 => /usr/lib/x86_64-linux-gnu/libdumbnet.so.1 (0x00007f62efe1a000)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f62efbfd000)
liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f62ef9d7000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f62ef7b8000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f62ef3c7000)
/lib64/ld-linux-x86-64.so.2 (0x00007f62f239a000)
libnfnetlink.so.0 => /usr/lib/x86_64-linux-gnu/libnfnetlink.so.0 (0x00007f62ef1c0000)
libmnl.so.0 => /lib/x86_64-linux-gnu/libmnl.so.0 (0x00007f62eefba000)
 
Dependencies:
# apt-get install flex bison gcc make cmake libtool autoconf libpcap-dev libpcre3-dev liblzma-dev zlib1g-dev libnetfilter-queue-dev libdumbnet-dev openssl libssl-dev libnghttp2-dev pkg-config uuid-dev

LuaJIT 2.0.5 installed from source.

Configure:
# ./configure --prefix=/usr/local/snort --enable-sourcefire --enable-file-inspect --enable-large-pcap --enable-non-ether-decoders --enable-open-appid

# uname -a
Linux dev 4.15.0-23-generic #25-Ubuntu SMP Wed May 23 18:02:16 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

On a side note, building Snort 2.9.11.1 with libssl-dev (1.1.0g) and --enable-open-appid will fail (errors attached). Had to downgrade to libssl1.0-dev (1.0.2n) to get the build going.
 
Thanks.
YM
 

From: Snort-users <snort-users-bounces@lists.snort.org> on behalf of Patrick Mullen (pamullen) via Snort-users <snort-users@lists.snort.org>
Sent: Thursday, June 14, 2018 5:50 PM
To: jlay@slave-tothe-box.net
Cc: snort-users@lists.snort.org
Subject: Re: [Snort-users] Ubuntu 18 and so rules error
 

To be clear, my example code ran first try? Does snort continue to throw that error?

~Patrick

 

From: James Lay <jlay@slave-tothe-box.net>

Ran like a champ:

<snip screenshot>

now we're having some fun!

James

On 2018-06-13 09:20, Patrick Mullen (pamullen) wrote:

James,

Here's a quick test. If this doesn't work, then install whatever google tells you and it should fix the snort loading problem. If it does, then I'm a little confused and we'll have to look into this further.

_______________________________________________
Snort-users mailing list
Snort-users@lists.snort.org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette