Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Tip: Building Snort 2.2.0 under 64-bit Sun sparc sol9

From: "Jacques Brierre" <jbrierre () Lanier com>
Date: Mon, 11 Oct 2004 10:46:29 -0400
This is a heads-up/FYI for building snort on 64-bit sparc solaris 9.
I had to spend a day at it - unexpectedly (but this is not a complaint.)
There were 3 hurdles to overcome. Google helped --A LOT (of course!)

Cheers!
I hope this helps someone.
Thanks to all posters and contributors to this site. I am learning
a whole lot from you.



Limitations:
1) these may not the most elegant or complete methods.
   I needed it to work this weekend!
2) there may be more problems not yet encountered - only the problems 
listed
   were resolved.
3) this is for a Sun/Solaris 9 64 bit system. Had I been running 32 bit 
   mode, i might have encountered different or no problems.

My system:
SunOS 5.9 sun4u sparc SUNW,Ultra-2
Memory size: 512 Megabytes
2 sparcv9 processors / 168 MHz

gcc version 3.4.2

--- problems and resolution ---

1-  libpcap
./configure error generated:

checking for pcap_datalink in -lpcap... no

   ERROR!  Libpcap library/headers not found, go get it from
   http://www.tcpdump.org
   or use the --with-libpcap-* options, if you have it installed
   in unusual place
-bash-3.00$

hint: in configure.log
configure:5826: checking for pcap_datalink in -lpcap
configure:5859: gcc -o conftest -g -O2 -Wall   -DBSD_COMP

-D_REENTRANT -I/usr/local/include/   -L/usr/local/lib/ conftest.c 
-lpcap  -lm -lsocket -lnsl  >&5
ld: warning: file /usr/local/lib//libpcap.a(pcap.o): wrong ELF class:

ELFCLASS64
Undefined                       first referenced
 symbol                             in file
pcap_datalink                       /var/tmp//ccM9VScB.o
ld: fatal: Symbol referencing errors. No output written to conftest

problem:
     linker not set for 64-bit mode
Fix: force gcc to 64-bit mode
     sudo env CC="gcc -m64" sh ./configure --with-mysql=/usr/local/mysql
result: worked for me.
credit: http://pari.math.u-bordeaux.fr/archives/pari-dev-0310/msg00039.html


2. libpcre

compile stops with the last instruction:
gcc -m64  -g -O2 -Wall  -L/usr/local/lib/  -L/usr/local/lib/
-L/usr/local/mysql/lib -o snort  codes.o debug.o decode.o log.o
mstring.o parser.o plugbase.o snort.o snprintf.o strlcatu.o
strlcpyu.o tag.o ubi_BinTree.o ubi_SplayTree.o util.o detect.o
signature.o mempool.o sf_sdlist.o fpcreate.o fpdetect.o pcrm.o
byte_extract.o sfthreshold.o packet_time.o event_wrapper.o
event_queue.o output-plugins/libspo.a detection-plugins/libspd.a
preprocessors/libspp.a preprocessors/flow/portscan/libportscan.a
preprocessors/flow/libflow.a parser/libparser.a
preprocessors/HttpInspect/libhttp_inspect.a sfutil/libsfutil.a -lz
-lpcre -lpcap -lm -lsocket -lnsl  -lmysqlclient
Undefined                       first referenced
 symbol                             in file
IXDR_GET_LONG 

detection-plugins/libspd.a(sp_rpc_check.o)
ld: fatal: Symbol referencing errors. No output written to snort
collect2: ld returned 1 exit status
make[3]: *** [snort] Error 1
make[3]: Leaving directory `/data/sol9/arch/snort-2.2.0/src'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/data/sol9/arch/snort-2.2.0/src'

problem/fix/credit:

From: http://archives.neohapsis.com/archives/snort/2004-04/0674.html

I figured this one out, with help from George. Posting it so that I can
find it again once I run into this issue a year from now.

The only place in the code where I saw IXDR_GET_LONG being referenced
was in detection-plugins/sp_rpc_check.c
As far as the includes, this symbol was only defined in rpc/xdr.h
(which George pointed out), but this file wasn't included in the snort 
source.
After trying (unsuccessfully) to "#include <rpc/xdr.h>" at the top of
sp_rpc_check.c, I just took the part where this symbol is defined in

xdr.h
and threw it into sp_rpc_check.c: "#define IXDR_GET_LONG(buf)
((long)ntohl((ulong_t)*(buf)++))". After that, no issues...

-G-



3)  libpcre (just when you thought all was well...)

-bash-3.00$ sudo /usr/local/bin/snort -vde
Password:
ld.so.1: /data/local/bin/snort: fatal: libpcre.so.0: open failed: No

such file or directory
Killed
-bash-3.00$


-bash-3.00$ ldd /usr/local/bin/snort
        libz.so.1 =>     /usr/lib/64/libz.so.1
        libpcre.so.0 =>  (file not found)
        libm.so.1 =>     /usr/lib/64/libm.so.1
        libsocket.so.1 =>        /usr/lib/64/libsocket.so.1
        libnsl.so.1 =>   /usr/lib/64/libnsl.so.1
        libc.so.1 =>     /usr/lib/64/libc.so.1
        libdl.so.1 =>    /usr/lib/64/libdl.so.1
        libmp.so.2 =>    /usr/lib/64/libmp.so.2
        /usr/platform/SUNW,Ultra-2/lib/sparcv9/libc_psr.so.1
-bash-3.00$

-bash-3.00$ truss -f -r all -v all -w all /usr/local/bin/snort
9328:   execve("/data/local/bin/snort", 0xFFFFFFFF7FFFFCD8,
0xFFFFFFFF7FFFFCE8)  argc = 1
9328:   mmap(0x00000000, 8192, PROT_READ|PROT_WRITE|PROT_EXEC, 
MAP_PRIVATE|MAP_ANON, -1, 0) = 0xFFFFFFFF7F500000
9328:   resolvepath("/data/local/bin/snort", "/data/local/bin/snort", 
1023) = 21
9328:   resolvepath("/usr/lib/sparcv9/ld.so.1", 
"/usr/lib/sparcv9/ld.so.1", 1023) = 24
9328:   stat("/data/local/bin/snort", 0xFFFFFFFF7FFFF948) = 0
9328:       d=0x000000200000001F i=8356  m=0100755 l=1  u=0     g=1 
sz=2769560
9328:           at = Oct 11 01:52:52 EDT 2004  [ 1097473972 ]
9328:           mt = Oct 11 01:44:43 EDT 2004  [ 1097473483 ]
9328:           ct = Oct 11 01:44:44 EDT 2004  [ 1097473484 ]
9328:       bsz=8192  blks=5440  fs=ufs
9328:   open("/var/ld/64/ld.config", O_RDONLY)          Err#2 ENOENT
9328:   stat("/usr/lib/64/libz.so.1", 0xFFFFFFFF7FFFF040) = 0
9328:       d=0x0000002000000010 i=231619 m=0100755 l=1  u=0     g=2 
sz=71112
9328:           at = Oct 11 01:52:27 EDT 2004  [ 1097473947 ]
9328:           mt = Oct 13 11:39:43 EDT 2003  [ 1066059583 ]
9328:           ct = Oct  2 19:56:09 EDT 2004  [ 1096761369 ]
9328:       bsz=8192  blks=140   fs=ufs
9328:   open("/usr/lib/64/libz.so.1", O_RDONLY)         = 3
9328:   mmap(0x00100000, 8192, PROT_READ|PROT_EXEC, 
MAP_PRIVATE|MAP_ALIGN, 3, 0) = 0xFFFFFFFF7F400000
9328:   mmap(0x00100000, 1114112, PROT_NONE,
MAP_PRIVATE|MAP_NORESERVE|MAP_ANON|MAP_ALIGN, -1, 0) = 0xFFFFFFFF7F200000
9328:   mmap(0xFFFFFFFF7F200000, 52630, PROT_READ|PROT_EXEC, 
MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFFFFFFFF7F200000
9328:   mmap(0xFFFFFFFF7F30C000, 11448, PROT_READ|PROT_WRITE|PROT_EXEC, 
MAP_PRIVATE|MAP_FIXED, 3, 49152) = 0xFFFFFFFF7F30C000
9328:   munmap(0xFFFFFFFF7F20E000, 1040384)             = 0
9328:   resolvepath("/usr/lib/sparcv9/libz.so.1", 
"/usr/lib/sparcv9/libz.so.1", 1023) = 26
9328:   memcntl(0xFFFFFFFF7F200000, 6768, MC_ADVISE, MADV_WILLNEED, 0, 
0) = 0
9328:   close(3)                                        = 0
9328:   stat("/usr/lib/64/libpcre.so.0", 0xFFFFFFFF7FFFF040) Err#2 ENOENT
ld.so.1: /data/local/bin/snort: fatal: libpcre.so.0: open failed: No

such file or directory
9328:   write(2, 0xFFFFFFFF7F72E510, 92)                = 92
9328:      l d . s o . 1 :   / d a t a / l o c a l / b i n / s n o r t : 
9328:      f a t a l :   l i b p c r e . s o . 0 :   o p e n   f a i l e d
9328:      :   N o   s u c h   f i l e   o r   d i r e c t o r y\n
9328:   munmap(0xFFFFFFFF7F400000, 8192)                = 0
9328:   lwp_self()                                      = 1
-bash-3.00$


fix:

# cd /usr/lib/64
# ln -s /usr/local/lib/libpcre*

-bash-3.00$ ls -l libpcr*
lrwxrwxrwx   1 root     other         24 Oct 11 02:03 libpcre.a -> 
/usr/local/lib/libpcre.a
lrwxrwxrwx   1 root     other         25 Oct 11 02:03 libpcre.la -> 
/usr/local/lib/libpcre.la
lrwxrwxrwx   1 root     other         25 Oct 11 02:03 libpcre.so -> 
/usr/local/lib/libpcre.so
lrwxrwxrwx   1 root     other         27 Oct 11 02:03 libpcre.so.0 -> 
/usr/local/lib/libpcre.so.0
lrwxrwxrwx   1 root     other         31 Oct 11 02:03 libpcre.so.0.0.1 
-> /usr/local/lib/libpcre.so.0.0.1
-bash-3.00$

result:

-bash-3.00$ ldd /usr/local/bin/snort
        libz.so.1 =>     /usr/lib/64/libz.so.1
        libpcre.so.0 =>  /usr/lib/64/libpcre.so.0
        libm.so.1 =>     /usr/lib/64/libm.so.1
        libsocket.so.1 =>        /usr/lib/64/libsocket.so.1
        libnsl.so.1 =>   /usr/lib/64/libnsl.so.1
        libc.so.1 =>     /usr/lib/64/libc.so.1
        libdl.so.1 =>    /usr/lib/64/libdl.so.1
        libmp.so.2 =>    /usr/lib/64/libmp.so.2
        /usr/platform/SUNW,Ultra-2/lib/sparcv9/libc_psr.so.1
-bash-3.00$

-bash-3.00$ sudo snort -vde
Running in packet dump mode
Log directory = /var/log/snort

Initializing Network Interface hme0

        --== Initializing Snort ==--
Initializing Output Plugins!
Decoding Ethernet on interface hme0

        --== Initialization Complete ==--

-*> Snort! <*-
Version 2.2.0 (Build 30)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
10/11-02:07:54.775238 8:0:20:85:73:64 -> 0:5:2:9:BF:ED type:0x800 len:0x92
172.16.1.110:22 -> 172.16.1.100:50860 TCP TTL:60 TOS:0x0 ID:32202 
IpLen:20 DgmLen:132 DF
***AP*** Seq: 0x237FC9B5  Ack: 0x1E383DA4  Win: 0xC050  TcpLen: 32
TCP Options (3) => NOP NOP TS: 20483282 3041158363
5C FA 6A 76 1E 09 A0 41 9F 27 94 89 8A CF 1D F0  \.jv...A.'......
2C CD D2 D7 FB DF 25 B8 26 21 BF 84 F2 29 EE 2A  ,.....%.&!...).*
96 2A FE 93 54 A8 C2 E5 7C E2 04 65 50 6E CD A8  .*..T...|..ePn..
91 C6 BC AD D5 D8 E2 3D C3 49 90 93 0A FA 6E E3  .......=.I....n.
^C
===============================================================================

Snort received 160 packets
    Analyzed: 160(100.000%)
    Dropped: 0(0.000%)
===============================================================================
Breakdown by protocol:
    TCP: 160        (100.000%) 
    UDP: 0          (0.000%) 
   ICMP: 0          (0.000%) 
    ARP: 0          (0.000%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
DISCARD: 0          (0.000%)
===============================================================================
Action Stats:
ALERTS: 0
LOGGED: 0
PASSED: 0
===============================================================================
Snort exiting
-bash-3.00$


jacques brierre
---
Lanier | Ricoh
973-882-2000 x6248
256-282-4911 - cell
---
Previous By Date Next
Previous By Thread Next

Current thread: