Problems with installing snort 2.9.4 on centos 6.3

[עמית קליינמן <a.b.kleinmann () gmail com>]

When trying to run snort at the first time (by: ./snort -T -i eth0 -u snort
-g snort -c /etc/snort/snort.conf), I get:



ERROR: /etc/snort/snort.conf(258) Could not stat dynamic module path
"/usr/local/lib/snort_dynamicrules": No such file or directory.



I'll be more than a happy to get relevant feedback,



Amit.





*Detailed description:*



After installing a new centos 6.3 machine, I tried to install Snort, by
following the *proper *instructions given at the Snort web site:

http://s3.amazonaws.com/snort-org/www/assets/202/snort294_CentOS63.pdf



A.   Specifically for the daq installation I did the following:



 1. I downloaded daq-2.0.0.tar.gz sources from www.snort.org
 2. I extracted this tar file by invoking: sudo tar zxvf
   /Downloads/daq-2.0.0.tar.gz
 3. cd /usr/local/src/daq-2.0.0
 4. sudo ./configure
 5. sudo make
 6. sudo make install



The make could not complete, so I add to the command in step 4 above:
--disable-nfq-module
 i.e.,  ./configure --disable-nfq-module



B.   Then, I tried to invoke the ./configure command at the Snort directory.

I encountered the following problem (and thus could not complete the
installation):

./configure: line 21270: daq-modules-config: command not found

checking for daq_load_modules in -ldaq_static... no

ERROR!  daq_static library not found, go get it from  http://www.snort.org/.



At config.log the following lines provided a hint on the problem:



/usr/local/src/daq-2.0.0/api/daq_base.c:273: undefined reference to
`num_static_modules'

/usr/local/src/daq-2.0.0/api/daq_base.c:274: undefined reference to
`static_modules'

/usr/local/src/daq-2.0.0/api/daq_base.c:273: undefined reference to
`num_static_modules'





a.    Previous posts (e.g.,
http://groups.google.com/group/snortusers/browse_thread/thread/207e39a42b38d144?hl=en)
suggested that daq-modules-config was not found since its directory is not
included in the path. However, the dir of "daq-modules-config" was already
 in my PATH so when I run: "which daq-modules-config" –  I got:
/usr/local/bin/daq-modules-config

$ pwd

   /usr/local/bin

   ls -l da*

   -rwxr-xr-x. 1 root root 600 Jan 27 12:17 daq-modules-config

b.    I found  here
http://sayush.wordpress.com/2011/03/25/installing-snort-on-centos-made-simple/
a
description of a problem that looked very similar: "ldaq-static not found…
but we just installed daq right? what went wrong? the reason for this
message is that the path has not yet been added to the linker"

It was suggested there to add the line: /usr/local/lib/daq   in the file:
 /etc/ld.so.conf.d/daq.conf



LD_LIBRARY_PATH has the /usr/local/lib     I also added this line to
/etc/ld.so.conf

    $ echo $LD_LIBRARY_PATH

    :/usr/local/lib

    $ sudo more /etc/ld.so.conf

     include ld.so.conf.d/*.conf

      /usr/local/lib



As you know, ldconfig is used to create, udpate and remove symbolic links
for the current shared libraries based on the lib directories present in
the /etc/ld.so.conf.  This file already include an include line:

include /etc/ld.so.conf.d/*.conf

So the multiple *.conf file (including daq.conf) located under ld.so.conf.d
directory will be used for the same purpose.



As I mentioned I already added /usr/local/lib to the  /etc/ld.so.conf. I
also tried to add  /usr/local/lib/daq to the daq.conf file



So none of this has helped to solve the problem

It appeared that the issue was related to the fact that I install the daq
and snort at /usr/local/src using the "sudo" command.

When I reinstalled these source directories under my home directory, I
managed to complete the installation successfully.



However I am not able to confirm, since later in the installation I
encountered a new problem - when trying to run snort at the first time (by:
./snort -T -i eth0 -u snort -g snort -c /etc/snort/snort.conf), I got:



ERROR: /etc/snort/snort.conf(258) Could not stat dynamic module path
"/usr/local/lib/snort_dynamicrules": No such file or directory.



Also - part of the installation instructions includes:

chown \u2013R snort:snort snort_dynamicsrc <enter>

chmod \u2013R 700 snort_dynamicsrc <enter>



But there is no snort_dynamicsrc file or directory either, maybe this is
related?



Also there was a syntax issue with the command:

"useradd snort -d /var/log/snort -s /sbin/nologin -c SNORT_IDS \u2013g
snort "



So I resolved this by replacing it with the following two commands:

"useradd -g snort snort"

"sudo usermod -m -d /var/log/snort -s /sbin/nologin -c SNORT_IDS snort"





Many thanks to Bill Parker, Joel Esler and especially Hui Cao for the
support and help along this installation.


Amit.

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_jan

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!