Snort mailing list archives

RHEL 6 with Snort 2.9.5.6-1 and PCRE 8.33 install issue (UNCLASSIFIED)


From: "Wright, Jonathon S CTR (US)" <jonathon.s.wright.ctr () mail mil>
Date: Fri, 27 Dec 2013 20:24:44 +0000

Classification: UNCLASSIFIED
Caveats: NONE

Hey List, 

Here is the goal: I'm trying to install snort 2.9.5.6-1 on RHEL 6 with
pcre 8.33 (8.34 as of the 15th of this month). 
Below are the details of the process I am doing and issues I'm running into.
At the end, I listed 5 questions I need help with.

I found one installation guide for RHEL 6 / snort 2.9.x on how to do this
and followed it for assistance:
http://www.procyonlabs.com/guides/rhel/snort_db_by2/


After completing the guide (minor modifications, but the theory of it was
followed), I did a simple version check of snort and its dependencies with a
"snort -V". 
Snort returned this:

# snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.5.6 GRE (Build 208)
   ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.4.0
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.3

What caught my attention was the PCRE version, which is very old and has a
large number of release fixes / enhancements since 7.8, see here:
http://www.pcre.org/changelog.txt


On FreeBSD (which we are migrating from), the output of "snort -V" is
the same, except the PCRE version is correct, showing this:
Using PCRE version: 8.33 2013-05-28

So I figured I'd download the 8.34 version from pcre and build from source
and rebuild snort. Snort still reflected the old pcre version. 
I talked to Red Hat; they indicated that they baselined pcre at 7.8 for the
RHEL 6 OS and did not recommend / support it being overwritten (due to OS
binary dependencies such as grep). 

So here are my 5 questions:

1. Is the guide I followed (above url) the best way to build snort or is
there a better guide? (has anyone else done RHEL 6 / snort 2.9.5.6 / pcre
8.33)
2. Why is snort not available for RHEL 6 as an rpm or provided in any RHEL
repository? This is going to be a maintenance nightmare if everything has to
be built from source every time a new version is released (we have a large
number of servers).
3. What is the impact of not having pcre 8.34? (40% of our rules use pcre
expressions)
4. How do I compile / force snort to use the new pcre libraries if #3 above
is severe?
5. Can I leave 2 versions of pcre (one for the OS and one for Snort) on
the OS? If so, how do I repeat #4 above when a new version of snort / pcre
comes out?

If this should be on a different list also, let me know. 

Any insight is appreciated.

JW 
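An added example, not from the post or from the Snort project, for checking which PCRE a Snort binary actually loads at runtime and for building a private PCRE that leaves the RHEL system library alone. It assumes Snort 2.9.x's --with-libpcre-includes / --with-libpcre-libraries configure options and a hypothetical /opt/pcre prefix:

```shell
#!/bin/sh
# Added example (not from the original post): verify which PCRE a Snort
# binary really loads, and build a private PCRE that does not replace the
# RHEL 6 system libpcre (7.8), which grep and other OS binaries depend on.
# Assumes Snort 2.9.x configure options --with-libpcre-includes and
# --with-libpcre-libraries and a private prefix of /opt/pcre (an assumption).

# Extract the PCRE version Snort reports at runtime from "snort -V" output.
# Reads the output on stdin and prints only the version number (e.g. 7.8).
pcre_version_from_snort_v() {
    sed -n 's/.*Using PCRE version: *\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 when the runtime PCRE version matches what was built, 1 otherwise.
# Arguments: expected version, "snort -V" output as a string.
snort_uses_expected_pcre() {
    expected="$1"
    actual="$(printf '%s\n' "$2" | pcre_version_from_snort_v)"
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Show which libpcre.so the dynamic loader resolves for the installed binary.
# A path under /usr/lib64 means the system 7.8 library won the lookup.
resolved_libpcre() {
    ldd "$(command -v snort)" | awk '/libpcre\.so/ { print $3 }'
}

# Build PCRE 8.34 into a private prefix and point Snort's configure at it.
# The -rpath makes the snort binary load /opt/pcre/lib at runtime without
# touching /etc/ld.so.conf or the system library. Not run by the test.
build_snort_with_private_pcre() {
    PCRE_PREFIX=/opt/pcre
    ( cd pcre-8.34 && ./configure --prefix="$PCRE_PREFIX" && make && make install )
    ( cd snort-2.9.5.6 && \
      ./configure --with-libpcre-includes="$PCRE_PREFIX/include" \
                  --with-libpcre-libraries="$PCRE_PREFIX/lib" \
                  LDFLAGS="-Wl,-rpath,$PCRE_PREFIX/lib" && \
      make && make install )
}

# Constructed sample: the "snort -V" output quoted in the post above.
SAMPLE_SNORT_V='   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.5.6 GRE (Build 208)
           Using libpcap version 1.4.0
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.3'
```

Running `resolved_libpcre` before and after the rebuild shows whether the loader still picks the system library; `snort -V | pcre_version_from_snort_v` gives the same answer from Snort's own banner.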

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
