Re: Snort missing C99 patch

[Michael Altizer <mialtize () cisco com>]

For the record, the RPM shouldn't touch anything in /usr/local - 
anything there would probably be artifacts from a previous personal 
build that was installed (/usr/local being the default prefix if you 
just run ./configure, but distro RPMs change the prefix to /usr).  For 
example, here are the header contents of daq-2.0.4.centos7.x86_64.rpm 
from the snort.org website:

$ rpm -qpl daq-2.0.4.centos7.x86_64.rpm | grep include
/usr/include/daq.h
/usr/include/daq_api.h
/usr/include/daq_common.h
/usr/include/sfbpf.h
/usr/include/sfbpf_dlt.h

On 11/21/2014 12:51 PM, Terry John wrote:
> Thanks for that. I had already updated the daq. Sorry I omitted to say 
> that in my original post.
>
> I think I have found a workaround now. I posted it a couple of minutes 
> ago.
>
> cd  /usr/local/include/
>
> rm daq.h daq_api.h  daq_common.h  sfbpf.h  sfbpf_dlt.h
>
> I think the rpm build should be able to remove previous rpm build 
> files if they are no longer needed. Perhaps this hasn’t been 
> considered yet.
>
> Terry
>
> *From:*Michael Altizer [mailto:mialtize () cisco com]
> *Sent:* 21 November 2014 17:27
> *To:* snort-users () lists sourceforge net
> *Subject:* Re: [Snort-users] Snort missing C99 patch
>
> Sounds like the DAQ library you have is an alpha/beta version, which 
> is what that check was put in to detect (it has the new function, but 
> an old version of the struct definition).  If you look at 
> daq_common.h, you should see that the DAQ_DP_key_t structure looks 
> like this:
>
> typedef struct _DAQ_DP_key_t {
>     uint32_t af;                /* AF_INET or AF_INET6 */
>     union {
>         struct in_addr src_ip4;
>         struct in6_addr src_ip6;
>     } sa;
>     union {
>         struct in_addr dst_ip4;
>         struct in6_addr dst_ip6;
>     } da;
>     uint8_t protocol;           /* TCP or UDP (IPPROTO_TCP or 
> IPPROTO_UDP )*/
>     uint16_t src_port;          /* TCP/UDP source port */
>     uint16_t dst_port;          /* TCP/UDP destination port */
>     uint16_t address_space_id;  /* Address Space ID */
>     uint16_t tunnel_type;       /* Tunnel type */
>     uint16_t vlan_id;           /* VLAN ID */
>     uint16_t vlan_cnots;
> } DAQ_DP_key_t;
>
> Note the named 'sa' and 'da' unions.  If it doesn't look like that, 
> you need to update with the final version of libdaq 2.0.4, which is 
> available on the snort.org website. I just verified that the src.rpm 
> there has the right version of the headers.
>
> On 11/21/2014 11:16 AM, Terry John wrote:
>
>     I’m trying to update an existing 2.9.6.0 version of snort on
>     Centos 6.5. I was disappointed to see that Snort no longer
>     provides RPM’s for Centos 6 so I rpmbuilt my own from the src.rpm
>     files.
>
>     That daq built ok but the snort still insisted on looking for the
>     old libdnet v 1.11 so I decided to compile from source using
>     snort-2.9.7.0.tar.gz .
>
>     I did a yum update on the daq and that seems ok. But when I did a
>     ./configure –enable-sourcefire as suggested in the setup guide
>     (https://www.snort.org/documents/4) I got the error:
>
>     checking for daq_dp_add_dc... yes
>
>     checking for struct _DAQ_DP_key_t.sa.src_ip4... no
>
>        ERROR!  daq library missing C99 patch, upgrade to >=2.0.4, go
>     get it from
>
>     http://www.snort.org/.
>
>     From a clean install on a virtualbox using the same daq rpm snort
>     compiles fine. Could t be a problem that the daq RPM can’t do a
>     clean update on an existing system?
>
>     Thanks
>
>     Terry
>
>     The Manheim group of companies within the UK comprises: Manheim
>     Europe Limited (registered number: 03183918), Manheim Auctions
>     Limited (registered number: 00448761), Manheim Retail Services
>     Limited (registered number: 02838588), Motors.co.uk Limited
>     (registered number: 05975777), Real Time Communications Limited
>     (registered number: 04277845) and Complete Automotive Solutions
>     Limited (registered number: 05302535). Each of these companies is
>     registered in England and Wales with the registered office address
>     of Central House, Leeds Road, Rothwell, Leeds LS26 0JE. The
>     Manheim group of companies operates under various brand/trading
>     names including Manheim Inspection Services, Manheim Auctions,
>     Manheim Direct, Manheim De-fleet and Manheim Aftersales Solutions.
>
>     V:0CF72C13B2AC
>
>
>
>
>     ------------------------------------------------------------------------------
>
>     Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
>
>     from Actuate! Instantly Supercharge Your Business Reports and Dashboards
>
>     with Interactivity, Sharing, Native Excel Exports, App Integration & more
>
>     Get technology previously reserved for billion-dollar corporations, FREE
>
>     http://pubads.g.doubleclick.net/gampad/clk?id=157005751&iu=/4140/ostg.clktrk
>
>
>
>
>     _______________________________________________
>
>     Snort-users mailing list
>
>     Snort-users () lists sourceforge net  <mailto:Snort-users () lists sourceforge net>
>
>     Go to this URL to change user options or unsubscribe:
>
>     https://lists.sourceforge.net/lists/listinfo/snort-users
>
>     Snort-users list archive:
>
>     http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
>       
>
>     Please visithttp://blog.snort.org  to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
from Actuate! Instantly Supercharge Your Business Reports and Dashboards
with Interactivity, Sharing, Native Excel Exports, App Integration & more
Get technology previously reserved for billion-dollar corporations, FREE
http://pubads.g.doubleclick.net/gampad/clk?id=157005751&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!