Re: Ubuntu 18 and so rules error

[James Lay <jlay () slave-tothe-box net>]

Good info thanks YM! 

James 

On 2018-06-14 15:00, Y M via Snort-users wrote:

> Expanding the troubleshooting surface here, not hijacking the thread. I get the below error after a successful build: 
>
> # /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort.conf -T
>
> Loading all dynamic detection libs from /usr/local/snort/lib/snort_dynamicrules... 
>
> Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/malware-cnc.so... done 
> Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/browser-ie.so... done 
> Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/server-webapp.so... done 
> Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/pua-p2p.so... done 
> Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/protocol-other.so... done 
> Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/netbios.so... done 
> Loading dynamic detection library /usr/local/snort/lib/snort_dynamicrules/protocol-tftp.so... done Loading dynamic 
> detection library /usr/local/snort/lib/snort_dynamicrules/malware-other.so...  
> ERROR: Failed to load /usr/local/snort/lib/snort_dynamicrules/malware-other.so: 
> /usr/local/snort/lib/snort_dynamicrules/malware-other.so: undefined symbol: sin 
> Fatal Error, Quitting.. 
>
> $ ldd /usr/local/snort/bin/snort 
>
> linux-vdso.so.1 (0x00007ffc4c4bf000) 
> libnghttp2.so.14 => /usr/lib/x86_64-linux-gnu/libnghttp2.so.14 (0x00007f62f0f52000) 
> libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007f62f0ce0000) 
> libcrypto.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f62f089d000) 
> libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f62f0699000) 
> libnetfilter_queue.so.1 => /usr/lib/x86_64-linux-gnu/libnetfilter_queue.so.1 (0x00007f62f0492000) 
> libsfbpf.so.0 => /usr/local/lib/libsfbpf.so.0 (0x00007f62f026c000) 
> libpcap.so.0.8 => /usr/lib/x86_64-linux-gnu/libpcap.so.0.8 (0x00007f62f002b000) 
> libdumbnet.so.1 => /usr/lib/x86_64-linux-gnu/libdumbnet.so.1 (0x00007f62efe1a000) 
> libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f62efbfd000) 
> liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f62ef9d7000) 
> libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f62ef7b8000) 
> libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f62ef3c7000) 
> /lib64/ld-linux-x86-64.so.2 (0x00007f62f239a000) 
> libnfnetlink.so.0 => /usr/lib/x86_64-linux-gnu/libnfnetlink.so.0 (0x00007f62ef1c0000) libmnl.so.0 => 
> /lib/x86_64-linux-gnu/libmnl.so.0 (0x00007f62eefba000) 
>
> Dependencies: 
> # apt-get install flex bison gcc make cmake libtool autoconf libpcap-dev libpcre3-dev liblzma-dev zlib1g-dev 
> libnetfilter-queue-dev libdumbnet-dev openssl libssl-dev libnghttp2-dev pkg-config uuid-dev 
>
> LuaJIT 2.0.5 installed form source. 
>
> Configure: 
> # ./configure --prefix=/usr/local/snort --enable-sourcefire --enable-file-inspect --enable-large-pcap 
> --enable-non-ether-decoders --enable-open-appid
>
> # uname -a 
> Linux dev 4.15.0-23-generic #25-Ubuntu SMP Wed May 23 18:02:16 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
>
> On a side note, building Snort 2.9.11.1 with libssl-dev (1.1.0g) and --enable-open-appid will fail (errors attached). 
> Had to downgrade to libssl1.0-dev (1.0.2n) to get the build going. 
>
> Thanks. 
> YM 
>
> -------------------------
>
> FROM: Snort-users <snort-users-bounces () lists snort org> on behalf of Patrick Mullen (pamullen) via Snort-users 
> <snort-users () lists snort org>
> SENT: Thursday, June 14, 2018 5:50 PM
> TO: jlay () slave-tothe-box net
> CC: snort-users () lists snort org
> SUBJECT: Re: [Snort-users] Ubuntu 18 and so rules error 
>
> To be clear, my example code ran first try?  Does snort continue to throw that error? 
>
> ~Patrick 
>
> FROM: James Lay <jlay () slave-tothe-box net> 
>
> Ran like a champ: 
>
> <snip screenshot> 
>
> now we're having some fun! 
>
> James 
>
> On 2018-06-13 09:20, Patrick Mullen (pamullen) wrote:
>
> > James, 
> >
> > Here's a quick test.  If this doesn't work, then install whatever google tells you and it should fix the snort 
> > loading problem.  If it does, then I'm a little confused and we'll have to look into this further.
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists snort org
> Go to this URL to change user options or unsubscribe:
> https://lists.snort.org/mailman/listinfo/snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>
> Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette