
| Subject: | Re: [Snort-users] Phil Wood Libpcap Installation Problems |
|---|---|
| Date: | Thu, 01 Feb 2007 13:13:13 -0500 |
Just helped someone else with this problem. CentOS doesn't install bison by default. If you look at your configure output for libpcap you will note that it uses lex/yacc instead of flex/bison. Ensure flex and bison are installed and you should be good to go. Let me know if that doesn't work and I will work on it.

Darryl Taylor
Security Engineer
SOURCEfire
Fingerprint: AEA7 16DB 2DC3 0C3E 43A9 F1B6 E25A 6A7C 16F2 68B6
Key: http://demo.sourcefire.com/dtaylor.pgp.key

Gentoo-Wally wrote:

I'm coming a little late to the party, but I just had a similar problem. I was trying to compile snort with a libpcap that uses pfring as the ring buffer (similar to Phil Wood's stuff) and I am also using CentOS 4 with a slightly modified 2.6.9-42.0.3.EL kernel (same as Jesse).

This is what I found...

libpcap stuff from /usr/local/src/libpcap-0.9.4...

```
[root@localhost libpcap-0.9.4]# ./configure --enable-ipv6
[root@localhost libpcap-0.9.4]# make
[root@localhost libpcap-0.9.4]# gcc -shared -Wl,-soname -Wl,libpcap.so.`cat VERSION` -o libpcap.so.`cat VERSION` *.o -lc
[root@localhost libpcap-0.9.4]# make install && cp libpcap.so.0.9.4 /usr/local/lib
[root@localhost libpcap-0.9.4]# ln -s /usr/local/lib/libpcap.so.0.9.4 /usr/local/lib/libpcap.so
[root@localhost libpcap-0.9.4]# ln -s /usr/local/lib/libpcap.so.0.9.4 /usr/local/lib/libpcap.so.0
[root@localhost libpcap-0.9.4]# ln -s /usr/local/lib/libpcap.so.0.9.4 /usr/local/lib/libpcap.so.0.9
```

Giving me the following setup...

```
[root@localhost libpcap-0.9.4]# ls -l /usr/local/lib/
total 372
-rw-r--r-- 1 root root 186300 Jan 31 14:21 libpcap.a
lrwxrwxrwx 1 root root 31 Jan 31 14:24 libpcap.so -> /usr/local/lib/libpcap.so.0.9.4
lrwxrwxrwx 1 root root 31 Jan 31 14:24 libpcap.so.0 -> /usr/local/lib/libpcap.so.0.9.4
lrwxrwxrwx 1 root root 31 Jan 31 14:24 libpcap.so.0.9 -> /usr/local/lib/libpcap.so.0.9.4
-rwxr-xr-x 1 root root 181638 Jan 31 14:22 libpcap.so.0.9.4
[root@localhost libpcap-0.9.4]# echo "/usr/local/lib" >> /etc/ld.so.conf
[root@localhost libpcap-0.9.4]# ldconfig -v |grep pcap
libpcap.so.0.9.4 -> libpcap.so.0.9.4
libpcap-nessus.so.2 -> libpcap-nessus.so.2.2.5
```

Just for reference...

```
[root@localhost libpcap-0.9.4]# ls -l /usr/lib/libpcap*
lrwxrwxrwx 1 root root 23 Jan 29 16:34 /usr/lib/libpcap-nessus.so -> libpcap-nessus.so.2.2.5
lrwxrwxrwx 1 root root 23 Jan 29 16:34 /usr/lib/libpcap-nessus.so.2 -> libpcap-nessus.so.2.2.5
-rwxr-xr-x 1 root root 175953 Jan 4 11:34 /usr/lib/libpcap-nessus.so.2.2.5
```

Now when I try to compile snort from /usr/local/src/snort-2.6.0...

```
[root@localhost snort-2.6.0]# ./configure --enable-dynamicplugin --enable-timestats --enable-perfprofiling --enable-linux-smp-stats --with-libpcap-includes=/usr/local/include --with-libpcap-libraries=/usr/local/lib
```

Like Jesse's case, it complains...

```
[...]
checking for strerror... yes
checking for __FUNCTION__... yes
checking for floor in -lm... yes
checking for pcap_datalink in -lpcap... no

ERROR! Libpcap library/headers not found, go get it from http://www.tcpdump.org
or use the --with-libpcap-* options, if you have it installed in unusual place
```

What makes this really weird is that if I delete just the symlinks for the shared libs...

```
[root@localhost snort-2.6.0]# rm -rf /usr/local/lib/libpcap.so
[root@localhost snort-2.6.0]# rm -rf /usr/local/lib/libpcap.so.0
[root@localhost snort-2.6.0]# rm -rf /usr/local/lib/libpcap.so.0.9
[root@localhost snort-2.6.0]# ls -l /usr/local/lib/
total 372
-rw-r--r-- 1 root root 186300 Jan 31 14:21 libpcap.a
-rwxr-xr-x 1 root root 181638 Jan 31 14:22 libpcap.so.0.9.4
[root@localhost snort-2.6.0]# ldconfig -v |grep pcap
libpcap.so.0.9.4 -> libpcap.so.0.9.4
libpcap-nessus.so.2 -> libpcap-nessus.so.2.2.5
```

And then rerun the exact same ./configure for snort that I ran before, it configures and compiles without complaint.

I thought I'd take this a step further. I ran the _exact_ same test with a stock libpcap-0.9.4 downloaded from www.tcpdump.org _without_ any pfring stuff and even with the symlinks it configures and compiles without complaint.

Then I removed that and ran the _exact_ same test with the version of libpcap I pulled with 'yum install libpcap' which also sets up the symlinks. Only difference is it uses /usr/lib instead of /usr/local/lib. It also configures and compiles without complaint.

Sounds like there might be a problem with the function in configure that checks for pcap_datalink in the pcap library when dealing with nonstandard/patched libpcaps that use shared libraries and symlinks. Or maybe the culprit is CentOS 4 since we are both using that.

I have no idea how AC_CHECK_LIB in configure actually performs the check, but I do know that pcap_datalink does exist in a pfring enabled libpcap...

```
[root@localhost snort-2.6.0]# grep pcap_datalink /usr/local/lib/libpcap.a
Binary file /usr/local/lib/libpcap.a matches
[root@localhost snort-2.6.0]# grep pcap_datalink /usr/local/lib/libpcap.so.0.9.4
Binary file /usr/local/lib/libpcap.so.0.9.4 matches
```

Hope this helps,
Wally

On 1/24/07, Darryl Taylor <darryl.taylor@sourcefire.com> wrote:

I just did a complete install as follows on my Dual Opteron running Gentoo 2.6.17-r8:

libpcap (Phil Woods)

```
./configure --enable-shared
make
sudo make install
(ensure /usr/local/lib is in ld.so.conf)
sudo ldconfig
```

snort (with the options I use)

```
./configure --with-libpcap-library=/usr/local/lib --enable-debug \
    --enable-perfprofiling --enable-dynamicplugin
make
sudo make install
```

```
ldd /usr/local/bin/snort
libpcre.so.0 => /usr/lib/libpcre.so.0 (0x00002b3e9220e000)
libpcap-0.9.3.so => /usr/local/lib/libpcap-0.9.3.so (0x00002b3e9232a000)
libm.so.6 => /lib/libm.so.6 (0x00002b3e92459000)
libnsl.so.1 => /lib/libnsl.so.1 (0x00002b3e925af000)
libdl.so.2 => /lib/libdl.so.2 (0x00002b3e926c5000)
libc.so.6 => /lib/libc.so.6 (0x00002b3e927c9000)
/lib64/ld-linux-x86-64.so.2 (0x00002b3e920f2000)
```

After this I had a working snort-2.6.1.2.

Darryl Taylor

IT Security wrote:

I recompiled libpcap to use shared libraries and now have the following in /usr/lib:

```
lrwxrwxrwx 1 root root 16 Jan 23 08:56 /usr/lib/libpcap-0.8.3.so -> libpcap-0.9.3.so
-rwxr-xr-x 1 root root 375850 Jan 23 09:00 /usr/lib/libpcap-0.9.3.so
-rw-r--r-- 1 root root 483168 Jan 23 09:00 /usr/lib/libpcap.a
-rwxr-xr-x 1 root root 792 Jan 23 09:00 /usr/lib/libpcap.la
lrwxrwxrwx 1 root root 16 Jan 23 09:00 /usr/lib/libpcap.so -> libpcap-0.9.3.so
lrwxrwxrwx 1 root root 16 Jan 23 09:02 /usr/lib/libpcap.so.0 -> libpcap-0.9.3.so
lrwxrwxrwx 1 root root 16 Jan 23 09:03 /usr/lib/libpcap.so.0.8 -> libpcap-0.9.3.so
lrwxrwxrwx 1 root root 16 Jan 23 09:03 /usr/lib/libpcap.so.0.8.3 -> libpcap-0.9.3.so
```

I added the symlinks for libpcap 0.8.3 with hopes that it would help, but it didn't. I have run ldconfig since reinstalling libpcap. Attempting to recompile snort and tcpdump both end with the result of:

```
checking for strerror... yes
checking for __FUNCTION__... yes
checking for floor in -lm... yes
checking for pcap_datalink in -lpcap... no

ERROR! Libpcap library/headers not found, go get it from http://www.tcpdump.org
or use the --with-libpcap-* options, if you have it installed in unusual place
```

This makes me think that I'm missing something associated with libpcap. Any more ideas?

Thanks in advance.

- Jesse

-----Original Message-----
From: snort-users-bounces@lists.sourceforge.net [mailto:snort-users-bounces@lists.sourceforge.net] On Behalf Of IT Security
Sent: Tuesday, January 23, 2007 8:11 AM
To: Darryl Taylor
Cc: snort-users@lists.sourceforge.net
Subject: Re: [Snort-users] Phil Wood Libpcap Installation Problems

Darryl -

Tried with no luck. Still get the same error.

```
./configure --with-libpcap-library=/usr/local/lib
```

Thanks for the assistance.

- Jesse

-----Original Message-----
From: Darryl Taylor [mailto:darryl.taylor@sourcefire.com]
Sent: Tuesday, January 23, 2007 8:00 AM
To: darryl.taylor@sourcefire.com
Cc: IT Security; snort-users-bounces@lists.sourceforge.net; snort-users@lists.sourceforge.net
Subject: Re: [Snort-users] Phil Wood Libpcap Installation Problems

Sorry bout that. Needed a little more sleep. It should be --with-libpcap-library=[your path]

Darryl Taylor

darryl.taylor@sourcefire.com wrote:

Try ./configure --with-libpcap=/usr/local when compiling snort. If it still fails then the library was probably compiled statically. If that is the case, post back and I will tell you how to make it a shared object. I think I had this problem a few years ago.

-----Original Message-----
From: "IT Security" <ITSEC@24hourfit.com>
Date: Mon, 22 Jan 2007 17:46:59
To: <snort-users@lists.sourceforge.net>
Subject: [Snort-users] Phil Wood Libpcap Installation Problems

I'm trying to get Phil Wood's modified libpcap working on my Snort 2.6.1 sensor, but have run into some difficulties and hoping that someone out there can help.

I've downloaded and extracted libpcap-0.9.20060417.tar.gz. I then run:

```
./configure
make
make install
```

I then downloaded and extracted snort-2.6.1.1.tar.gz. I then run:

```
./configure
make
```

That's where it blows up. Here is the error:

```
<snip>
checking for pcap_datalink in -lpcap... no

ERROR! Libpcap library/headers not found, go get it from http://www.tcpdump.org
or use the --with-libpcap-* options, if you have it installed in unusual place
</snip>
```

Any ideas why the headers would be missing? Header files are identified with the .h extension correct? Where are these supposed to reside on the system?

I'm running CentOS 4 with 2.6.9-42.0.3.EL kernel.

Thanks in advance.

- Jesse

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
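On the question raised in the thread of how AC_CHECK_LIB performs the check: configure compiles and links a stub program that calls the symbol, and writes the exact command and the linker's output to config.log, so "no" means the link failed for any reason, not only that the symbol is absent. The script below is an added example, not from any poster in the thread; the log excerpt is constructed, and its line numbers, paths and missing symbol name are placeholders.

```sh
#!/bin/sh
# Constructed config.log excerpt: line numbers, paths and the missing symbol
# name (example_missing_symbol) are placeholders, not values from the thread.
sample_log() {
cat <<'EOF'
configure:5210: checking for floor in -lm
configure:5240: gcc -o conftest -g -O2 conftest.c -lm >&5
configure:5246: $? = 0
configure:5262: result: yes
configure:5301: checking for pcap_datalink in -lpcap
configure:5331: gcc -o conftest -g -O2 -L/usr/local/lib conftest.c -lpcap >&5
/usr/local/lib/libpcap.so: undefined reference to `example_missing_symbol'
collect2: ld returned 1 exit status
configure:5337: $? = 1
configure: failed program was:
| char pcap_datalink ();
| int main () { pcap_datalink (); return 0; }
configure:5362: result: no
EOF
}

# check_block SYMBOL LIB < config.log
# Print one AC_CHECK_LIB test, from its "checking for" line to its "result:" line.
check_block() {
    awk -v start="checking for $1 in -l$2" '
        index($0, start)   { on = 1 }
        on                 { print }
        on && /: result: / { exit }
    '
}

# link_errors SYMBOL LIB < config.log
# Keep only what the compiler/linker said: drop lines written by configure
# itself ("configure:...") and the echoed test program ("| ...").
link_errors() {
    check_block "$1" "$2" | grep -v -e '^configure:' -e '^| '
}

# undefined_symbols SYMBOL LIB < config.log
# Names the linker reported as undefined while linking the stub.
undefined_symbols() {
    link_errors "$1" "$2" |
        sed -n "s/.*undefined reference to \`\([^']*\)'.*/\1/p" | sort -u
}

sample_log | undefined_symbols pcap_datalink pcap
```

Against a real build, run `check_block pcap_datalink pcap < config.log` in the snort source directory after the failed ./configure to see the link command and the error behind the "no".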