Gentoo Forums
net-analyzer/snort-2.9.0 and DAQ libraries in Bugzilla
wallace1819
Apprentice


Joined: 17 Aug 2002
Posts: 195
Location: VT

PostPosted: Thu Oct 14, 2010 6:30 pm    Post subject: net-analyzer/snort-2.9.0 and DAQ libraries in Bugzilla

I have posted a new ebuild for the latest version of snort.

https://bugs.gentoo.org/show_bug.cgi?id=341013

I have also added a new ebuild for Snort's new Data Acquisition library (DAQ). Snort no longer makes direct calls to libpcap for
packet I/O. These new libraries are required to build snort-2.9.0 and later.

https://bugs.gentoo.org/show_bug.cgi?id=341009

Currently the PCAP, AFpacket, and Dump DAQs are supported. I have to work with the maintainer of the iptables ebuild in order to support the IPQ and NFQ DAQs, so these will be added later.

If you have any questions, problems, or suggestions for the ebuilds, please post to the bug.

Thx,
Wally
_________________
--


@XXXXXX{====================>
They that can give up essential liberty to obtain a little
temporary safety deserve neither liberty nor safety.

- Benjamin Franklin, 1755
DrWilken
Apprentice


Joined: 12 Dec 2003
Posts: 219
Location: Oelsted ("BeerPlace"), Denmark

PostPosted: Wed Nov 03, 2010 8:28 pm    Post subject:

Hi,

I just updated snort to 2.9.0.1 (and unmasked net-libs/daq-0.3).

I'm unable to start snort now:
Code:

Running in packet dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
ERROR: Can't find pcap DAQ!
Fatal Error, Quitting..


Any ideas?
_________________
-=[DrWilken]=-
ASUS AT5IONT-I (64bit Dual Core Atom D525 processor with Nvidia ION(2) GPU) running Gentoo Linux... Latest and Greatest... :)
tux-power.dk
DrWilken
Apprentice


Joined: 12 Dec 2003
Posts: 219
Location: Oelsted ("BeerPlace"), Denmark

PostPosted: Thu Nov 04, 2010 7:23 pm    Post subject:

Weird,

I checked which USE flags I had set for daq and I had pcap, but /usr/lib64/daq didn't exist.

I then added the pcap, dump and afpacket USE flags in /etc/portage/package.use and then recompiled daq and snort.

I've now verified that the modules exist in /usr/lib64/daq:
Code:

mainframe snort # ls -l /usr/lib64/daq/
total 60
-rwxr-xr-x 1 root root   959 Nov  4 20:07 daq_afpacket.la
-rwxr-xr-x 1 root root 18504 Nov  4 20:07 daq_afpacket.so
-rwxr-xr-x 1 root root   912 Nov  4 20:07 daq_dump.la
-rwxr-xr-x 1 root root 10272 Nov  4 20:07 daq_dump.so
-rwxr-xr-x 1 root root   912 Nov  4 20:07 daq_pcap.la
-rwxr-xr-x 1 root root 14424 Nov  4 20:07 daq_pcap.so


snort.conf was also OK:
Code:

mainframe snort # grep daq snort.conf
# daq
config daq: pcap
config daq_mode: passive
config daq_dir: /usr/lib64/daq/


...EDIT...

The permissions on the snort binary had been changed to root, so that's why I couldn't start it via the init script (which runs it as the snort user).

I've corrected the permissions, but it still seems like there's a problem with the USE flags as noted above.


Last edited by DrWilken on Sat Nov 13, 2010 8:42 pm; edited 2 times in total
pinion
n00b


Joined: 11 Feb 2006
Posts: 47

PostPosted: Sat Nov 13, 2010 8:32 pm    Post subject:

DrWilken wrote:
Weird,

I checked which USE flags I had set for daq and I had pcap but /usr/lib64/daq didn't exist.

I then added both pcap, dump and afpacket USE flags in /etc/portage/package.use and then recompiled daq and snort.

I've now verified that the modules existed in /usr/lib64/daq:
...


I noticed the same problem. It seems the daq ebuild may have some issues. Emerging daq with afpacket, dump, and pcap was the only way I could get anything to show up for daq in /usr/lib64/.
DrWilken
Apprentice


Joined: 12 Dec 2003
Posts: 219
Location: Oelsted ("BeerPlace"), Denmark

PostPosted: Sat Nov 13, 2010 8:46 pm    Post subject:

Just had a look at the ebuild for net-libs/daq-0.3 (/usr/portage/net-libs/daq/daq-0.3.ebuild) and I'm not sure but doesn't this look wrong?
Code:

...
IUSE="ipv6 afpacket dump +pcap"

DEPEND="pcap? ( >=net-libs/libpcap-1.0.0 )
        dump? ( >=net-libs/libpcap-1.0.0 )"

RDEPEND="${DEPEND}"

src_configure() {

    econf \
        $(use_enable ipv6) \
        $(use_enable pcap pcap-module) \
        $(use_enable afpacket afpacket-module) \
        $(use_enable dump dump-module) \
        --disable-ipfw-module \
        --disable-bundled-modules

}
...

pinion
n00b


Joined: 11 Feb 2006
Posts: 47

PostPosted: Sun Nov 14, 2010 2:28 am    Post subject:

DrWilken wrote:
Just had a look at the ebuild for net-libs/daq-0.3 (/usr/portage/net-libs/daq/daq-0.3.ebuild) and I'm not sure but doesn't this look wrong?
Code:

...
IUSE="ipv6 afpacket dump +pcap"

DEPEND="pcap? ( >=net-libs/libpcap-1.0.0 )
        dump? ( >=net-libs/libpcap-1.0.0 )"

RDEPEND="${DEPEND}"

src_configure() {

    econf \
        $(use_enable ipv6) \
        $(use_enable pcap pcap-module) \
        $(use_enable afpacket afpacket-module) \
        $(use_enable dump dump-module) \
        --disable-ipfw-module \
        --disable-bundled-modules

}
...


I agree, it looks fine. I apologize for blaming the ebuild without looking at it. It is interesting that in order to build the daq pcap library we needed to build all the daq libraries. Perhaps it needs more testing.
wallace1819
Apprentice


Joined: 17 Aug 2002
Posts: 195
Location: VT

PostPosted: Mon Nov 15, 2010 3:27 pm    Post subject: Weird

I've taken a look at this. The problem does appear to be related to the actual DAQ package and not the ebuild. It appears that if you only build the pcap module nothing actually gets built. Both afpacket and dump appear to be working correctly. For now if you want to use the pcap DAQ module just make sure that either the afpacket or the dump USE flag is set as well. I'll submit a bug upstream for this.
pinion
n00b


Joined: 11 Feb 2006
Posts: 47

PostPosted: Mon Nov 15, 2010 6:58 pm    Post subject: Re: Weird

wallace1819 wrote:
I've taken a look at this. The problem does appear to be related to the actual DAQ package and not the ebuild. It appears that if you only build the pcap module nothing actually gets built. Both afpacket and dump appear to be working correctly. For now if you want to use the pcap DAQ module just make sure that either the afpacket or the dump USE flag is set as well. I'll submit a bug upstream for this.


Awesome, thanks for the hard work testing it. I just built all the packages to get pcap to work :)
norg
Tux's lil' helper


Joined: 23 Aug 2010
Posts: 104
Location: Augsburg (Germany)

PostPosted: Tue Jun 21, 2011 2:50 pm    Post subject:

I'm having the same error here, but I can't get it fixed with the init script.

I use snort 2.9.0.5 (decoder-preprocessor-rules dynamicplugin ipv6 threads zlib), daq 0.5 (afpacket dump ipv6 pcap), libpcap (bluetooth ipv6).

When I start snort with -c /etc/snort/snort.conf it's working, as I added the three lines for daq as mentioned here. But without it, the "can't find pcap DAQ" error occurs. So I thought the system doesn't use the snort.conf by default. But how can I get this working without using -c all the time? In /etc/conf.d/snort there is CONF="/etc/snort/snort.conf" and SNORT_OPTS="-D -u snort -i $IFACE -l $LOGDIR -c $CONF". But when I use /etc/init.d/snort start and then status, it says crashed. When I run the start command from the init script I get the "can't find DAQ" error again, although checkconfig is working. Any ideas?
jamiller
n00b


Joined: 02 Nov 2011
Posts: 1

PostPosted: Wed Nov 02, 2011 5:24 pm    Post subject:

I had this problem too, and spent ages on it because I did not read the forum properly.

As stated above, I fixed it by:

adding the suggested USE flags to /etc/portage/package.use:
Code:
net-libs/daq pcap dump afpacket

adding the following to snort.conf:
Code:
# daq
config daq: pcap
config daq_mode: passive
config daq_dir: /usr/lib64/daq/

I guess it was the latter that was missing, but I am not sure.

Jonathan
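The two fixes that recur in this thread (wallace1819's finding that net-libs/daq must be built with afpacket or dump alongside pcap before anything lands in /usr/lib64/daq, and the three `config daq*` lines jamiller added to snort.conf) can be checked before Snort is started, rather than discovering them through "ERROR: Can't find pcap DAQ!". The POSIX shell script below is an added example, not code from this thread or from the Snort or Gentoo projects. It assumes the snort.conf directives shown in the thread (`config daq:` and `config daq_dir:`) and the `daq_<name>.so` file names DrWilken listed; the fallback to pcap when no `config daq:` line is present follows Snort's documented default. The demo at the end builds a throwaway directory with empty stand-in module files, so it runs on a box without Snort installed.

```shell
#!/bin/sh
# Added example: preflight check that the DAQ module named in snort.conf
# actually exists in the directory snort.conf points at.  Mirrors what the
# posters did by hand (ls /usr/lib64/daq, grep daq snort.conf).

# Print the module name from "config daq: <name>".  Defaults to pcap when
# the line is absent (Snort's documented default DAQ).
daq_module_from_conf() {
    mod=$(sed -n 's/^config daq:[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${mod:-pcap}"
}

# Print the directory from "config daq_dir: <dir>", trailing slash removed.
# Empty output means the conf does not set it, so Snort would use its
# compiled-in default, which the thread shows cannot be relied on.
daq_dir_from_conf() {
    dir=$(sed -n 's/^config daq_dir:[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${dir%/}"
}

# check_daq CONF: returns 0 if <daq_dir>/daq_<module>.so exists, 1 otherwise,
# with a diagnosis on stderr pointing at the likely cause.
check_daq() {
    conf=$1
    mod=$(daq_module_from_conf "$conf")
    dir=$(daq_dir_from_conf "$conf")
    if [ -z "$dir" ]; then
        echo "check_daq: $conf has no 'config daq_dir:' line; add one (e.g. /usr/lib64/daq)" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "check_daq: $dir does not exist: no DAQ modules installed (check USE flags on net-libs/daq)" >&2
        return 1
    fi
    if [ ! -f "$dir/daq_$mod.so" ]; then
        echo "check_daq: $dir/daq_$mod.so is missing; modules present:" >&2
        ls "$dir"/daq_*.so >&2 2>/dev/null || echo "  (none)" >&2
        return 1
    fi
    echo "check_daq: ok, $mod DAQ found at $dir/daq_$mod.so"
    return 0
}

# Demo on a constructed fixture (no Snort needed): a fake module directory
# holding only daq_afpacket.so, and two confs pointing at it.
tmp=$(mktemp -d)
mkdir "$tmp/daq"
: > "$tmp/daq/daq_afpacket.so"
printf 'config daq: pcap\nconfig daq_mode: passive\nconfig daq_dir: %s/\n' "$tmp/daq" > "$tmp/bad.conf"
printf 'config daq: afpacket\nconfig daq_dir: %s/\n' "$tmp/daq" > "$tmp/good.conf"
check_daq "$tmp/bad.conf" || echo "bad.conf: Snort would fail with 'ERROR: Can't find pcap DAQ!'"
check_daq "$tmp/good.conf"
rm -rf "$tmp"
```

On a real system point `check_daq` at /etc/snort/snort.conf. Snort itself can report which modules it is able to load with `snort --daq-dir /usr/lib64/daq --daq-list`, which is the authoritative form of this check; the script is only useful because it explains the empty-directory case (modules never built) separately from the wrong-directory case (modules built, snort.conf not pointing at them).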
Jacekalex
Guru


Joined: 17 Sep 2009
Posts: 553

PostPosted: Fri May 11, 2012 2:59 pm    Post subject:

I had the same problem with Snort 2.9.1.
I solved it this way: I compiled DAQ and snort manually, adding to snort's configure the options with the path to the DAQ libraries and headers:
Code:
./configure {options} --with-daq-libraries=/usr/lib64 --with-daq-includes=/usr/include

Compiled this way it works. I wonder if it will work with snortsam; I'll add snortsam.patch to it.

Cheers
8)
miroR
l33t


Joined: 05 Mar 2008
Posts: 826

PostPosted: Fri Aug 31, 2012 5:01 pm    Post subject:

There is a thread about this on the snort mailing list. It is called:
"ERROR: Can't find pcap DAQ!"
http://seclists.org/snort/2012/q1/89

I seem to have managed to start snort by adding one more option to the ones that turned out to be needed in the above conversations.
Namely, it seems to be true that somehow the emerge'd snort just can't find daq no matter what... or something else is the matter, but to that effect.

My command only began to make snort work after I added, on top of the recommendations in the previous posts,
the option:
Code:
 --daq-dir /usr/lib64/daq/

I mean, regardless of it being there in snort.conf. It just never mattered that it was there, you know!
So this seems to work here:
Code:
snort -c /etc/snort/snort.conf  --daq pcap  --daq-dir /usr/lib64/daq/ --daq-mode passive -i  eth0

I don't mean I'm done with snort, but this much I managed at this time.
Cheers!
miroR
l33t


Joined: 05 Mar 2008
Posts: 826

PostPosted: Fri Aug 31, 2012 5:19 pm    Post subject:

P.S. I forgot to mention: as root, else it complained. I can only start it as root. As a user I get the complaint:
Code:
ERROR: Can't start DAQ (-1) - socket: Operation not permitted!

And there were other problems like that, with:
pulledpork.pl
which couldn't write in /etc/snort/rules and such, and neither in /var/log/snort ...
On a side note, I didn't mind acquiring an oinkcode if I can use this, as they say, fine program to my benefit.
As far as pulledpork.pl goes, I only managed to get it to work at all, let alone to download rules and all, after I stuck the manually compiled, deprecated Switch.pm module somewhere in the perl path.
I compiled it by hand because it wouldn't install the
Code:
perl -MCPAN -e 'install Switch'

way, as it failed in two or so of a few hundred tests; that is the only thing I did by hand.
I hope the ebuilds will improve on this snort program and its associates! I am just a user and depend on the developers, and am thankful to them for their work :?
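The "Can't start DAQ (-1) - socket: Operation not permitted!" in the post above is the pcap/afpacket DAQ failing to open a raw packet socket. On Linux that needs CAP_NET_RAW (and CAP_NET_ADMIN to put the interface into promiscuous mode); root has both, an ordinary user has neither, which is why the init script norg quoted starts Snort as root with `-u snort -g snort` so that it drops to the snort user only after the DAQ is open. The shell script below is an added example, not code from this thread or from Snort. It decides whether a given invocation can open the capture socket, either because it runs as root or because the binary carries file capabilities, and it parses getcap output; both the older `path = caps+eip` and the newer `path caps=eip` output formats are assumed, one capability group per line. The demo at the end feeds it constructed getcap lines, so it runs without snort or setcap installed.

```shell
#!/bin/sh
# Added example: can this invocation open a raw AF_PACKET / pcap socket?
# Snort's pcap and afpacket DAQs need CAP_NET_RAW (plus CAP_NET_ADMIN for
# promiscuous mode).  Either run as root and let Snort drop to -u/-g after
# the DAQ is open, or grant file capabilities to the binary.

# caps_allow_capture "<getcap output line>"
# Returns 0 when the line grants cap_net_raw as an Effective capability.
# Accepts "path = cap_a,cap_b+eip" (older libcap) and "path cap_a,cap_b=eip"
# (libcap >= 2.41).  Assumption: a single capability group per line.
caps_allow_capture() {
    line=$1
    [ -n "$line" ] || return 1          # getcap prints nothing: no file caps
    caps=${line##* }                    # last whitespace-separated token
    case $caps in
        *[+=]*) ;;
        *) return 1 ;;                  # no flag separator: not a caps token
    esac
    names=${caps%[+=]*}                 # e.g. "cap_net_admin,cap_net_raw"
    flags=${caps##*[+=]}                # e.g. "eip"
    case ",$names," in
        *,cap_net_raw,*) ;;
        *) return 1 ;;                  # cap_net_raw not granted at all
    esac
    case $flags in
        *e*) return 0 ;;                # Effective: usable without raising it
        *) return 1 ;;                  # Permitted/Inheritable only: not enough
    esac
}

# capture_privs_ok BINARY: 0 if running as root, or if BINARY has cap_net_raw
# effective as a file capability; 1 otherwise (expect the DAQ socket error).
capture_privs_ok() {
    bin=$1
    if [ "$(id -u)" -eq 0 ]; then
        return 0
    fi
    if command -v getcap >/dev/null 2>&1 && [ -x "$bin" ]; then
        caps_allow_capture "$(getcap "$bin" 2>/dev/null)" && return 0
    fi
    return 1
}

# Demo with constructed getcap lines (not taken from a real system).
for sample in \
    "/usr/bin/snort = cap_net_admin,cap_net_raw+eip" \
    "/usr/bin/snort cap_net_admin,cap_net_raw=ep" \
    "/usr/bin/snort = cap_net_raw+p" \
    "/usr/bin/snort = cap_net_admin+ep" \
    ""; do
    if caps_allow_capture "$sample"; then
        echo "capture ok   : '${sample:-(no caps)}'"
    else
        echo "capture fails: '${sample:-(no caps)}' -> expect \"Can't start DAQ (-1) - socket: Operation not permitted\""
    fi
done
```

The file-capability route (`setcap cap_net_raw,cap_net_admin+eip` on the snort binary) makes every user who can execute the binary able to sniff, so it only makes sense with execute permission restricted to a dedicated group; the start-as-root-then-drop route used by the Gentoo init script avoids that, but then the log directory and rule directory must be writable by the user Snort drops to, which is the other half of what the permission problems in this thread were about.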
miroR
l33t


Joined: 05 Mar 2008
Posts: 826

PostPosted: Wed Sep 05, 2012 11:30 pm    Post subject:

What I wrote above is not the best way to go in every respect.
E.g., I think:
Code:
emerge oinkmaster
actually:
Code:
emerge -qavtuDN oinkmaster
is what I invariably do; when it's needed it's best, when not, it doesn't hurt.
But oinkmaster is better than pulledpork.pl, at this time.
Unless they fixed it in the meantime, like adodb below.
However, snort now works here.
Never touched its conf in 2-3 days, as it took me that time to figure out the other necessities for the base/adodb things to work...
But snort works. Upon physically connecting my home router to the internet to re-edit this post (on the slow Tor I needed to relog two more times while re-editing this! The price of learning anonymity; not that I need it, but I hate surveillance! See:
https://forums.gentoo.org/viewtopic-p-7125428.html#7125428
), I entered:
Code:
snort -c /etc/snort/snort.conf -dev -b

It still needs " -c /etc/snort/snort.conf", but the daq settings are being read from the conf file.
And I can't even recall all my attempts. Far too many!
Basically, this guide, however old, is mostly the way to go, but of course not to be followed literally; adapt it to newer versions where applicable:
https://forums.gentoo.org/viewtopic-t-399801.html
But it's GNU/Linux, so some things just work after all these years! Without a change! Without a change! Like the program called base!
http://base.secureideas.net/
There's adodb518.zip, freshly released yesterday, that works with today's php5.4.
And they released it just a day too late for me, just after I installed php5.3 because adodb517 wouldn't work on 5.4...
Oh well, at least I learned the PHP_TARGETS story and the eselect php ways of doing it... Never mind that I don't need it at this time...
Don't, I think, emerge adodb.
adodb just needs to be unpacked, or maybe little else, and its directory path given to base.
You need to put this into the right php.ini file (in my case /etc/php/apache2-php5.4/php.ini, as I explained above):
Code:
date.timezone = Europe/Zagreb

Sure, use your own timezone.
Also:
Code:
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT

else you get too many warnings.
I really don't remember right now all I went through. I remember I was slamming doors and shouting at invisible torturers behind the disobedient programs and code... and getting very exhausted and depressed at times, and nearly a nervous wreck... but I'm fine now...
I hope this saves some of your woes, readers!
I can tell you it's great to see clearly who you're connecting to and connected with while you browse the net!
And stowed away in a database!
Just as an example: I am connecting to forums.gentoo.org through Tor.
And tell me, even if I did learn all the hex things and associates, how long would it take me to figure out the hops of the connection, when there, in the some 10 seconds that Tor needed to open the page, I got (a free estimate, for descriptive purposes) some 5 thousand more lines of output than this arbitrarily chosen snippet:
Code:
B8 1D D2 49 57 40 64 B3 BB D2 FE 79 8B 6F D0 DF  ...IW@d....y.o..
AE 19 4F 96 40 46 41 F4 F4 48 BB E3 E0 C9 D5 FC  ..O.@FA..H......
F2 BE 6B 51 CD 97 82 EC 01 0D 23 53 2E E9 55 2D  ..kQ......#S..U-

I might be back to state a conclusion (didn't connect anywhere else; I hope it got saved fine, and hope to be able to see it and learn more about how it works by watching it in the browser).
All times are GMT