net-analyzer/snort-2.9.0 and DAQ libraries in Bugzilla

14 posts • Page 1 of 1
wallace1819
Apprentice
Posts: 195
Joined: Sat Aug 17, 2002 8:50 pm
Location: VT

Post by wallace1819 » Thu Oct 14, 2010 6:30 pm

I have posted a new ebuild for the latest version of snort.

http://bugs.gentoo.org/show_bug.cgi?id=341013

I have also added a new ebuild for Snort's new Data Acquisition library (DAQ). Snort no longer makes direct calls to libpcap for packet I/O. These new libraries are required to build snort-2.9.0 and later.

http://bugs.gentoo.org/show_bug.cgi?id=341009

Currently the PCAP, AFpacket, and Dump DAQs are supported. I have to work with the maintainer of the iptables ebuild in order to support the IPQ and NFQ DAQs, so these will be added later.

If you have any questions, problems, or suggestions for the ebuilds, please post to the bug.

Thx,
Wally
--


@XXXXXX{====================>
They that can give up essential liberty to obtain a little
temporary safety deserve neither liberty nor safety.

- Benjamin Franklin, 1755
DrWilken
Apprentice
Posts: 219
Joined: Fri Dec 12, 2003 3:18 pm
Location: Oelsted ("BeerPlace"), Denmark

Post by DrWilken » Wed Nov 03, 2010 8:28 pm

Hi,

I just updated snort to 2.9.0.1 (and unmasked net-libs/daq-0.3).

I'm unable to start snort now:

Code:

Running in packet dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
ERROR: Can't find pcap DAQ!
Fatal Error, Quitting..

Any ideas?
-=[DrWilken]=-
ASUS AT5IONT-I (64bit Dual Core Atom D525 processor with Nvidia ION(2) GPU) running Gentoo Linux... Latest and Greatest... :)
tux-power.dk
DrWilken
Apprentice
Posts: 219
Joined: Fri Dec 12, 2003 3:18 pm
Location: Oelsted ("BeerPlace"), Denmark

Post by DrWilken » Thu Nov 04, 2010 7:23 pm

Weird,

I checked which USE flags I had set for daq and I had pcap but /usr/lib64/daq didn't exist.

I then added the pcap, dump and afpacket USE flags in /etc/portage/package.use and then recompiled daq and snort.

I've now verified that the modules exist in /usr/lib64/daq:

Code:

mainframe snort # ls -l /usr/lib64/daq/
total 60
-rwxr-xr-x 1 root root   959 Nov  4 20:07 daq_afpacket.la
-rwxr-xr-x 1 root root 18504 Nov  4 20:07 daq_afpacket.so
-rwxr-xr-x 1 root root   912 Nov  4 20:07 daq_dump.la
-rwxr-xr-x 1 root root 10272 Nov  4 20:07 daq_dump.so
-rwxr-xr-x 1 root root   912 Nov  4 20:07 daq_pcap.la
-rwxr-xr-x 1 root root 14424 Nov  4 20:07 daq_pcap.so

snort.conf was also OK:

Code:

mainframe snort # grep daq snort.conf
# daq
config daq: pcap
config daq_mode: passive
config daq_dir: /usr/lib64/daq/

...EDIT...

The permissions on the snort binary had been changed to root, so that's why I couldn't start it via the init script (which runs it as the snort user).

I've corrected the permissions, but it still seems like there's a problem with the USE flags as noted above.
Last edited by DrWilken on Sat Nov 13, 2010 8:42 pm, edited 2 times in total.
pinion
n00b
Posts: 47
Joined: Sat Feb 11, 2006 6:14 pm

Post by pinion » Sat Nov 13, 2010 8:32 pm

DrWilken wrote: Weird,

I checked which USE flags I had set for daq and I had pcap but /usr/lib64/daq didn't exist.

I then added both pcap, dump and afpacket USE flags in /etc/portage/package.use and then recompiled daq and snort.

I've now verified that the modules existed in /usr/lib64/daq:
...
I noticed the same problem. It seems the daq ebuild may have some issues. Emerging daq with afpacket, dump, and pcap was the only way I could get anything to show up for daq in /usr/lib64/
DrWilken
Apprentice
Posts: 219
Joined: Fri Dec 12, 2003 3:18 pm
Location: Oelsted ("BeerPlace"), Denmark

Post by DrWilken » Sat Nov 13, 2010 8:46 pm

Just had a look at the ebuild for net-libs/daq-0.3 (/usr/portage/net-libs/daq/daq-0.3.ebuild) and I'm not sure but doesn't this look wrong?

Code:

...
IUSE="ipv6 afpacket dump +pcap"

DEPEND="pcap? ( >=net-libs/libpcap-1.0.0 )
        dump? ( >=net-libs/libpcap-1.0.0 )"

RDEPEND="${DEPEND}"

src_configure() {

    econf \
        $(use_enable ipv6) \
        $(use_enable pcap pcap-module) \
        $(use_enable afpacket afpacket-module) \
        $(use_enable dump dump-module) \
        --disable-ipfw-module \
        --disable-bundled-modules

}
...
pinion
n00b
Posts: 47
Joined: Sat Feb 11, 2006 6:14 pm

Post by pinion » Sun Nov 14, 2010 2:28 am

DrWilken wrote: Just had a look at the ebuild for net-libs/daq-0.3 (/usr/portage/net-libs/daq/daq-0.3.ebuild) and I'm not sure but doesn't this look wrong?

Code:

...
IUSE="ipv6 afpacket dump +pcap"

DEPEND="pcap? ( >=net-libs/libpcap-1.0.0 )
        dump? ( >=net-libs/libpcap-1.0.0 )"

RDEPEND="${DEPEND}"

src_configure() {

    econf \
        $(use_enable ipv6) \
        $(use_enable pcap pcap-module) \
        $(use_enable afpacket afpacket-module) \
        $(use_enable dump dump-module) \
        --disable-ipfw-module \
        --disable-bundled-modules

}
...
I agree, it looks fine. I apologize for blaming the ebuild without looking at it. It is interesting that in order to build the daq pcap library we needed to build all the daq libraries. Perhaps it needs more testing.
wallace1819
Apprentice
Posts: 195
Joined: Sat Aug 17, 2002 8:50 pm
Location: VT

Weird

Post by wallace1819 » Mon Nov 15, 2010 3:27 pm

I've taken a look at this. The problem does appear to be related to the actual DAQ package and not the ebuild. It appears that if you only build the pcap module nothing actually gets built. Both afpacket and dump appear to be working correctly. For now if you want to use the pcap DAQ module just make sure that either the afpacket or the dump USE flag is set as well. I'll submit a bug upstream for this.
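The posts above arrive at the cause by hand: DrWilken lists /usr/lib64/daq and greps snort.conf, and wallace1819 finds that USE=pcap alone produced no module at all. The POSIX sh script below is an added example, not code from this thread, from the snort project or from the Gentoo ebuilds; it automates those same checks so the "ERROR: Can't find pcap DAQ!" symptom can be triaged before snort is even started. It checks that every DAQ module the USE flags requested exists as daq_<name>.so, that the module named by "config daq:" is one of them, that "config daq_dir:" points at the directory inspected, and that the snort binary is still executable by users other than root (the init script runs it as the snort user). The function names, the /usr/bin/snort path and the fixture it builds are assumptions for illustration; the /usr/lib64/daq and /etc/snort/snort.conf paths are the ones used in the thread.

```shell
#!/bin/sh
# Added diagnostic for the "ERROR: Can't find pcap DAQ!" symptom discussed
# in this thread. Not part of snort, daq or the Gentoo ebuilds.
#
# check_daq_setup "<use flags>" <daq_dir> <snort.conf> <snort binary>
# Prints one line per check and returns 0 only when every check passes.
check_daq_setup() {
    use_flags=$1 daq_dir=${2%/} conf=$3 snort_bin=$4
    rc=0

    # 1. Each module-producing USE flag must have left a daq_<flag>.so behind.
    #    (ipv6 and other flags build no module and are skipped.)
    for flag in $use_flags; do
        case $flag in
            afpacket|dump|pcap|ipq|nfq|ipfw)
                if [ -f "$daq_dir/daq_$flag.so" ]; then
                    echo "ok: daq_$flag.so present in $daq_dir"
                else
                    echo "MISSING: USE=$flag set but $daq_dir/daq_$flag.so was not built"
                    rc=1
                fi ;;
            *) ;;
        esac
    done

    # 2. The module snort.conf selects must exist; snort defaults to pcap if unset.
    module=$(sed -n 's/^config daq:[[:space:]]*\([A-Za-z0-9_]*\).*/\1/p' "$conf" | tail -n 1)
    [ -n "$module" ] || module=pcap
    if [ -f "$daq_dir/daq_$module.so" ]; then
        echo "ok: snort.conf selects '$module' and daq_$module.so exists"
    else
        echo "MISSING: snort.conf selects '$module' but $daq_dir/daq_$module.so does not exist"
        rc=1
    fi

    # 3. config daq_dir must name the directory we just inspected (trailing / ignored).
    conf_dir=$(sed -n 's/^config daq_dir:[[:space:]]*\([^[:space:]]*\).*/\1/p' "$conf" | tail -n 1)
    if [ -z "$conf_dir" ]; then
        echo "WARN: no 'config daq_dir:' in $conf; snort falls back to its compiled-in default"
        rc=1
    elif [ "${conf_dir%/}" = "$daq_dir" ]; then
        echo "ok: config daq_dir matches $daq_dir"
    else
        echo "MISMATCH: config daq_dir is $conf_dir but modules are in $daq_dir"
        rc=1
    fi

    # 4. The binary must keep the execute bit for 'other' (-perm -001) or a
    #    non-root snort user cannot run it at all.
    if [ -n "$(find "$snort_bin" -prune -perm -001 2>/dev/null)" ]; then
        echo "ok: $snort_bin is executable by non-root users"
    else
        echo "PERMS: $snort_bin is not executable by others; the snort user cannot start it"
        rc=1
    fi
    return $rc
}

# make_fixture <root> "<built modules>": builds a constructed, throwaway layout
# shaped like the one in the posts so the checks can run without snort installed.
make_fixture() {
    root=$1 modules=$2
    mkdir -p "$root/usr/lib64/daq" "$root/etc/snort" "$root/usr/bin"
    for m in $modules; do : > "$root/usr/lib64/daq/daq_$m.so"; done
    printf '%s\n' '# daq' 'config daq: pcap' 'config daq_mode: passive' \
        "config daq_dir: $root/usr/lib64/daq/" > "$root/etc/snort/snort.conf"
    : > "$root/usr/bin/snort"
    chmod 0755 "$root/usr/bin/snort"
}

# Demo: a healthy layout, then the two failure modes reported in the thread
# (USE=pcap alone built nothing; the binary was made root-only).
tmp=$(mktemp -d)
make_fixture "$tmp/good" "afpacket dump pcap"
make_fixture "$tmp/bad" ""
chmod 0700 "$tmp/bad/usr/bin/snort"
echo "== healthy layout =="
check_daq_setup "afpacket dump pcap" "$tmp/good/usr/lib64/daq" \
    "$tmp/good/etc/snort/snort.conf" "$tmp/good/usr/bin/snort" || echo "-> problems found"
echo "== broken layout =="
check_daq_setup "pcap" "$tmp/bad/usr/lib64/daq" \
    "$tmp/bad/etc/snort/snort.conf" "$tmp/bad/usr/bin/snort" || echo "-> problems found"
rm -rf "$tmp"
```

On a real box, call check_daq_setup with the USE flags shown by `emerge -pv net-libs/daq`, /usr/lib64/daq, /etc/snort/snort.conf and the installed binary; any MISSING line is the case wallace1819 describes, and the fix in the thread is to set afpacket or dump alongside pcap and re-emerge daq.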
pinion
n00b
Posts: 47
Joined: Sat Feb 11, 2006 6:14 pm

Re: Weird

Post by pinion » Mon Nov 15, 2010 6:58 pm

wallace1819 wrote: I've taken a look at this. The problem does appear to be related to the actual DAQ package and not the ebuild. It appears that if you only build the pcap module nothing actually gets built. Both afpacket and dump appear to be working correctly. For now if you want to use the pcap DAQ module just make sure that either the afpacket or the dump USE flag is set as well. I'll submit a bug upstream for this.
Awesome, thanks for the hard work testing it. I just built all the packages to get pcap to work :)
norg
Tux's lil' helper
Posts: 104
Joined: Mon Aug 23, 2010 11:09 pm
Location: Augsburg (Germany)

Post by norg » Tue Jun 21, 2011 2:50 pm

I'm having the same error here, but I can't get it fixed with the init script.

I use snort 2.9.0.5 (decoder-preprocessor-rules dynamicplugin ipv6 threads zlib), daq 0.5 (afpacket dump ipv6 pcap), libpcap (bluetooth ipv6).

When I start snort with -c /etc/snort/snort.conf it works, as I added the three lines for daq as mentioned here. But without it, the "can't find pcap DAQ" error occurs. So I thought the system doesn't use snort.conf by default. But how can I get this working without using -c all the time? In /etc/conf.d/snort there is CONF="/etc/snort/snort.conf" and SNORT_OPTS="-D -u snort -i $IFACE -l $LOGDIR -c $CONF". But when I use /etc/init.d/snort start and then status, it says crashed. When I run the start command from the init script I get the "can't find daq" error again, although checkconfig is working. Any ideas?
jamiller
n00b
Posts: 1
Joined: Wed Nov 02, 2011 5:17 pm

Post by jamiller » Wed Nov 02, 2011 5:24 pm

I had this problem too, and spent ages on it because I did not read the forum properly.

As stated above, I fixed it by:

adding the suggested USE flags to /etc/portage/package.use:

Code:

net-libs/daq pcap dump afpacket

adding the following to snort.conf:

Code:

# daq
config daq: pcap
config daq_mode: passive
config daq_dir: /usr/lib64/daq/

I guess it was the latter that was missing, but I am not sure.

Jonathan
Jacekalex
Guru
Posts: 554
Joined: Thu Sep 17, 2009 5:18 am

Post by Jacekalex » Fri May 11, 2012 2:59 pm

I had the same problem with Snort 2.9.1.
I solved it this way: I compiled DAQ and snort manually, adding to snort's configure the options for the DAQ library and header paths:

Code:

./configure {options} --with-daq-libraries=/usr/lib64 --with-daq-includes=/usr/include

Compiled this way it works; I wonder whether it will work with snortsam, and I'll add the snortsam.patch to it.

Cheers
8)
miroR
l33t
Posts: 826
Joined: Wed Mar 05, 2008 1:56 pm

Post by miroR » Fri Aug 31, 2012 5:01 pm

There is a thread on the snort mailing list called
"ERROR: Can't find pcap DAQ!"
http://seclists.org/snort/2012/q1/89

I seem to have managed to start snort by adding one more option to the ones that turned out to be needed in the conversations above.
Namely, it seems to be true that somehow the emerged snort just can't find daq no matter what... or something else is the matter, to that effect.

My working command only began to make snort work after I added, on top of the recommendations in the previous posts, the option:

Code:

 --daq-dir /usr/lib64/daq/

I mean, regardless of it being there in snort.conf. It just never mattered that it was there, you know!
So this seems to work here:

Code:

snort -c /etc/snort/snort.conf  --daq pcap  --daq-dir /usr/lib64/daq/ --daq-mode passive -i  eth0

I don't mean I'm done with snort, but this much I managed at this time.
Cheers!
miroR
l33t
Posts: 826
Joined: Wed Mar 05, 2008 1:56 pm

Post by miroR » Fri Aug 31, 2012 5:19 pm
P.S. I forgot to mention: as root, else it complained. I can only start it as root. As a user I get the complaint:

Code:

ERROR: Can't start DAQ (-1) - socket: Operation not permitted!

And there were other problems like that, with:
pulledpork.pl
which couldn't write in /etc/snort/rules and such, and neither in /var/log/snort ...
On a side note, I didn't mind acquiring an oinkcode if I can use this, as they say, fine program to my benefit.
As far as pulledpork.pl goes, I only managed to get it to work at all, let alone to download rules and all, after I stuck the manually compiled, deprecated Switch.pm module somewhere in the perl path.
Compiled, because it wouldn't install the

Code:

perl -MCPAN -e 'install Switch'

way, as it failed two or so of a few hundred tests, and that is the only thing I did by hand.
I hope ebuilds will improve on this snort program and associates! I am just a user and depend on developers and am thankful to them for their work :?
miroR
l33t
Posts: 826
Joined: Wed Mar 05, 2008 1:56 pm

Post by miroR » Wed Sep 05, 2012 11:30 pm

What I wrote above is not all the best way to go.
E.g., I think:

Code:

emerge oinkmaster

actually:

Code:

emerge -qavtuDN oinkmaster

is what I invariably do; when needed it's best, when not, it doesn't hurt.
But oinkmaster is better than pulledpork.pl, at this time.
Unless they fixed it in the meantime, like adodb below.
However, snort now works here.
I never touched its conf in 2-3 days, as it took me that time to figure out the other necessities for the base/adodb things to work...
But snort works. Upon physically connecting my home router to the internet to re-edit this post (on the slow Tor I needed to relog two more times while re-editing this! The price of learning anonymity; not that I need it, but I hate surveillance! See:
viewtopic-p-7125428.html#7125428
), I entered:

Code:

snort -c /etc/snort/snort.conf -dev -b

I still need " -c /etc/snort/snort.conf", but the daq settings are being read from the conf file.
And I can't even recall my tentatives and attempts. Quite too many!
Basically, this guide, however old, is mostly the way to go, but of course not to be followed literally, but adapted to newer versions where applicable:
viewtopic-t-399801.html
But it's GNU Linux, so some things just work in all these years! Without a change! Without a change! Like the program called base!
http://base.secureideas.net/
There's adodb518.zip, freshly released yesterday, that works with the php5.4 of the day.
And they released it just a day too late for me, just after I installed php5.3 because adodb517 wouldn't work on 5.4...
Oh well, at least I learned the PHP_TARGETS story and the eselect php whatever ways of doing it... Never mind that I don't need it at this time...
Don't, I think, emerge adodb.
adodb just needs to be unpacked, or maybe little else, and its directory path given to base.
You need to put this into the right php.ini file (in my case /etc/php/apache2-php5.4/php.ini, as I explained above):

Code:

date.timezone = Europe/Zagreb

Sure, use your own timezone.
Also:

Code:

error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT

else you get too many warnings.
I really don't remember right now all I went through. I remember I was slamming doors and shouting at invisible torturers behind the disobedient programs and code... and getting very exhausted and depressed at times, and nearly nerve-wrecked... but I'm fine now...
I hope this saves some of your woes, readers!
I can tell you it's great to see clearly who you're connecting and connected to while you browse the net!
And stowed away in a database!
Just as an example: I am connecting to forums.gentoo.org through Tor.
And tell me, even if I did learn all the hex things and associates, how long would it take me to figure out the hops of the connection, when there, in the some 10 sec that Tor needed to open the page, I got, as a free estimate for descriptive purposes, some 5 thousand more output than this arbitrarily chosen snippet:

Code:

B8 1D D2 49 57 40 64 B3 BB D2 FE 79 8B 6F D0 DF  ...IW@d....y.o..
AE 19 4F 96 40 46 41 F4 F4 48 BB E3 E0 C9 D5 FC  ..O.@FA..H......
F2 BE 6B 51 CD 97 82 EC 01 0D 23 53 2E E9 55 2D  ..kQ......#S..U-

I might be back to say a conclusion (didn't connect anywhere else, hope it got saved fine, and hope to be able to see it and learn more how it works watching it in the browser).
© 2001–2026 Gentoo Authors
Gentoo is a trademark of the Gentoo Foundation, Inc. and of Förderverein Gentoo e.V.
The contents of this document, unless otherwise expressly stated, are licensed under the CC-BY-SA-4.0 license.