wallace1819 Apprentice
Joined: 17 Aug 2002 Posts: 195 Location: VT
Posted: Thu Oct 14, 2010 6:30 pm Post subject: net-analyzer/snort-2.9.0 and DAQ libraries in Bugzilla
I have posted a new ebuild for the latest version of snort.
https://bugs.gentoo.org/show_bug.cgi?id=341013
I have also added a new ebuild for Snort's new Data Acquisition library (DAQ). Snort no longer makes direct calls to libpcap for packet I/O. These new libraries are required to build snort-2.9.0 and later.
https://bugs.gentoo.org/show_bug.cgi?id=341009
Currently the PCAP, AFpacket, and Dump DAQs are supported. I have to work with the maintainer of the iptables ebuild in order to support the IPQ and NFQ DAQs, so these will be added later.
If you have any questions, problems, or suggestions for the ebuilds, please post to the bug.
Thx,
Wally
_________________
--
@XXXXXX{====================>
They that can give up essential liberty to obtain a little
temporary safety deserve neither liberty nor safety.
- Benjamin Franklin, 1755
DrWilken Apprentice
Joined: 12 Dec 2003 Posts: 219 Location: Oelsted ("BeerPlace"), Denmark
Posted: Wed Nov 03, 2010 8:28 pm Post subject:
Hi,
I just updated snort to 2.9.0.1 (and unmasked net-libs/daq-0.3).
I'm unable to start snort now:
Code:
Running in packet dump mode
--== Initializing Snort ==--
Initializing Output Plugins!
ERROR: Can't find pcap DAQ!
Fatal Error, Quitting..

Any ideas?
_________________
-=[DrWilken]=-
ASUS AT5IONT-I (64bit Dual Core Atom D525 processor with Nvidia ION(2) GPU) running Gentoo Linux... Latest and Greatest...
tux-power.dk
DrWilken Apprentice
Joined: 12 Dec 2003 Posts: 219 Location: Oelsted ("BeerPlace"), Denmark
Posted: Thu Nov 04, 2010 7:23 pm Post subject:
Weird,
I checked which USE flags I had set for daq and I had pcap, but /usr/lib64/daq didn't exist.
I then added the pcap, dump and afpacket USE flags in /etc/portage/package.use and then recompiled daq and snort.
I've now verified that the modules exist in /usr/lib64/daq:
Code:
mainframe snort # ls -l /usr/lib64/daq/
total 60
-rwxr-xr-x 1 root root 959 Nov 4 20:07 daq_afpacket.la
-rwxr-xr-x 1 root root 18504 Nov 4 20:07 daq_afpacket.so
-rwxr-xr-x 1 root root 912 Nov 4 20:07 daq_dump.la
-rwxr-xr-x 1 root root 10272 Nov 4 20:07 daq_dump.so
-rwxr-xr-x 1 root root 912 Nov 4 20:07 daq_pcap.la
-rwxr-xr-x 1 root root 14424 Nov 4 20:07 daq_pcap.so

snort.conf was also OK:
Code:
mainframe snort # grep daq snort.conf
# daq
config daq: pcap
config daq_mode: passive
config daq_dir: /usr/lib64/daq/

...EDIT...
Permissions on the snort binary had been changed to root, so that's why I couldn't start it via the init script (which runs it as the snort user).
I've corrected the permissions, but it still seems like there's a problem with the USE flags as noted above.
_________________
-=[DrWilken]=-
ASUS AT5IONT-I (64bit Dual Core Atom D525 processor with Nvidia ION(2) GPU) running Gentoo Linux... Latest and Greatest...
tux-power.dk
Last edited by DrWilken on Sat Nov 13, 2010 8:42 pm; edited 2 times in total
pinion n00b
Joined: 11 Feb 2006 Posts: 47
Posted: Sat Nov 13, 2010 8:32 pm Post subject:
DrWilken wrote:
> Weird,
> I checked which USE flags I had set for daq and I had pcap but /usr/lib64/daq didn't exist.
> I then added both pcap, dump and afpacket USE flags in /etc/portage/package.use and then recompiled daq and snort.
> I've now verified that the modules existed in /usr/lib64/daq:
> ...

I noticed the same problem. It seems the daq ebuild may have some issues. Emerging daq with afpacket, dump, and pcap was the only way I could get anything to show up for daq in /usr/lib64/
DrWilken Apprentice
Joined: 12 Dec 2003 Posts: 219 Location: Oelsted ("BeerPlace"), Denmark
Posted: Sat Nov 13, 2010 8:46 pm Post subject:
Just had a look at the ebuild for net-libs/daq-0.3 (/usr/portage/net-libs/daq/daq-0.3.ebuild) and I'm not sure but doesn't this look wrong?
Code:
...
IUSE="ipv6 afpacket dump +pcap"
DEPEND="pcap? ( >=net-libs/libpcap-1.0.0 )
	dump? ( >=net-libs/libpcap-1.0.0 )"
RDEPEND="${DEPEND}"
src_configure() {
	econf \
		$(use_enable ipv6) \
		$(use_enable pcap pcap-module) \
		$(use_enable afpacket afpacket-module) \
		$(use_enable dump dump-module) \
		--disable-ipfw-module \
		--disable-bundled-modules
}
...

_________________
-=[DrWilken]=-
ASUS AT5IONT-I (64bit Dual Core Atom D525 processor with Nvidia ION(2) GPU) running Gentoo Linux... Latest and Greatest...
tux-power.dk
pinion n00b
Joined: 11 Feb 2006 Posts: 47
Posted: Sun Nov 14, 2010 2:28 am Post subject:
DrWilken wrote:
> Just had a look at the ebuild for net-libs/daq-0.3 (/usr/portage/net-libs/daq/daq-0.3.ebuild) and I'm not sure but doesn't this look wrong?
> Code:
> ...
> IUSE="ipv6 afpacket dump +pcap"
> DEPEND="pcap? ( >=net-libs/libpcap-1.0.0 )
> 	dump? ( >=net-libs/libpcap-1.0.0 )"
> RDEPEND="${DEPEND}"
> src_configure() {
> 	econf \
> 		$(use_enable ipv6) \
> 		$(use_enable pcap pcap-module) \
> 		$(use_enable afpacket afpacket-module) \
> 		$(use_enable dump dump-module) \
> 		--disable-ipfw-module \
> 		--disable-bundled-modules
> }
> ...

I agree, it looks fine. I apologize for blaming the ebuild without looking at it. It is interesting that in order to build the daq pcap library we needed to build all the daq libraries. Perhaps it needs more testing.
wallace1819 Apprentice
Joined: 17 Aug 2002 Posts: 195 Location: VT
Posted: Mon Nov 15, 2010 3:27 pm Post subject: Weird
I've taken a look at this. The problem does appear to be related to the actual DAQ package and not the ebuild. It appears that if you only build the pcap module nothing actually gets built. Both afpacket and dump appear to be working correctly. For now if you want to use the pcap DAQ module just make sure that either the afpacket or the dump USE flag is set as well. I'll submit a bug upstream for this.
_________________
--
@XXXXXX{====================>
They that can give up essential liberty to obtain a little
temporary safety deserve neither liberty nor safety.
- Benjamin Franklin, 1755
pinion n00b
Joined: 11 Feb 2006 Posts: 47
Posted: Mon Nov 15, 2010 6:58 pm Post subject: Re: Weird
wallace1819 wrote:
> I've taken a look at this. The problem does appear to be related to the actual DAQ package and not the ebuild. It appears that if you only build the pcap module nothing actually gets built. Both afpacket and dump appear to be working correctly. For now if you want to use the pcap DAQ module just make sure that either the afpacket or the dump USE flag is set as well. I'll submit a bug upstream for this.

Awesome, thanks for the hard work testing it. I just built all the packages to get pcap to work
norg Tux's lil' helper
Joined: 23 Aug 2010 Posts: 104 Location: Augsburg (Germany)
Posted: Tue Jun 21, 2011 2:50 pm Post subject:
I'm having the same error here, but I can't get it fixed with the init script.
I use snort 2.9.0.5 (decoder-preprocessor-rules dynamicplugin ipv6 threads zlib), daq 0.5 (afpacket dump ipv6 pcap), libpcap (bluetooth ipv6).
When I start snort with -c /etc/snort/snort.conf it's working, as I added the three lines for daq as mentioned here. But without it, the "can't find pcap DAQ" error occurs. So I thought the system doesn't use the snort.conf by default. But how can I get this working without using -c all the time? In /etc/conf.d/snort there is CONF="/etc/snort/snort.conf" and SNORT_OPTS="-D -u snort -i $IFACE -l $LOGDIR -c $CONF". But when I use /etc/init.d/snort start and then status, it says crashed. When I run the start command from the init script I get the "can't find daq" error again, although checkconfig is working. Any ideas?
jamiller n00b
Joined: 02 Nov 2011 Posts: 1
Posted: Wed Nov 02, 2011 5:24 pm Post subject:
I had this problem too, and spent ages on it because I did not read the forum properly.
As stated above, I fixed it by:
adding the suggested USE flags to /etc/portage/package.use:
Code:
net-libs/daq pcap dump afpacket

adding the following to snort.conf:
Code:
# daq
config daq: pcap
config daq_mode: passive
config daq_dir: /usr/lib64/daq/

I guess it was the latter that was missing, but I am not sure.
Jonathan
Jacekalex Guru
Joined: 17 Sep 2009 Posts: 554
Posted: Fri May 11, 2012 2:59 pm Post subject:
I had the same problem with Snort 2.9.1.
I solved it this way: I compiled DAQ and snort manually, adding to snort's configure the options for the path to the DAQ libraries and headers:
Code:
./configure {options} --with-daq-libraries=/usr/lib64 --with-daq-includes=/usr/include

Compiled in this way it works; I wonder if it will work with snortsam, and I'll add the snortsam.patch to it.
Cheers
miroR l33t
Joined: 05 Mar 2008 Posts: 826
Posted: Fri Aug 31, 2012 5:01 pm Post subject:
There is a thread on the snort mailing list. It is called:
"ERROR: Can't find pcap DAQ!"
http://seclists.org/snort/2012/q1/89
I seem to have managed to start snort, adding one more option to the ones that turned out to be needed in the above conversations.
Namely it seems to be true that somehow the emerge'd snort just can't find daq no matter what... or something else is the matter, but to that effect.
My working command only began to make snort work after I added, on top of the recommendations in the previous posts, the option:
Code:
--daq-dir /usr/lib64/daq/

I mean, regardless of it being there in the snort.conf. It just never mattered that it was there, you know!
So this seems to work here:
Code:
snort -c /etc/snort/snort.conf --daq pcap --daq-dir /usr/lib64/daq/ --daq-mode passive -i eth0

I don't mean I'm done with snort, but this much I managed at this time.
Cheers!
miroR l33t
Joined: 05 Mar 2008 Posts: 826
Posted: Fri Aug 31, 2012 5:19 pm Post subject:
There is a thread on the snort mailing list. It is called:
"ERROR: Can't find pcap DAQ!"
http://seclists.org/snort/2012/q1/89
I seem to have managed to start snort, adding one more option to the ones that turned out to be needed in the above conversations.
Namely it seems to be true that somehow the emerge'd snort just can't find daq no matter what... or something else is the matter, but to that effect.
My working command only began to make snort work after I added, on top of the recommendations in the previous posts, the option:
Code:
--daq-dir /usr/lib64/daq/

I mean, regardless of it being there in the snort.conf. It just never mattered that it was there, you know!
So this seems to work here:
Code:
snort -c /etc/snort/snort.conf --daq pcap --daq-dir /usr/lib64/daq/ --daq-mode passive -i eth0

I don't mean I'm done with snort, but this much I managed at this time.
Cheers!
P.S. I forgot to mention. As root, else it complained. I can only start it as root. As user I get the complaint:
Code:
ERROR: Can't start DAQ (-1) - socket: Operation not permitted!

And there were other problems like that, with:
pulledpork.pl
which couldn't write in /etc/snort/rules and such, and neither in /var/log/snort ...
On a sidenote, I didn't mind acquiring an oinkcode if I can use this, as they say, fine program to my benefit.
As far as pulledpork.pl goes, I only managed to get it to work at all, let alone to download rules and all, after I stuck somewhere in the perl path the manually compiled deprecated Switch.pm module.
Compiled, but it wouldn't be done the
Code:
perl -MCPAN -e 'install Switch'

way, because it failed in two or so of a few hundred tests, and that is the only thing I did by hand.
I hope ebuilds will improve on this snort program and associates! I am just a user and depend on developers and am thankful to them for their work
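A pre-start check for the "Can't find pcap DAQ!" failure this thread keeps hitting, as an added example that is not from the thread, the Gentoo ebuild or the snort project: it reads config daq: and config daq_dir: from snort.conf (the lines DrWilken's grep shows), lets command-line values override them the way miroR's --daq/--daq-dir do, and reports whether daq_<name>.so exists and is readable by the current user. Assumptions: the default DAQ name pcap, the USE-flag hint in the messages, and the constructed snort.conf used in the test.

```shell
#!/bin/sh
# Constructed diagnostic (not the ebuild's or snort's own code): repeat the
# module lookup that fails with "Can't find pcap DAQ!" before snort starts.
# Usage: check_daq_module SNORT_CONF [DAQ_NAME] [DAQ_DIR]
# Positional DAQ_NAME / DAQ_DIR override snort.conf, like --daq / --daq-dir.

# Print the value of "config KEY: VALUE" from a snort.conf; "# daq" comment
# lines do not match because the pattern requires "config" first.
conf_value() {
    # $1 = conf file, $2 = key (daq or daq_dir); last definition wins
    sed -n "s/^[[:space:]]*config[[:space:]]*$2:[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

check_daq_module() {
    conf=$1
    daq=${2:-$(conf_value "$conf" daq)}
    dir=${3:-$(conf_value "$conf" daq_dir)}
    daq=${daq:-pcap}   # assumption: snort falls back to the pcap DAQ
    if [ -z "$dir" ]; then
        echo "no daq_dir in $conf and none given; snort will use its compiled-in default" >&2
        return 2
    fi
    if [ ! -d "$dir" ]; then
        echo "daq_dir $dir does not exist (are the pcap/dump/afpacket USE flags set on net-libs/daq?)" >&2
        return 1
    fi
    mod="${dir%/}/daq_${daq}.so"
    if [ ! -r "$mod" ]; then
        echo "$mod is missing or not readable by $(id -un): expect \"Can't find $daq DAQ!\"" >&2
        ls -l "$dir" >&2
        return 1
    fi
    echo "ok: $daq DAQ module found at $mod"
    return 0
}
```

Run it as the user the init script starts snort as (for example su -s /bin/sh snort -c '...') so the readability result reflects that user's view, not root's.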
miroR l33t
Joined: 05 Mar 2008 Posts: 826
Posted: Wed Sep 05, 2012 11:30 pm Post subject:
The above what I wrote is not all the best way to go.
E.g., I think:
actually:
Code:
emerge -qavtuDN oinkmaster

is what I invariably do; when needed it's best, when not, it doesn't hurt.
But oinkmaster is better than pulledpork.pl, at this time.
Unless they fixed it in the meantime like adodb below.
However, snort now works here.
Never touched the conf of it in 2-3 days, as it took me that time to figure other necessities out for the base/adodb things to work...
But snort works. Upon physically connecting my home router to the internet to re-edit this post (on the slow Tor I needed to relog two more times while re-editing this! the price of learning anonymity, not that I need it, but I hate surveillance! see:
https://forums.gentoo.org/viewtopic-p-7125428.html#7125428
), I entered:
Code:
snort -c /etc/snort/snort.conf -dev -b

Need still "-c /etc/snort/snort.conf", but the daq settings are being read from the conf file.
And I can't even recall my tentatives and attempts. Quite too many!
Basically, this guide, however old, is mostly the way to go, but of course, not to be followed literally, but adapted to newer versions where applicable:
https://forums.gentoo.org/viewtopic-t-399801.html
But it's GNU Linux, so some things just work in all these years! Without a change! Without a change! Like the program called base!
http://base.secureideas.net/
There's adodb518.zip freshly released yesterday that works with php5.4 of the day.
And they released it just a day too late for me, just after I installed php5.3 because adodb517 wouldn't work on the 5.4...
Oh, well, at least I learned the PHP_TARGETS story and eselect php whatever ways of doing it... Never mind I don't need it at this time...
Don't, I think, don't emerge adodb.
adodb just needs to be unpacked, or maybe little else, and given its directory path to base.
You need to put this into the right (in my case /etc/php/apache2-php5.4/php.ini as I explained above) php.ini file:
Code:
date.timezone = Europe/Zagreb

Sure, use your own timezone.
Also:
Code:
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT

else you get too many warnings.
I really don't remember right now all I went through. I remember I was slamming doors and shouting at invisible torturers behind the disobedient programs and code... and getting very exhausted and depressed at times, and near nerve-wrecked... but I'm fine now...
I hope this saves some of your woes, readers!
I can tell you it's great to see clearly who you're connecting and connected to while you browse the net!
And stowed away in a database!
Just as an example. I am connecting to forums.gentoo.org through Tor.
And tell me, even if I did learn all the hex things and associates, how long would it take me to figure out the hops of the connection, when there, in some 10 sec that Tor needed to open the page, I got, free estimate for descriptive purposes, some 5 thousand more output than this arbitrarily chosen snippet:
Code:
B8 1D D2 49 57 40 64 B3 BB D2 FE 79 8B 6F D0 DF ...IW@d....y.o..
AE 19 4F 96 40 46 41 F4 F4 48 BB E3 E0 C9 D5 FC ..O.@FA..H......
F2 BE 6B 51 CD 97 82 EC 01 0D 23 53 2E E9 55 2D ..kQ......#S..U-

I might be back to say a conclusion (didn't connect anywhere else, hope it got saved fine, and hope to be able to see it and learn more how it works watching it in the browser).