Bug 196046 - Dynamic preprocessor libraries missing.
Dynamic preprocessor libraries missing.
Product: Fedora
Classification: Fedora
Component: snort (Show other bugs)
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Dennis Gilmore
Fedora Extras Quality Assurance
: 202451 (view as bug list)
Depends On:
  Show dependency treegraph
Reported: 2006-06-20 12:39 EDT by Chuck H
Modified: 2007-11-30 17:11 EST (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2006-10-10 16:12:32 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Patch to build and package the dynamic preprocessor files (2.43 KB, patch)
2006-10-04 15:44 EDT, Pedro Fernandes Macedo
no flags Details | Diff

  None (edit)
Description Chuck H 2006-06-20 12:39:46 EDT
Description of problem:
Dynamic preprocessor directory and files specified in snort.conf are not present
in the package.

Version-Release number of selected component (if applicable):

How reproducible:
Install the snort-2.6.0 package, check for existance of
/usr/local/lib/snort_dynamicpreprocessor and /usr/local/lib/snort_dynamicengine,
they will not be present.

Steps to Reproduce:
1. Install the snort-2.6.0-1.fc5 package via yum.
2. ls -la /usr/local/lib/snort_*
3. Files / directories are missing.
Actual results:
The package is missing the required files for the default snort.conf to function

Expected results:
These directories and files should be created or snort.conf should be modified
to not include their support by default.

Additional info:
Comment 1 Dennis Gilmore 2006-06-20 13:00:13 EDT
I am working on adding support for the dynamic preprocessor support. there 
will be an update this week.  however  the snort.conf  as shipped with the 
package will not work  as there are no rules packaged. Unfortunately this is 
one of those packages   that can not be shipped in a manner that you can 
install and have it just work.
Comment 2 Dave Jones 2006-09-02 21:03:24 EDT
*** Bug 202451 has been marked as a duplicate of this bug. ***
Comment 3 Marcus 2006-09-06 16:39:35 EDT
snort-2.6.0-3.fc5 as released still exhibits this problem. I removed all 
previous traces of snort and tried a clean install and still cannot start snort.
Comment 4 Dennis Gilmore 2006-09-06 16:56:32 EDT
did you get the rules from http://snort.org/rules/ they are released under the 
VRT license http://snort.org/about_snort/licenses/vrt_license.html which is 
not open source and while  we may be able to meet the terms fro redistribution  
alot of end users can not  and must buy the commercial license for the rules.

I Do still need to tweak the config file a little but I really cannot make 
snort installable in some way where it will just work for you.  It will take 
some work on your behalf to have things working.

Would it help if i make a spec file for the rules and include it in the 
documentation  so you can easily roll your own rules rpm?
Comment 5 Marcus 2006-09-07 10:14:27 EDT
Sorry, I know you are doing this on your own and without much gratitude or 
compensation. So thank you for working on this.

The rules are not my problem. I am using oinkmaster and updating the rules 
regularly. My problem is with the dynamic preprocessor not seeming to be 
compilied into this distribution. To eliminate a potential problem with 
verbage, were you trying to tell me that the dynamic prepocessors are not able 
to be distributed with this precompiled snort? If so I must have misread the 
license agreement. 

In any case, I pulled the snort source and compiled myself and was able to get 
snort running with all the bells and whistles including dynamic preprocessors. 
I am not supposed to compile anything in this environment though, so a prebuilt 
distro is much preferred. Please let me know if there is anything I can do to 
help clarify or rectify the problem.
Comment 6 Dennis Gilmore 2006-09-07 10:30:23 EDT
if you do a rpm -ql snort  it will shouw  you the dynamic preprocessors are 
indeed included  
/usr/lib64/snort/libsf_engine.so  on my x86_64 box  and 
/usr/lib/snort/libsf_engine.so on a 32 bit box.  i need to do a sed 
substitution in the spec  to have it ingoing to the right location
Comment 7 Marcus 2006-09-07 10:53:42 EDT
FromHost ******* 
ReceivedAt 2006-09-06 16:41:16 
DeviceReportedTime 2006-09-06 16:41:16 
Message FATAL ERROR: /etc/snort/snort.conf(182) => Unknown rule type: 
Facility 3 
Severity ERROR 
SysLogTag snort[9324]: 

This is the error I receive when attempting to start snort. You are correct 
that the files you indicated were compiled and are included. That does not mean 
that the snort binary knows what to do with them. Also of interest is that the 
smtp and ftp_telnet dynamic preprocessor modules are not distributed with this 
package either and are both enabled by default in the config. 
Comment 8 Matthew Hannigan 2006-09-13 00:44:06 EDT
How about including the community rules?
Comment 9 Matthew Hannigan 2006-09-13 00:45:57 EDT
also, snort needs iis unicode.map to start which is not include in the rpm.
Comment 10 Marcus 2006-09-14 09:06:43 EDT
Please be assured that my problem is not with the rules files. I use oinkmaster 
to pull the appropriate files nightly. The error is simply stating that the 
snort binary does not know how to interpret the command "dynamicpreprocessor" 
which tells snort to use the indicated modules following this command. (In my 
post showing the error, dynamicpreprocessor should be on the same line 
as "Unknown rule type:". If you look at your snort.conf file, you will probably 
see this command, (but it would have to be commented out using this 
distribution.)The dynamic preprocessor is responsible for doing more "advanced" 
scanning for specific protocols such as ftp, smtp, http, etc. 

One thing I have failed to mention, is that snort will still function without 
these. In my opinion, it is not as robust if you are not taking advantage of 
these "advanced" features though.
Comment 11 Chuck H 2006-10-03 13:38:18 EDT
Having reviewed the SPEC file being used for 2.6.0-3, it does not compile with
--enable-dynammicplugin which tells snort its actually using these.  Further, it
needs to include the rest of the dynamic plugins.  Until these issues can be
ironed out, can you please re-publish 2.4.4-4.fc5/fc4 since it was working well.
 The snort 2.6.x branch is not exactly stable right now.

Comment 12 Pedro Fernandes Macedo 2006-10-04 10:43:20 EDT
I've been working on getting snort to work here and it seems I found part of the
solution for part of the issue. 

The dynamic plugins werent being built, since the option that enables them was
missing. Just adding  "--enable-dynamicplugin" to the base snort config options
builds them, but they still dont get packaged. I'm currently trying to figure
this out.
Comment 13 Pedro Fernandes Macedo 2006-10-04 15:44:44 EDT
Created attachment 137765 [details]
Patch to build and package the dynamic preprocessor files

This patch adds the --enable-dynamicplugin option to SNORT_BASE_CONFIG and also
packages the .so files from the dynamic preprocessor. I'm certain my patch can
be a little tweaked (since I'm not very experienced with RPM packaging), but
it's currently functional (the user still needs to edit the snort.conf file to
replace the dynamicpreprocessor directive to point to
/usr/lib/snort/dynamicpreprocessor ) .
Comment 14 Dennis Gilmore 2006-10-09 13:44:43 EDT
OK  i just committed a build of for rawhide i have enabled  
dynamicplugins  there are three of them currently smtp dns and ftp 

the snort.conf file  should be pointing at them

I have added some other files in /etc/snort/  that are included in the tarball

I want to make sure this is working.  Id like to package up the community 
rules in a separate package  so that they can be updated independently. If  
anyone wants to do it feel free to.

Please provide some feedback  if things  are still not correct
Comment 15 Pedro Fernandes Macedo 2006-10-10 10:35:49 EDT
Just rebuilt the package from cvs on FC5 and it builds and works correctly here.
Comment 16 Dennis Gilmore 2006-10-10 16:12:32 EDT
Closing this as fixed  please file new reports if you find any new issues
Comment 17 John Holmstadt 2006-10-31 11:40:56 EST
Is this supposed to be fixed in I still don't see the snort-
file on my system.
Comment 18 John Holmstadt 2006-10-31 11:42:26 EST
(In reply to comment #17)
> I still don't see the snort- file on my system.

Sorry, I meant libsf_engine.so

Note You need to log in before you can comment on or make changes to this bug.