Red Hat Bugzilla – Bug 196046
Dynamic preprocessor libraries missing.
Last modified: 2007-11-30 17:11:35 EST
Description of problem:
Dynamic preprocessor directory and files specified in snort.conf are not present
in the package.
Version-Release number of selected component (if applicable):
Install the snort-2.6.0 package, check for existence of
/usr/local/lib/snort_dynamicpreprocessor and /usr/local/lib/snort_dynamicengine,
they will not be present.
Steps to Reproduce:
1. Install the snort-2.6.0-1.fc5 package via yum.
2. ls -la /usr/local/lib/snort_*
3. Files / directories are missing.
The package is missing the required files for the default snort.conf to function.
These directories and files should be created or snort.conf should be modified
to not include their support by default.
I am working on adding dynamic preprocessor support. There
will be an update this week. However, the snort.conf as shipped with the
package will not work as there are no rules packaged. Unfortunately this is
one of those packages that cannot be shipped in a manner that you can
install and have it just work.
*** Bug 202451 has been marked as a duplicate of this bug. ***
snort-2.6.0-3.fc5 as released still exhibits this problem. I removed all
previous traces of snort and tried a clean install and still cannot start snort.
Did you get the rules from http://snort.org/rules/? They are released under the
VRT license http://snort.org/about_snort/licenses/vrt_license.html which is
not open source, and while we may be able to meet the terms for redistribution,
a lot of end users cannot and must buy the commercial license for the rules.
I do still need to tweak the config file a little, but I really cannot make
snort installable in some way where it will just work for you. It will take
some work on your behalf to have things working.
Would it help if I make a spec file for the rules and include it in the
documentation so you can easily roll your own rules rpm?
Sorry, I know you are doing this on your own and without much gratitude or
compensation. So thank you for working on this.
The rules are not my problem. I am using oinkmaster and updating the rules
regularly. My problem is with the dynamic preprocessor not seeming to be
compiled into this distribution. To eliminate a potential problem with
verbiage, were you trying to tell me that the dynamic preprocessors are not able
to be distributed with this precompiled snort? If so I must have misread the
In any case, I pulled the snort source and compiled myself and was able to get
snort running with all the bells and whistles including dynamic preprocessors.
I am not supposed to compile anything in this environment though, so a prebuilt
distro is much preferred. Please let me know if there is anything I can do to
help clarify or rectify the problem.
If you do an rpm -ql snort it will show you the dynamic preprocessors are
/usr/lib64/snort/libsf_engine.so on my x86_64 box and
/usr/lib/snort/libsf_engine.so on a 32 bit box. I need to do a sed
substitution in the spec to have it going to the right location.
ReceivedAt 2006-09-06 16:41:16
DeviceReportedTime 2006-09-06 16:41:16
Message FATAL ERROR: /etc/snort/snort.conf(182) => Unknown rule type:
This is the error I receive when attempting to start snort. You are correct
that the files you indicated were compiled and are included. That does not mean
that the snort binary knows what to do with them. Also of interest is that the
smtp and ftp_telnet dynamic preprocessor modules are not distributed with this
package either and are both enabled by default in the config.
How about including the community rules?
Also, snort needs iis unicode.map to start, which is not included in the rpm.
Please be assured that my problem is not with the rules files. I use oinkmaster
to pull the appropriate files nightly. The error is simply stating that the
snort binary does not know how to interpret the command "dynamicpreprocessor"
which tells snort to use the indicated modules following this command. (In my
post showing the error, dynamicpreprocessor should be on the same line
as "Unknown rule type:".) If you look at your snort.conf file, you will probably
see this command (but it would have to be commented out using this
distribution). The dynamic preprocessor is responsible for doing more "advanced"
scanning for specific protocols such as ftp, smtp, http, etc.
One thing I have failed to mention, is that snort will still function without
these. In my opinion, it is not as robust if you are not taking advantage of
these "advanced" features though.
Having reviewed the SPEC file being used for 2.6.0-3, it does not compile with
--enable-dynamicplugin which tells snort it's actually using these. Further, it
needs to include the rest of the dynamic plugins. Until these issues can be
ironed out, can you please re-publish 2.4.4-4.fc5/fc4 since it was working well.
The snort 2.6.x branch is not exactly stable right now.
I've been working on getting snort to work here and it seems I found part of the
solution for part of the issue.
The dynamic plugins weren't being built, since the option that enables them was
missing. Just adding "--enable-dynamicplugin" to the base snort config options
builds them, but they still don't get packaged. I'm currently trying to figure
Created attachment 137765 [details]
Patch to build and package the dynamic preprocessor files
This patch adds the --enable-dynamicplugin option to SNORT_BASE_CONFIG and also
packages the .so files from the dynamic preprocessor. I'm certain my patch can
be a little tweaked (since I'm not very experienced with RPM packaging), but
it's currently functional (the user still needs to edit the snort.conf file to
replace the dynamicpreprocessor directive to point to
/usr/lib/snort/dynamicpreprocessor ) .
OK, I just committed a build of 126.96.36.199 for rawhide. I have enabled
dynamicplugins; there are three of them currently: smtp, dns and ftp.
The snort.conf file should be pointing at them.
I have added some other files in /etc/snort/ that are included in the tarball.
I want to make sure this is working. I'd like to package up the community
rules in a separate package so that they can be updated independently. If
anyone wants to do it feel free to.
Please provide some feedback if things are still not correct.
Just rebuilt the package from cvs on FC5 and it builds and works correctly here.
Closing this as fixed. Please file new reports if you find any new issues.
Is this supposed to be fixed in 188.8.131.52-2? I still don't see the snort-184.108.40.206-2
file on my system.
(In reply to comment #17)
> I still don't see the snort-220.127.116.11-2 file on my system.
Sorry, I meant libsf_engine.so
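
A check for the mismatch reported in this bug, as an added example that is not part of the original thread or the package: it reads the dynamicpreprocessor, dynamicengine and dynamicdetection directives from a snort.conf and reports every path that is absent on disk. The sample config and its temporary paths are constructed, and `check_dynamic_paths` is a hypothetical helper name.

```shell
#!/bin/sh
# check_dynamic_paths CONF
# Prints "line N: <directive> <path>" for every dynamic-module path named in
# CONF that does not exist. Returns 1 if any path is missing, 0 otherwise.
check_dynamic_paths() {
    conf=$1
    missing=$(awk '
        /^[ \t]*#/ { next }                       # skip commented-out directives
        $1 ~ /^dynamic(preprocessor|engine|detection)$/ {
            # Both forms occur: "<directive> file|directory <path>"
            # and the bare "<directive> <path>".
            path = ($2 == "file" || $2 == "directory") ? $3 : $2
            if (path != "") print NR, $1, path
        }' "$conf" | while read -r lineno directive path; do
            [ -e "$path" ] || printf 'line %s: %s %s\n' "$lineno" "$directive" "$path"
        done)
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Constructed sample: the preprocessor directory exists, the engine library
# does not, and the detection directive is commented out.
demo=$(mktemp -d)
mkdir -p "$demo/lib/snort/dynamicpreprocessor"
cat > "$demo/snort.conf" <<EOF
# constructed sample, not the shipped snort.conf
dynamicpreprocessor directory $demo/lib/snort/dynamicpreprocessor
dynamicengine $demo/lib/snort/libsf_engine.so
# dynamicdetection directory $demo/lib/snort_dynamicrule
EOF

check_dynamic_paths "$demo/snort.conf" \
    || echo "snort.conf references dynamic modules that are not installed"
```

Running the same function against /etc/snort/snort.conf after installing the package shows whether the shipped configuration and the packaged file locations agree.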