<html><head><style type='text/css'>p { margin: 0; }</style></head><body><div style='font-family: Arial; font-size: 12pt; color: #000000'><font face="Arial"><span style="font-size: 12pt;">I have installed and configured pf_ring enabled e1000e drivers for pf_ring v 5.6.2 and I tested that they were being used correctly with pfcount.</span></font><div style="color: rgb(0, 0, 0); font-family: Arial; font-size: 12pt;"><br></div><div style="color: rgb(0, 0, 0); font-family: Arial; font-size: 12pt;">Now, I am trying to build suricata from git repository and after finally figuring out configuration script to include needed libraries:</div><div style="color: rgb(0, 0, 0); font-family: Arial; font-size: 12pt;"><br></div><div><font face="Arial"><span style="font-size: 16px;">sudo LIBS="-lrt -lnuma" ./configure --enable-pfring --with-libpfring-libraries=/opt/PF_RING/lib --with-libpfring-includes=/opt/PF_RING/include --with-libpcap-libraries=/opt/PF_RING/lib --with-libpcap-includes=/opt/PF_RING/include LD_RUN_PATH="/opt/PF_RING/lib:/usr/lib:/usr/local/lib" --prefix=/opt/PF_RING/ --localstatedir=/nsm/suricata/ --sysconfdir=/etc/</span></font></div><div><font face="Arial"><span style="font-size: 16px;"><br></span></font></div><div><font face="Arial"><span style="font-size: 16px;"><br></span></font></div><div><font face="Arial"><span style="font-size: 16px;">I am running into the following issues with the pfring.h file during the make process:</span></font></div><div><font face="Arial"><span style="font-size: 16px;"><br></span></font></div><div><font face="Arial"><span style="font-size: 16px;"><div>Making all in src</div><div>make[2]: Entering directory `/usr/src/oisfnew/src'</div><div>make all-am</div><div>make[3]: Entering directory `/usr/src/oisfnew/src'</div><div>gcc -DHAVE_CONFIG_H -I. -I.. 
-I./../libhtp/ -I/opt/PF_RING/include -I/opt/PF_RING/include -I/usr/include/nspr -I/usr/include/nss -I/usr/include/nspr -DLOCAL_STATE_DIR=\"/nsm/suricata\" -g -O2 -Wextra -Werror-implicit-function-declaration -fno-tree-pre -Wall -Wno-unused-parameter -std=gnu99 -march=native -DHAVE_LIBNET11 -D_BSD_SOURCE -D__BSD_SOURCE -D__FAVOR_BSD -DHAVE_NET_ETHERNET_H -DHAVE_PFRING -I /usr/include -DLIBPCAP_VERSION_MAJOR=1 -DHAVE_PCAP_SET_BUFF -DHAVE_LIBCAP_NG -DREVISION="a97662e" -MT runmode-erf-dag.o -MD -MP -MF .deps/runmode-erf-dag.Tpo -c -o runmode-erf-dag.o runmode-erf-dag.c</div><div>In file included from source-pfring.h:31,</div><div> from runmode-erf-dag.c:25:</div><div>/opt/PF_RING/include/pfring.h:90:1: warning: "likely" redefined</div><div>In file included from flow.h:31,</div><div> from detect.h:29,</div><div> from detect-engine-alert.h:29,</div><div> from suricata-common.h:321,</div><div> from runmode-erf-dag.c:18:</div><div>util-optimize.h:32:1: warning: this is the location of the previous definition</div><div>In file included from source-pfring.h:31,</div><div> from runmode-erf-dag.c:25:</div><div>/opt/PF_RING/include/pfring.h:91:1: warning: "unlikely" redefined</div><div>In file included from flow.h:31,</div><div> from detect.h:29,</div><div> from detect-engine-alert.h:29,</div><div> from suricata-common.h:321,</div><div> from runmode-erf-dag.c:18:</div><div>util-optimize.h:35:1: warning: this is the location of the previous definition</div><div>In file included from source-pfring.h:31,</div><div> from runmode-erf-dag.c:25:</div><div>/opt/PF_RING/include/pfring.h:111: warning: ‘struct pfring_pkthdr’ declared inside parameter list</div><div>/opt/PF_RING/include/pfring.h:111: warning: its scope is only this definition or declaration, which is probably not what you want</div><div>/opt/PF_RING/include/pfring.h:156: error: expected specifier-qualifier-list before ‘packet_direction’</div><div>In file included from source-pfring.h:31,</div><div> from 
runmode-erf-dag.c:25:</div><div>/opt/PF_RING/include/pfring.h:366: error: ‘MAX_NUM_RX_CHANNELS’ undeclared here (not in a function)</div><div>/opt/PF_RING/include/pfring.h:426: warning: ‘struct pfring_pkthdr’ declared inside parameter list</div><div>/opt/PF_RING/include/pfring.h:442: warning: ‘struct pfring_pkthdr’ declared inside parameter list</div><div>/opt/PF_RING/include/pfring.h:485: error: expected declaration specifiers or ‘...’ before ‘hw_filtering_rule’</div><div>/opt/PF_RING/include/pfring.h:585: warning: ‘struct pfring_pkthdr’ declared inside parameter list</div><div>/opt/PF_RING/include/pfring.h:629: error: expected declaration specifiers or ‘...’ before ‘packet_direction’</div><div>/opt/PF_RING/include/pfring.h:637: error: expected declaration specifiers or ‘...’ before ‘socket_mode’</div><div>/opt/PF_RING/include/pfring.h:650: error: expected declaration specifiers or ‘...’ before ‘cluster_type’</div><div>/opt/PF_RING/include/pfring.h:719: error: expected declaration specifiers or ‘...’ before ‘hash_filtering_rule’</div><div>/opt/PF_RING/include/pfring.h:746: error: expected declaration specifiers or ‘...’ before ‘filtering_rule’</div><div>/opt/PF_RING/include/pfring.h:783: error: expected declaration specifiers or ‘...’ before ‘hash_filtering_rule’</div><div>/opt/PF_RING/include/pfring.h:902: error: expected declaration specifiers or ‘...’ before ‘virtual_filtering_device_info’</div><div>/opt/PF_RING/include/pfring.h:1085: warning: ‘struct pfring_pkthdr’ declared inside parameter list</div><div>/opt/PF_RING/include/pfring.h:1158: warning: ‘struct pfring_pkthdr’ declared inside parameter list</div><div>/opt/PF_RING/include/pfring.h:1186: warning: ‘struct pfring_pkthdr’ declared inside parameter list</div><div>/opt/PF_RING/include/pfring.h:1230: warning: ‘struct pfring_pkthdr’ declared inside parameter list</div><div>In file included from runmode-erf-dag.c:25:</div><div>source-pfring.h:39: error: expected specifier-qualifier-list before 
‘cluster_type’</div><div>make[3]: *** [runmode-erf-dag.o] Error 1</div><div>make[3]: Leaving directory `/usr/src/oisfnew/src'</div><div>make[2]: *** [all] Error 2</div><div>make[2]: Leaving directory `/usr/src/oisfnew/src'</div><div>make[1]: *** [all-recursive] Error 1</div><div>make[1]: Leaving directory `/usr/src/oisfnew'</div><div>make: *** [all] Error 2</div><div><br></div><div><br></div><div><br></div><div>Are there others that have run into this lately? Could someone offer some guidance to help me through this?</div><div><br></div><div><br></div><div>Thanks,</div><div><br></div><div>Ted</div></span></font><br><hr id="zwchr" style="color: rgb(0, 0, 0); font-family: Arial; font-size: 12pt;"><b style="color: rgb(0, 0, 0); font-family: Arial; font-size: 12pt;">From: </b><font face="Arial"><span style="font-size: 12pt;">"Peter Manev" <petermanev@gmail.com></span></font><br><b style="color: rgb(0, 0, 0); font-family: Arial; font-size: 12pt;">To: </b><font face="Arial"><span style="font-size: 12pt;">"Joakim Kunst Forsbakk" <forsbakk@mnemonic.no></span></font><br><b style="color: rgb(0, 0, 0); font-family: Arial; font-size: 12pt;">Cc: </b><font face="Arial"><span style="font-size: 12pt;">oisf-users@lists.openinfosecfoundation.org</span></font><br><b style="color: rgb(0, 0, 0); font-family: Arial; font-size: 12pt;">Sent: </b><font face="Arial"><span style="font-size: 12pt;">Monday, February 24, 2014 6:26:36 AM</span></font><br><b style="color: rgb(0, 0, 0); font-family: Arial; font-size: 12pt;">Subject: </b><font face="Arial"><span style="font-size: 12pt;">Re: [Oisf-users] File extraction problems (false positives)</span></font><br><br><font face="Arial"><span style="font-size: 12pt;">On Mon, Feb 24, 2014 at 12:17 PM, Joakim Kunst Forsbakk</span></font><br><font face="Arial"><span style="font-size: 12pt;"><forsbakk@mnemonic.no> wrote:</span></font><br><font face="Arial"><span style="font-size: 12pt;">> Hi,</span></font><br><font face="Arial"><span style="font-size: 
12pt;">></span></font><br><font face="Arial"><span style="font-size: 12pt;">> I tried disabling all filestore rules, and tested the rule you suggested over one hour.</span></font><br><font face="Arial"><span style="font-size: 12pt;">> The fast log shows that the rule triggered 256 times in one hour.</span></font><br><font face="Arial"><span style="font-size: 12pt;">> Suricata however stored 1021 files. 248 of these are actual PDF files, but all the other files are ASCII text files, PNG image data, GIF image data, UTF-8 unicode text and XML-files.</span></font><br><font face="Arial"><span style="font-size: 12pt;">></span></font><br><font face="Arial"><span style="font-size: 12pt;">> Any idea why Suricata does this?</span></font><br><font face="Arial"><span style="font-size: 12pt;">></span></font><br><br><font face="Arial"><span style="font-size: 12pt;">How many rules in total do you load (what does suricata.log say)?(did</span></font><br><font face="Arial"><span style="font-size: 12pt;">you clear the log directories)</span></font><br><font face="Arial"><span style="font-size: 12pt;">If you tcpdump one pdf file transaction and then just read it with</span></font><br><font face="Arial"><span style="font-size: 12pt;">Suricata (-r) would that have the expected result?</span></font><br><font face="Arial"><span style="font-size: 12pt;">What would be the output of the detailed log?</span></font><br><br><font face="Arial"><span style="font-size: 12pt;">As a last resort you could try Suricata 2.0rc1 (stable 2.0 will be out</span></font><br><font face="Arial"><span style="font-size: 12pt;">soon), there are a lot of fixes in beta, however 1.4.7 should not have</span></font><br><font face="Arial"><span style="font-size: 12pt;">issues.</span></font><br><br><font face="Arial"><span style="font-size: 12pt;">thank you</span></font><br><br><font face="Arial"><span style="font-size: 12pt;">-- </span></font><br><font face="Arial"><span style="font-size: 
12pt;">Regards,</span></font><br><font face="Arial"><span style="font-size: 12pt;">Peter Manev</span></font><br><font face="Arial"><span style="font-size: 12pt;">_______________________________________________</span></font><br><font face="Arial"><span style="font-size: 12pt;">Suricata IDS Users mailing list: oisf-users@openinfosecfoundation.org</span></font><br><font face="Arial"><span style="font-size: 12pt;">Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/</span></font><br><font face="Arial"><span style="font-size: 12pt;">List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</span></font><br><font face="Arial"><span style="font-size: 12pt;">OISF: http://www.openinfosecfoundation.org/</span></font><br></div></div></body></html>