[Oisf-devel] Suricata compile fail with current git and PF_RING svn

Eric Leblond eric at regit.org
Sun Feb 23 15:40:10 UTC 2014 

Hello

I seriously don't know if we need to support PF_RING from svn. We have seen by the past problems appearing and disappearing for people using svn version. In this case, this is a bug in pf_ring who should link with the numa libs and require the devel harder to be installed at compile time. So please ask for a fix to of pf_ring team.

IMHO we should fix the supported versions of pf_ring to avoid any comparable issue in the future.

BR,

Le 23 févr. 2014 14:53, Peter Manev <petermanev at gmail.com> a écrit :
>
> On Sun, Feb 23, 2014 at 3:26 AM, Johan Karlsson 
> <johan.karlsson at deltamanagement.se> wrote: 
> >>On Thu, Feb 6, 2014 at 6:00 PM, Mark Stingley <mark.stingley at gmail.com> wrote: 
> >>> Over the past two days, I've pulled the latest builds for both pf_ring and 
> >>> Suricata.  After successfully compiling pf_ring, compilation of Suricata 
> >>> failed. 
> >>> 
> >>> Variations of this command were tried: 
> >>> 
> >>> ./autogen.sh && LIBS=-lrt ./configure --enable-pfring --enable-geoip 
> >>> --with-libpfring-includes=/usr/local/pfring/include/ 
> >>> --with-libpfring-libraries=/usr/local/pfring/lib/ 
> >>> --with-libpcap-includes=/usr/local/pfring/include/ 
> >>> --with-libpcap-libraries=/usr/local/pfring/lib/ 
> >>> --with-libnss-libraries=/usr/lib --with-libnss-includes=/usr/include/nss/ 
> >>> --with-libnspr-libraries=/usr/lib --with-libnspr-includes=/usr/include/nspr 
> >>> && sudo make clean && sudo make && sudo make install && sudo ldconfig 
> >>> 
> >>> I kept getting this error: 
> >>> 
> >>> checking for pfring_open in -lpfring... no 
> >>> checking for pfring_stats in -lpfring... no 
> >>> 
> >>>    ERROR! --enable-pfring was passed but the library was not found or 
> >>> version is >4, go get it 
> >> 
> >> 
> >>Which pfring version is it that you are using? 
> >>Did your pfring installation go without a problem? 
> >>Do you see the correct pfring libraries under "/usr/local/pfring/lib/" 
> >>and includes under "/usr/local/pfring/include/"? 
> >>Can you try without " LIBS=-lrt" ? 
> >> 
> >> 
> >>> configure:16088: checking for pfring_stats in -lpfring 
> >>> configure:16113: gcc -o conftest -g -O2 -Wextra 
> >>> -Werror-implicit-function-declaration -fno-tree-pre -Wall 
> >>> -Wno-unused-parameter -std=gnu99 -march=native -DHAVE_LIBNET11 -D_BSD_SOURCE 
> >>> -D__BSD_SOURCE -D__FAVOR_BSD -DHAVE_NET_ETHERNET_H -DHAVE_PFRING 
> >>> -I/opt/PF_RING/include   -L/opt/PF_RING/lib conftest.c -lpfring -lpcap -lrt 
> >>> -lnet -lpthread -lyaml -lpcre  >&5 
> >>> /usr/local/lib/libpfring.so: undefined reference to `numa_node_of_cpu' 
> >>> /usr/local/lib/libpfring.so: undefined reference to `numa_bind' 
> >>> /usr/local/lib/libpfring.so: undefined reference to `numa_parse_nodestring' 
> >>> /usr/local/lib/libpfring.so: undefined reference to `numa_available' 
> >>> 
> >>>  pass --enable-non-bundled-htp to Suricata's configure script. 
> >>>   Add --with-libhtp-includes=<dir> and --with-libhtp-libraries=<dir> if 
> >>>   libhtp is not installed in the include and library paths. 
> >>> 
> >>> After downloading the stable releases of both pf_ring and Suricata, both 
> >>> compiled and installed successfully. 
> >>> 
> >>> Any ideas? 
> >>> 
> >>> Thanks. 
> >>> 
> >>> Mark 
> >>> 
> >> 
> >>-- 
> >>Regards, 
> >>Peter Manev 
> > 
> > Hi! 
> > 
> > I just joined the mailing list today, to share my findings as I just ran into this issue myself. 
> > 
> > Basically, it all boils down to the "recent" changes in Debian/Ubuntu regarding DSO linking. Read about it and the bugs and issues that followed here: 
> > 
> > https://wiki.debian.org/ToolChain/DSOLinking 
> > 
> > I've checked several Suricata+PF_RING guides, and it's apparent that the passing of LIBS="-lrt" before running ./configure was introduced due to undefined references for 'clock_gettime' due to the linking changes. The link above gives hints about specifying lib flags via "LIBS" before running configure can be a solution in many cases. 
> > 
> > What's happened in PF_RING of late seems to be that code that requires numa functions was introduced. In fact, on Debian, you now have to install libnuma-dev prior to building PF_RING from SVN. 
> > 
> > Seems to have to do with PF_RING DNA cluster: 
> > 
> > nm -u libpfring.a 
> > 
> > pfring_dna_cluster.o: 
> >          ... 
> >          U numa_available 
> >          U numa_bind 
> >          U numa_node_of_cpu 
> >          U numa_parse_nodestring 
> >          ... 
> > 
> > So the solution in whole is (Debian example): 
> > 
> > --- 
> > apt-get install libnuma-dev 
> > 
> > <check out and install PF_RING like before> 
> > 
> > <check out Suricata> 
> > 
> > And then when configuring do: 
> > 
> > ./autogen.sh && LIBS="-lrt -lnuma" ./configure --enable-pfring 
> > --- 
>
> Yes, I just did a fresh  VM install to experiment and can confirm that 
> this is the case. 
> I will try see if any other OSs have the same issues. 
>
> Should we do that (just update the wiki) or should we explore the 
> opportunity to include that check in the configure scripts during 
> build time? 
> (as was the case with  LIBS="-lrt" , bug/feature report) 
>
>
> > 
> > Oh, and if any people responsible for guides (both on OISF and on the PF_RING website) are reading this; in addition to the above, I found out that libmagic-dev was needed in order to compile Suricata too. IIRC that dependency isn't listed in any of the guides (Debian/Ubuntu) 
> > 
>
> I believe libmagic-dev is correctly instructed to be included in the 
> wiki guides. 
>
> Thank you 
>
>
> > Regards, 
> > 
> > Johan Karlsson 
> > _______________________________________________ 
> > Suricata IDS Devel mailing list: oisf-devel at openinfosecfoundation.org 
> > Site: http://suricata-ids.org | Participate: http://suricata-ids.org/participate/ 
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel 
> > Redmine: https://redmine.openinfosecfoundation.org/ 
>
>
>
> -- 
> Regards, 
> Peter Manev 
> _______________________________________________ 
> Suricata IDS Devel mailing list: oisf-devel at openinfosecfoundation.org 
> Site: http://suricata-ids.org | Participate: http://suricata-ids.org/participate/ 
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel 
> Redmine: https://redmine.openinfosecfoundation.org/

More information about the Oisf-devel mailing list