[Oisf-users] Errors running make on suricata when configuring to use pf_ring 5.6.2

tskinner at comcast.net tskinner at comcast.net
Mon Feb 24 20:26:42 UTC 2014


I have installed and configured the pf_ring-enabled e1000e drivers for pf_ring v5.6.2, and I tested with pfcount that they were being used correctly.

Now I am trying to build suricata from the git repository, and after finally figuring out the configuration script options to include the needed libraries:


sudo LIBS="-lrt -lnuma" ./configure --enable-pfring --with-libpfring-libraries=/opt/PF_RING/lib --with-libpfring-includes=/opt/PF_RING/include --with-libpcap-libraries=/opt/PF_RING/lib --with-libpcap-includes=/opt/PF_RING/include LD_RUN_PATH="/opt/PF_RING/lib:/usr/lib:/usr/local/lib" --prefix=/opt/PF_RING/ --localstatedir=/nsm/suricata/ --sysconfdir=/etc/ 

I am running into the following issues with the pfring.h file during the make process:

Making all in src 
make[2]: Entering directory `/usr/src/oisfnew/src' 
make all-am 
make[3]: Entering directory `/usr/src/oisfnew/src' 
gcc -DHAVE_CONFIG_H -I. -I.. -I./../libhtp/ -I/opt/PF_RING/include -I/opt/PF_RING/include -I/usr/include/nspr -I/usr/include/nss -I/usr/include/nspr -DLOCAL_STATE_DIR=\"/nsm/suricata\" -g -O2 -Wextra -Werror-implicit-function-declaration -fno-tree-pre -Wall -Wno-unused-parameter -std=gnu99 -march=native -DHAVE_LIBNET11 -D_BSD_SOURCE -D__BSD_SOURCE -D__FAVOR_BSD -DHAVE_NET_ETHERNET_H -DHAVE_PFRING -I /usr/include -DLIBPCAP_VERSION_MAJOR=1 -DHAVE_PCAP_SET_BUFF -DHAVE_LIBCAP_NG -DREVISION="a97662e" -MT runmode-erf-dag.o -MD -MP -MF .deps/runmode-erf-dag.Tpo -c -o runmode-erf-dag.o runmode-erf-dag.c 
In file included from source-pfring.h:31, 
from runmode-erf-dag.c:25: 
/opt/PF_RING/include/pfring.h:90:1: warning: "likely" redefined 
In file included from flow.h:31, 
from detect.h:29, 
from detect-engine-alert.h:29, 
from suricata-common.h:321, 
from runmode-erf-dag.c:18: 
util-optimize.h:32:1: warning: this is the location of the previous definition 
In file included from source-pfring.h:31, 
from runmode-erf-dag.c:25: 
/opt/PF_RING/include/pfring.h:91:1: warning: "unlikely" redefined 
In file included from flow.h:31, 
from detect.h:29, 
from detect-engine-alert.h:29, 
from suricata-common.h:321, 
from runmode-erf-dag.c:18: 
util-optimize.h:35:1: warning: this is the location of the previous definition 
In file included from source-pfring.h:31, 
from runmode-erf-dag.c:25: 
/opt/PF_RING/include/pfring.h:111: warning: ‘struct pfring_pkthdr’ declared inside parameter list
/opt/PF_RING/include/pfring.h:111: warning: its scope is only this definition or declaration, which is probably not what you want
/opt/PF_RING/include/pfring.h:156: error: expected specifier-qualifier-list before ‘packet_direction’
In file included from source-pfring.h:31,
from runmode-erf-dag.c:25:
/opt/PF_RING/include/pfring.h:366: error: ‘MAX_NUM_RX_CHANNELS’ undeclared here (not in a function)
/opt/PF_RING/include/pfring.h:426: warning: ‘struct pfring_pkthdr’ declared inside parameter list
/opt/PF_RING/include/pfring.h:442: warning: ‘struct pfring_pkthdr’ declared inside parameter list
/opt/PF_RING/include/pfring.h:485: error: expected declaration specifiers or ‘...’ before ‘hw_filtering_rule’
/opt/PF_RING/include/pfring.h:585: warning: ‘struct pfring_pkthdr’ declared inside parameter list
/opt/PF_RING/include/pfring.h:629: error: expected declaration specifiers or ‘...’ before ‘packet_direction’
/opt/PF_RING/include/pfring.h:637: error: expected declaration specifiers or ‘...’ before ‘socket_mode’
/opt/PF_RING/include/pfring.h:650: error: expected declaration specifiers or ‘...’ before ‘cluster_type’
/opt/PF_RING/include/pfring.h:719: error: expected declaration specifiers or ‘...’ before ‘hash_filtering_rule’
/opt/PF_RING/include/pfring.h:746: error: expected declaration specifiers or ‘...’ before ‘filtering_rule’
/opt/PF_RING/include/pfring.h:783: error: expected declaration specifiers or ‘...’ before ‘hash_filtering_rule’
/opt/PF_RING/include/pfring.h:902: error: expected declaration specifiers or ‘...’ before ‘virtual_filtering_device_info’
/opt/PF_RING/include/pfring.h:1085: warning: ‘struct pfring_pkthdr’ declared inside parameter list
/opt/PF_RING/include/pfring.h:1158: warning: ‘struct pfring_pkthdr’ declared inside parameter list
/opt/PF_RING/include/pfring.h:1186: warning: ‘struct pfring_pkthdr’ declared inside parameter list
/opt/PF_RING/include/pfring.h:1230: warning: ‘struct pfring_pkthdr’ declared inside parameter list
In file included from runmode-erf-dag.c:25:
source-pfring.h:39: error: expected specifier-qualifier-list before ‘cluster_type’
make[3]: *** [runmode-erf-dag.o] Error 1 
make[3]: Leaving directory `/usr/src/oisfnew/src' 
make[2]: *** [all] Error 2 
make[2]: Leaving directory `/usr/src/oisfnew/src' 
make[1]: *** [all-recursive] Error 1 
make[1]: Leaving directory `/usr/src/oisfnew' 
make: *** [all] Error 2 

Are there others that have run into this lately? Could someone offer some guidance to help me through this?

Thanks,

Ted
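One way to narrow a failure like this down, as an added example that is not from the original post nor from the Suricata or PF_RING projects: compile the header by itself with the same -I flag that was passed to ./configure, so the first diagnostic is the header's own, and pull the undeclared identifiers out of the build log so they can be searched for in the include tree. It assumes a C compiler reachable as $CC or cc; pfring.h and /opt/PF_RING/include come from the post, and the sample log lines are constructed from the output quoted above.

```shell
#!/bin/sh
# Added example, not code from the original post, Suricata or PF_RING.
# Helpers for isolating a "header does not compile" failure like the one above.
# Assumes a C compiler reachable as "$CC" or "cc".

# header_compiles HEADER [compiler flags ...]
# Exit 0 if a translation unit consisting only of '#include <HEADER>' passes a
# syntax check with the given flags (e.g. -I/opt/PF_RING/include), else non-zero.
# Diagnostics go to stderr, so the first error shown belongs to the header
# itself, not to the .c file that pulled it in.
header_compiles() {
    _hdr=$1
    shift
    printf '#include <%s>\nint main(void) { return 0; }\n' "$_hdr" |
        "${CC:-cc}" -x c -fsyntax-only "$@" -
}

# missing_identifiers  (reads a gcc build log on stdin)
# Prints, de-duplicated, the identifiers gcc reported as undeclared or as
# unknown type names ("expected ... before 'foo'"); grep -r for them in the
# include tree to find which header should have defined them.
missing_identifiers() {
    sed -e "s/‘/'/g" -e "s/’/'/g" |
        sed -n \
            -e "s/.*before '\([A-Za-z_][A-Za-z0-9_]*\)'.*/\1/p" \
            -e "s/.* '\([A-Za-z_][A-Za-z0-9_]*\)' undeclared.*/\1/p" |
        LC_ALL=C sort -u
}

# Constructed sample in the shape of the gcc output quoted in the post.
SAMPLE_LOG="/opt/PF_RING/include/pfring.h:156: error: expected specifier-qualifier-list before ‘packet_direction’
/opt/PF_RING/include/pfring.h:366: error: ‘MAX_NUM_RX_CHANNELS’ undeclared here (not in a function)
/opt/PF_RING/include/pfring.h:485: error: expected declaration specifiers or ‘...’ before ‘hw_filtering_rule’
source-pfring.h:39: error: expected specifier-qualifier-list before ‘cluster_type’"

# Usage, as run from the poster's build tree:
#   make 2>&1 | tee build.log; missing_identifiers < build.log
#   header_compiles pfring.h -I/opt/PF_RING/include
printf '%s\n' "$SAMPLE_LOG" | missing_identifiers
```

If pfring.h fails the same way on its own, the problem lies in the header's include path or the PF_RING version it expects, not in Suricata's sources.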
----- Original Message -----
From: "Peter Manev" <petermanev at gmail.com> 
To: "Joakim Kunst Forsbakk" <forsbakk at mnemonic.no> 
Cc: oisf-users at lists.openinfosecfoundation.org 
Sent: Monday, February 24, 2014 6:26:36 AM 
Subject: Re: [Oisf-users] File extraction problems (false positives) 

On Mon, Feb 24, 2014 at 12:17 PM, Joakim Kunst Forsbakk 
<forsbakk at mnemonic.no> wrote: 
> Hi, 
> 
> I tried disabling all filestore rules, and tested the rule you suggested over one hour. 
> The fast log shows that the rule triggered 256 times in one hour. 
> Suricata however stored 1021 files. 248 of these are actual PDF files, but all the other files are ASCII text files, PNG image data, GIF image data, UTF-8 unicode text and XML-files. 
> 
> Any idea why Suricata does this? 
> 

How many rules in total do you load (what does suricata.log say)? (Did
you clear the log directories?)
If you tcpdump one pdf file transaction and then just read it with 
Suricata (-r) would that have the expected result? 
What would be the output of the detailed log? 

As a last resort you could try Suricata 2.0rc1 (stable 2.0 will be out 
soon), there are a lot of fixes in beta, however 1.4.7 should not have 
issues. 

thank you 

-- 
Regards, 
Peter Manev 
_______________________________________________ 
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org 
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/ 
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users 
OISF: http://www.openinfosecfoundation.org/ 