[Oisf-users] Issues with Application Layer Filtering

Jason Batchelor jxbatchelor at gmail.com
Sat Jun 7 00:12:17 UTC 2014


I think you might be on to something with libhtp...

I recall when I initially installed and started Suricata, I received an
error message saying libhtp could not be found. So I did a simple:

yum install libhtp

At that point things were fine and Suri started up. However, I thought it
was strange because libhtp came with Suri and I presumed it was installed
from source (so why the linking issue?).

Before I removed the RPM I did an ldd to check if it linked to the RPM or
the source binary. The results seemed to indicate that it was correctly
linked to the source binary.

ldd /usr/bin/suricata | grep libhtp
        libhtp-0.5.11.so.1 => /usr/lib/libhtp-0.5.11.so.1 (0x00007f454b614000)

What I can't really explain is why installing the libhtp RPM fixed things,
even though the source link is preserved (the location is
/usr/lib64/libhtp-0.3.so.1).

Stranger, I cannot replicate the behavior when I remove the libhtp RPM. The
source link is preserved and after a re-configure and rebuild with the Suri
tarball for 2.0.1, it starts up with no libhtp issue. Could the RPM having
been installed at one point have corrupted things?

Concerning the git, unfortunately I believe our FW is blocking the git
port. If you still think it is worth a shot (as opposed to the tarball) I
can figure something out.

Thanks for your help so far.


On Fri, Jun 6, 2014 at 6:23 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:

> This sounds almost like it might be an issue with libhtp.
>
> As a sanity check would you be interested in trying my build script for
> the current dev release?
>
> > #!/bin/sh
> >
> > export CFLAGS="-O3 -pipe -march=native"
> >
> > git clone git://phalanx.openinfosecfoundation.org/oisf.git
> >
> > cd oisf
> >
> > git clone git://github.com/ironbee/libhtp.git
> >
> > ./autogen.sh
> >
> > ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var
> >
> > make install && ldconfig
>
> Feel free to change the configure options as needed.
>
> On 6/6/2014 4:13 PM, Jason Batchelor wrote:
> >
> >
> > Spun up Suri and retested, unfortunately I'm still having the same
> > problem :/
> >
> > Baffled by this one so far?
> >
>
> --
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042
>
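
The ldd check described in the message above can be scripted so that it also catches the "not found" case and lists other libhtp copies on disk. This is an added example, not part of the original thread or the posters' code; the function names `libhtp_link` and `libhtp_stray` and the libpcap sample line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report which libhtp a binary resolved to, and other copies.

# Sample ldd output: the libhtp line is the one quoted in the message,
# the libpcap line is constructed for illustration.
SAMPLE_LDD='        libpcap.so.1 => /usr/lib64/libpcap.so.1 (0x00007f454b200000)
        libhtp-0.5.11.so.1 => /usr/lib/libhtp-0.5.11.so.1 (0x00007f454b614000)'

# Read ldd output on stdin; print "<soname> <version> <path or MISSING>".
# Assumes a versioned soname of the form libhtp-X.Y.Z.so.N, as in the thread.
libhtp_link() {
    awk '$1 ~ /^libhtp/ && $2 == "=>" {
        ver = $1
        sub(/^libhtp-/, "", ver)                # drop the name prefix
        sub(/\.so.*$/, "", ver)                 # drop the .so.N suffix
        path = ($3 == "not") ? "MISSING" : $3   # ldd prints "=> not found"
        print $1, ver, path
    }'
}

# Read candidate library paths on stdin (one per line); print those that are
# not the path the binary resolved to. The comparison is textual, so symlinks
# to the linked file are listed as well.
libhtp_stray() {
    linked=$1
    while IFS= read -r f; do
        [ -n "$f" ] && [ "$f" != "$linked" ] && printf '%s\n' "$f"
    done
    return 0
}

# Offline demonstration on the sample above.
printf '%s\n' "$SAMPLE_LDD" | libhtp_link

# Live use, only on a host that actually has the binary.
if [ -x /usr/bin/suricata ] && command -v ldd >/dev/null 2>&1; then
    set -- $(ldd /usr/bin/suricata | libhtp_link)
    echo "linked: ${1:-none} version ${2:-?} at ${3:-?}"
    ls /usr/lib*/libhtp*.so* 2>/dev/null | libhtp_stray "$3" | sed 's/^/other copy: /'
fi
```

On an RPM-based host, `rpm -qf <path>` on each reported path shows whether that copy is owned by a package or came from a source install.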