[Oisf-users] Building Suricata 2.0.6 with PF_Ring 6.0.2 on Ubuntu

Michał Purzyński michalpurzynski1 at gmail.com
Sun Feb 22 21:53:29 UTC 2015


Do you have pcap and pcap-dev system packages installed?

You can remove all the ld_preload tricks for Suricata, it does not
need the pf_ring patched libpcap.


Remove

echo "/usr/local/pfring/lib" >> /etc/ld.so.conf
echo "PATH=$PATH:/usr/local/pfring/bin:/usr/local/pfring/sbin" >>
/etc/bash.bashrc


Also, when in the "kernel" directory of pf_ring, make sure you do

./configure --prefix=<something> && make && make install

otherwise

./linux/pf_ring.h

will not be installed for the current kernel headers and you might
have problems building other than Suricata pcap-pfring applications.



On Sun, Feb 22, 2015 at 8:04 PM, Andy Schworer <schworer at gmail.com> wrote:
> Thanks for the quick responses.  Removing --with-libpcap-includes and
> --with-libpcap-libraries didn't change the results.
>
> below is my PF ring install script.
>
> #http://sourceforge.net/projects/ntop/files/PF_RING/PF_RING-6.0.2.tar.gz/download
> tar -xvf PF_RING-6.0.2.tar.gz
> cd PF_RING-6.0.2/
> cd kernel; make;
> sudo su
> make install; modprobe pf_ring;
> cd ../userland/lib
> ./configure --prefix=/usr/local/pfring && make && sudo make install
> cd ../libpcap-1.1.1-ring
> ./configure --prefix=/usr/local/pfring && make && sudo make install
> echo "/usr/local/pfring/lib" >> /etc/ld.so.conf
> cd ../tcpdump-4.1.1
> ./configure --prefix=/usr/local/pfring && make && sudo make install
> # Add PF_RING to the ldconfig include list
> echo "PATH=$PATH:/usr/local/pfring/bin:/usr/local/pfring/sbin" >>
> /etc/bash.bashrc
> cat /proc/net/pf_ring/info
>
>
>
>
> On Sun, Feb 22, 2015 at 4:16 AM, Peter Manev <petermanev at gmail.com> wrote:
>>
>> On Sun, Feb 22, 2015 at 12:58 PM, Michał Purzyński
>> <michalpurzynski1 at gmail.com> wrote:
>> > Both the --with-libpcap-includes and --with-libpcap-libraries are not
>> > necessary at all. Suricata will use pfring_open() directly, without
>> > going through libpcap.
>> >
>>
>> Correct - I have updated the docs for PF_RING on the wiki  -
>>
>> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Installation
>>
>> Andy please make sure you have installed the pf_ring correctly though.
>>
>> thanks
>>
>> > On Sun, Feb 22, 2015 at 10:39 AM, Peter Manev <petermanev at gmail.com>
>> > wrote:
>> >> On Sun, Feb 22, 2015 at 6:02 AM, Andy Schworer <schworer at gmail.com>
>> >> wrote:
>> >>> I'm having trouble getting the ./configure script to complete for
>> >>> Suricata
>> >>> 2.0.6 with the following options.  With pf_ring 6.0.2 "vanilla" built
>> >>> and
>> >>> installed.
>> >>>
>> >>> uname -a Linux hosta 3.13.0-45-generic #74~precise1-Ubuntu SMP Thu Jan
>> >>> 15
>> >>> 20:21:55 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
>> >>>
>> >>> ./configure --prefix=/usr/local --sysconfdir=/usr/local/etc/suricata/
>> >>> --localstatedir=/usr/local/var/
>> >>> --with-libpfring-libraries=/usr/local/pfring/lib
>> >>> --with-libpfring-includes=/usr/local/pfring/include
>> >>> --with-libpcap-includes=/usr/local/pfring/include
>> >>> --with-libpcap-libraries=/usr/local/pfring/lib --enable-pfring
>> >>> --enable-geoip --disable-profiling
>> >>>
>> >>> I get the following error:
>> >>> ...
>> >>>
>> >>> checking pcap/pcap.h presence... yes
>> >>>
>> >>> checking for pcap/pcap.h... yes
>> >>>
>> >>> checking pcap/bpf.h usability... yes
>> >>>
>> >>> checking pcap/bpf.h presence... yes
>> >>>
>> >>> checking for pcap/bpf.h... yes
>> >>>
>> >>> checking for pcap_open_live in -lpcap... no
>> >>>
>> >>>
>> >>>    ERROR!  libpcap library not found, go get it
>> >>>
>> >>>    from http://www.tcpdump.org or your distribution:
>> >>>
>> >>>
>> >>>    Ubuntu: apt-get install libpcap-dev
>> >>>
>> >>>    Fedora: yum install libpcap-devel
>> >>>
>> >>>
>> >>>
>> >>> The following shows that libpcap library and pcap.h are installed in
>> >>> the
>> >>> right paths being supplied to the configure script.I
>> >>>
>> >>> ls -l /usr/local/pfring/include/
>> >>>
>> >>> total 116
>> >>>
>> >>> drwxr-xr-x 2 root root  4096 Feb 21 19:51 pcap
>> >>>
>> >>> -rw-r--r-- 1 root root  2393 Feb 21 19:51 pcap-bpf.h
>> >>>
>> >>> -rw-r--r-- 1 root root  2320 Feb 21 19:51 pcap.h
>> >>>
>> >>> -rw-r--r-- 1 root root  2125 Feb 21 19:51 pcap-namedb.h
>> >>>
>> >>> -rw-r--r-- 1 root root 57700 Feb 21 19:51 pfring.h
>> >>>
>> >>> -rw-r--r-- 1 root root 12321 Feb 21 19:51 pfring_mod_sysdig.h
>> >>>
>> >>> -rw-r--r-- 1 root root 20974 Feb 21 19:51 pfring_zc.h
>> >>>
>> >>>
>> >>> ls -l /usr/local/pfring/lib/
>> >>>
>> >>> total 1928
>> >>>
>> >>> -rw-r--r-- 1 root root 412264 Feb 21 19:51 libpcap.a
>> >>>
>> >>> lrwxrwxrwx 1 root root     12 Feb 21 19:51 libpcap.so -> libpcap.so.1
>> >>>
>> >>> lrwxrwxrwx 1 root root     16 Feb 21 19:51 libpcap.so.1 ->
>> >>> libpcap.so.1.1.1
>> >>>
>> >>> -rwxr-xr-x 1 root root 609569 Feb 21 19:51 libpcap.so.1.1.1
>> >>>
>> >>> -rw-r--r-- 1 root root 537384 Feb 21 19:51 libpfring.a
>> >>>
>> >>> -rwxr-xr-x 1 root root 407811 Feb 21 19:51 libpfring.so
>> >>>
>> >>>
>> >>> Has anyone else had this issue?
>> >>>
>> >>>
>> >>>
>> >>> _______________________________________________
>> >>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> >>> Site: http://suricata-ids.org | Support:
>> >>> http://suricata-ids.org/support/
>> >>> List:
>> >>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> >>> Training now available: http://suricata-ids.org/training/
>> >>
>> >>
>> >> How did you compile/install pf-ring?
>> >>
>> >> Did you follow the instructions here -
>> >>
>> >> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Installation_from_GIT_with_PF_RING_on_Ubuntu_server_1204#Pre-installation-requirements
>> >>
>> >>
>> >>
>> >> Thanks
>> >>
>> >>
>> >> --
>> >> Regards,
>> >> Peter Manev
>> >> _______________________________________________
>> >> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> >> Site: http://suricata-ids.org | Support:
>> >> http://suricata-ids.org/support/
>> >> List:
>> >> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> >> Training now available: http://suricata-ids.org/training/
>>
>>
>>
>> --
>> Regards,
>> Peter Manev
>
>



More information about the Oisf-users mailing list