[Oisf-users] Suricata compilation issues with pf_ring

Spransy, Derek dsprans at emory.edu
Wed Sep 23 02:12:05 UTC 2015

That's exactly the step that I was missing, thank you for the pointer!

From: Shirkdog <shirkdog at gmail.com>
Sent: Tuesday, September 22, 2015 9:50 PM
To: Spransy, Derek
Cc: oisf-users at lists.openinfosecfoundation.org; Jason Ish
Subject: Re: [Oisf-users] Suricata compilation issues with pf_ring

Make sure you build the libpcap that comes with the pf_ring source code and link to that when building suricata.

On Sep 22, 2015 9:48 PM, "Spransy, Derek" <dsprans at emory.edu<mailto:dsprans at emory.edu>> wrote:
Thanks Jason. Would you also mind sharing the configure statement you used? I updated all of the pf_ring modules to the latest nightly build. Configure now gets past the pf_ring linking stage (maybe a previous pf_ring install issue?) without the LIBS variable being defined, but it's still failing with libcap-ng-devel and nspr-devel.

checking for capng_clear in -lcap-ng... no

   WARNING!  libcap-ng library not found, go get it
   from http://people.redhat.com/sgrubb/libcap-ng/<https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2fpeople.redhat.com%2fsgrubb%2flibcap-ng%2f&data=01%7c01%7cdsprans%40emory.edu%7c7e0e459f0d084ff27a8b08d2c3b9571b%7ce004fb9cb0a4424fbcd0322606d5df38%7c1&sdata=RI3qa49Pf1KEYosxkkZhMddY5qtDhAvBZKvv9zAm6Nc%3d>
   or your distribution:

   Ubuntu: apt-get install libcap-ng-dev
   Fedora: yum install libcap-ng-devel

   Suricata will be built without support for dropping privs.

checking for libnspr... yes
checking nspr.h usability... yes
checking nspr.h presence... yes
checking for nspr.h... yes
checking for PR_GetCurrentThread in -lnspr4... no

   ERROR!  libnspr library not found, go get it
   from Mozilla or your distribution:

   Ubuntu: apt-get install libnspr4-dev
   Fedora: yum install nspr-devel

However, interestingly, if I compile suricate 2.1beta4 it compiles without issue. Does anyone know if something changed in the linking for these two modules between 2.0.8 and 2.1beta?

From: Spransy, Derek
Sent: Tuesday, September 22, 2015 9:22 AM
To: Jason Ish
Cc: oisf-users at lists.openinfosecfoundation.org<mailto:oisf-users at lists.openinfosecfoundation.org>
Subject: Re: [Oisf-users] Suricata compilation issues with pf_ring

Hi Jason,

Can you share which pf_ring packages you've used? I've also installed pf_ring via packages rather than compiling. Here's what I currently have installed:



From: lists at ish.cx<mailto:lists at ish.cx> <lists at ish.cx<mailto:lists at ish.cx>> on behalf of Jason Ish <lists at unx.ca<mailto:lists at unx.ca>>
Sent: Monday, September 21, 2015 5:15 PM
To: Spransy, Derek
Cc: oisf-users at lists.openinfosecfoundation.org<mailto:oisf-users at lists.openinfosecfoundation.org>
Subject: Re: [Oisf-users] Suricata compilation issues with pf_ring

On Mon, Sep 21, 2015 at 12:53 PM, Spransy, Derek <dsprans at emory.edu<mailto:dsprans at emory.edu>> wrote:
> Hello all,
> My apologies if this has been asked and answered previously, but I'm new to the list. I'm attempting to compile Suricata 2.0.8 on RHEL 7 with pf_ring (zero-copy) support. I encountered some problems while running configure during the linking of the pf_ring libraries. I found another listserv post that suggested setting LIBS="-lrt -lnuma" prior to running configure. This does indeed get me past the problems linking pf_ring, but later on I believe it causes issues with linking libpcap and file. The necessary packages are installed, and if I compile Suricata without pf_ring support, everything configures and compiles as expected.
> Here's a link to the output that I get when I compile with the LIBS variable defined, and without:
> https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2fpastebin.com%2f8TfCAJQ3&data=01%7c01%7cdsprans%40emory.edu%7cac5588eb7ee8415de6bf08d2c2c9bdc1%7ce004fb9cb0a4424fbcd0322606d5df38%7c1&sdata=6bpl2CgNcGTShjQont1TDbus3VZ0YzXwzCjMnww8utk%3d
> And here's a snipped of the errors in config.log when run configure with and without the LIBS variable defined:
> https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2fpastebin.com%2fSFz0GR26&data=01%7c01%7cdsprans%40emory.edu%7cac5588eb7ee8415de6bf08d2c2c9bdc1%7ce004fb9cb0a4424fbcd0322606d5df38%7c1&sdata=hB4fdb%2fWMZNI0%2fCHkYoYbUx7mA29v%2flI8LmdABlJNn0%3d
> If anyone has seen this previously, can you suggest a workaround? Any help would be appreciated!

I wonder if this has more to do with how PF_RING was built?  I just
used the PF_RING packages for CentOS 7 and build Suricata just fine,
then I built it PF_RING with the latest git checkout and it built just
fine again - I also checked to make sure it was linking against the
pfring enabled libpcap.

Sorry I don't have a better answer for you at this time.


This e-mail message (including any attachments) is for the sole use of
the intended recipient(s) and may contain confidential and privileged
information. If the reader of this message is not the intended
recipient, you are hereby notified that any dissemination, distribution
or copying of this message (including any attachments) is strictly

If you have received this message in error, please contact
the sender by reply e-mail message and destroy all copies of the
original message (including attachments).
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org<mailto:oisf-users at openinfosecfoundation.org>
Site: http://suricata-ids.org<https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2fsuricata-ids.org&data=01%7c01%7cdsprans%40emory.edu%7c7e0e459f0d084ff27a8b08d2c3b9571b%7ce004fb9cb0a4424fbcd0322606d5df38%7c1&sdata=x68R9ardiZll9KyUVx%2fg%2fFZpdgeUqhJ79YY%2f%2bv4hbmg%3d> | Support: http://suricata-ids.org/support/<https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2fsuricata-ids.org%2fsupport%2f&data=01%7c01%7cdsprans%40emory.edu%7c7e0e459f0d084ff27a8b08d2c3b9571b%7ce004fb9cb0a4424fbcd0322606d5df38%7c1&sdata=H1zocoIpOFLcVx%2f8930%2fOMXo6pE7wk2sx3SeIwOahEw%3d>
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users<https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2flists.openinfosecfoundation.org%2fmailman%2flistinfo%2foisf-users&data=01%7c01%7cdsprans%40emory.edu%7c7e0e459f0d084ff27a8b08d2c3b9571b%7ce004fb9cb0a4424fbcd0322606d5df38%7c1&sdata=CEHUzStodTviW%2bReAchFCLZAUJ%2b80i0p16527QSwHng%3d>
Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net<https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2foisfevents.net&data=01%7c01%7cdsprans%40emory.edu%7c7e0e459f0d084ff27a8b08d2c3b9571b%7ce004fb9cb0a4424fbcd0322606d5df38%7c1&sdata=3ttxZ1xVFZxrwmUaOKsEQxCXtF1UIX4O6BBGeo1Rh2o%3d>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20150923/f8e5826b/attachment-0002.html>

More information about the Oisf-users mailing list