[Oisf-users] Suricata compilation issues with pf_ring

Peter Manev petermanev at gmail.com
Wed Sep 23 13:07:59 UTC 2015


On Wed, Sep 23, 2015 at 4:12 AM, Spransy, Derek <dsprans at emory.edu> wrote:
> That's exactly the step that I was missing, thank you for the pointer!

Derek were you following any particular pf_ring build guide ?

Thank you

>
>
> ________________________________
> From: Shirkdog <shirkdog at gmail.com>
> Sent: Tuesday, September 22, 2015 9:50 PM
> To: Spransy, Derek
> Cc: oisf-users at lists.openinfosecfoundation.org; Jason Ish
>
> Subject: Re: [Oisf-users] Suricata compilation issues with pf_ring
>
>
> Make sure you build the libpcap that comes with the pf_ring source code and
> link to that when building suricata.
>
> On Sep 22, 2015 9:48 PM, "Spransy, Derek" <dsprans at emory.edu> wrote:
>>
>> Thanks Jason. Would you also mind sharing the configure statement you
>> used? I updated all of the pf_ring modules to the latest nightly build.
>> Configure now gets past the pf_ring linking stage (maybe a previous pf_ring
>> install issue?) without the LIBS variable being defined, but it's still
>> failing with libcap-ng-devel and nspr-devel.
>>
>> checking for capng_clear in -lcap-ng... no
>>
>>    WARNING!  libcap-ng library not found, go get it
>>    from http://people.redhat.com/sgrubb/libcap-ng/
>>    or your distribution:
>>
>>    Ubuntu: apt-get install libcap-ng-dev
>>    Fedora: yum install libcap-ng-devel
>>
>>    Suricata will be built without support for dropping privs.
>>
>> checking for libnspr... yes
>> checking nspr.h usability... yes
>> checking nspr.h presence... yes
>> checking for nspr.h... yes
>> checking for PR_GetCurrentThread in -lnspr4... no
>>
>>    ERROR!  libnspr library not found, go get it
>>    from Mozilla or your distribution:
>>
>>    Ubuntu: apt-get install libnspr4-dev
>>    Fedora: yum install nspr-devel
>>
>> However, interestingly, if I compile suricate 2.1beta4 it compiles without
>> issue. Does anyone know if something changed in the linking for these two
>> modules between 2.0.8 and 2.1beta?
>>
>> ________________________________________
>> From: Spransy, Derek
>> Sent: Tuesday, September 22, 2015 9:22 AM
>> To: Jason Ish
>> Cc: oisf-users at lists.openinfosecfoundation.org
>> Subject: Re: [Oisf-users] Suricata compilation issues with pf_ring
>>
>> Hi Jason,
>>
>> Can you share which pf_ring packages you've used? I've also installed
>> pf_ring via packages rather than compiling. Here's what I currently have
>> installed:
>>
>> pfring-6.1.1-58.x86_64
>> pfring-drivers-zc-dkms-1.2-0.noarch
>> pfring-dkms-6.1.1-156.noarch
>> e1000e-zc-3.0.4.1.162-1dkms.noarch.rpm
>> i40e-zc-1.1.23.162-1dkms.noarch.rpm
>> pfring-drivers-zc-dkms-1.2-0.noarch.rpm
>> igb-zc-5.2.5.162-1dkms.noarch.rpm
>> ixgbe-zc-3.22.3.156-1dkms.noarch.rpm
>>
>> Thanks
>>
>> ________________________________________
>> From: lists at ish.cx <lists at ish.cx> on behalf of Jason Ish <lists at unx.ca>
>> Sent: Monday, September 21, 2015 5:15 PM
>> To: Spransy, Derek
>> Cc: oisf-users at lists.openinfosecfoundation.org
>> Subject: Re: [Oisf-users] Suricata compilation issues with pf_ring
>>
>> On Mon, Sep 21, 2015 at 12:53 PM, Spransy, Derek <dsprans at emory.edu>
>> wrote:
>> > Hello all,
>> >
>> > My apologies if this has been asked and answered previously, but I'm new
>> > to the list. I'm attempting to compile Suricata 2.0.8 on RHEL 7 with pf_ring
>> > (zero-copy) support. I encountered some problems while running configure
>> > during the linking of the pf_ring libraries. I found another listserv post
>> > that suggested setting LIBS="-lrt -lnuma" prior to running configure. This
>> > does indeed get me past the problems linking pf_ring, but later on I believe
>> > it causes issues with linking libpcap and file. The necessary packages are
>> > installed, and if I compile Suricata without pf_ring support, everything
>> > configures and compiles as expected.
>> >
>> > Here's a link to the output that I get when I compile with the LIBS
>> > variable defined, and without:
>> >
>> > https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2fpastebin.com%2f8TfCAJQ3&data=01%7c01%7cdsprans%40emory.edu%7cac5588eb7ee8415de6bf08d2c2c9bdc1%7ce004fb9cb0a4424fbcd0322606d5df38%7c1&sdata=6bpl2CgNcGTShjQont1TDbus3VZ0YzXwzCjMnww8utk%3d
>> >
>> > And here's a snipped of the errors in config.log when run configure with
>> > and without the LIBS variable defined:
>> >
>> > https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2fpastebin.com%2fSFz0GR26&data=01%7c01%7cdsprans%40emory.edu%7cac5588eb7ee8415de6bf08d2c2c9bdc1%7ce004fb9cb0a4424fbcd0322606d5df38%7c1&sdata=hB4fdb%2fWMZNI0%2fCHkYoYbUx7mA29v%2flI8LmdABlJNn0%3d
>> >
>> > If anyone has seen this previously, can you suggest a workaround? Any
>> > help would be appreciated!
>>
>> I wonder if this has more to do with how PF_RING was built?  I just
>> used the PF_RING packages for CentOS 7 and build Suricata just fine,
>> then I built it PF_RING with the latest git checkout and it built just
>> fine again - I also checked to make sure it was linking against the
>> pfring enabled libpcap.
>>
>> Sorry I don't have a better answer for you at this time.
>>
>> ________________________________
>>
>> This e-mail message (including any attachments) is for the sole use of
>> the intended recipient(s) and may contain confidential and privileged
>> information. If the reader of this message is not the intended
>> recipient, you are hereby notified that any dissemination, distribution
>> or copying of this message (including any attachments) is strictly
>> prohibited.
>>
>> If you have received this message in error, please contact
>> the sender by reply e-mail message and destroy all copies of the
>> original message (including attachments).
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Suricata User Conference November 4 & 5 in Barcelona:
>> http://oisfevents.net
>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net



-- 
Regards,
Peter Manev



More information about the Oisf-users mailing list