Loading pcre 7 was no help. Then discovered it was an ldconfig problem.
RedHat EL 3 has pcre 3.9 in /lib, and even though I built Snort against a newer
version of pcre in /usr/local/lib, like this...
./configure --with-libpcap-includes=/usr/local/include \
    --with-libpcap-libraries=/usr/local/lib \
    --with-libpcre-includes=/usr/local/include \
    --with-libpcre-libraries=/usr/local/lib
It was apparently still loading libpcre from /lib, not /usr/local/lib.
Before...
ldd /usr/local/bin/snort
libpcre.so.0 => /lib/libpcre.so.0 (0x004f6000)
libm.so.6 => /lib/tls/libm.so.6 (0x00e6a000)
libnsl.so.1 => /lib/libnsl.so.1 (0x007d9000)
libc.so.6 => /lib/tls/libc.so.6 (0x00111000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x006c1000)
After putting /usr/local/bin on the first line in /etc/ld.so.conf and running
ldconfig, Snort looks in /usr/local/lib.
ldd /usr/local/bin/snort
libpcre.so.0 => /usr/local/lib/libpcre.so.0 (0x00549000)
libm.so.6 => /lib/tls/libm.so.6 (0x00c7e000)
libnsl.so.1 => /lib/libnsl.so.1 (0x00b35000)
libc.so.6 => /lib/tls/libc.so.6 (0x00df2000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x009c2000)
Now Snort loads the new VRT rules.
But I wonder what I've broken in the meantime by having /usr/local/lib listed
first in ld.so.conf?
Is there a unique LIBRARY_PATH variable for Snort, for it to use
/usr/local/lib?
Z
> ----- Original Message -----
> From: "Matthew Watchinski" <mwatchinski@sourcefire.com>
> To: Zultan <zultan@mad.scientist.com>
> Subject: Re: [Snort-users] (no subject)
> Date: Thu, 12 Apr 2007 19:24:21 -0400
>
>
> Can you send in the following.
>
> The output from "pcre-config --version"
> What version of snort you're running
> Did you compile snort from source?
> What OS are you on.
> The sid and rev of the rule on line 661,664,701
> Did you compile pcre from source?
>
> We've had a couple emails on this and it looks like some platforms have
> a really old / broken libpcre on them that doesn't support named captures.
>
> Something you can try is downloading the source packages for pcre from
> www.pcre.org and building and installing them. Then rebuilding snort
>
> I've tested 6.5,6.6,7.0 and they all work when built from source.
>
> Cheers,
> -matt
>
> Zultan wrote:
> > When running #snort -Tc /etc/snort/snort.cong on the latest VRT rules
> > update (2007-04-10), pcre complains. Here are the first 3 that fail.
> > There are many others that fail in web-client.rules. My pcre version is
> > 6.6
> >
> >
> > ERROR: /etc/snort/web-client.rules(661) : pcre compile of
> > "1([^>]\x00)*1(?P<q2>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)"
> > failed at offset 15 : unrecognized character after
> > (?
> > Fatal Error, Quitting..
> >
> > ERROR: /etc/snort/web-client.rules(664) : pcre compile of
> > "1([^>]\x00)*1(?P<q2>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)"
> > failed at offset 15 : unrecognized character after
> > (?
> > Fatal Error, Quitting..
> >
> > ERROR: /etc/snort/web-client.rules(701) : pcre compile of
> > "1([^>]\x00)*1(?P<q3>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q3)(?=\s\x00|>\x00)"
> > failed at offset 15 : unrecognized character after
> > (?
> > Fatal Error, Quitting..
> >
> >
> > Z
> >
> > =
> > Search for products and services at: http://search.mail.com
> >
> > -------------------------------------------------------------------------
> > Take Surveys. Earn Cash. Influence the Future of IT
> > Join SourceForge.net's Techsay panel and you'll get the chance to share your
> > opinions on IT & business topics through brief surveys-and earn cash
> > http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users@lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
>
>
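Added example, not part of the original message or of Snort: a shell check that reads `ldd` output and reports whether a library resolved from the directory the build was pointed at, using the two listings quoted in the message as sample input. The function names and the expected directory argument are assumptions made for this illustration.

```shell
#!/bin/sh
# Sample input: the "before" and "after" ldd listings from the message above.
LDD_BEFORE='libpcre.so.0 => /lib/libpcre.so.0 (0x004f6000)
libm.so.6 => /lib/tls/libm.so.6 (0x00e6a000)
libnsl.so.1 => /lib/libnsl.so.1 (0x007d9000)
libc.so.6 => /lib/tls/libc.so.6 (0x00111000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x006c1000)'
LDD_AFTER='libpcre.so.0 => /usr/local/lib/libpcre.so.0 (0x00549000)
libm.so.6 => /lib/tls/libm.so.6 (0x00c7e000)
libnsl.so.1 => /lib/libnsl.so.1 (0x00b35000)
libc.so.6 => /lib/tls/libc.so.6 (0x00df2000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x009c2000)'

# check_lib SONAME_PREFIX EXPECTED_DIR
# Reads ldd output on stdin. For every library whose name starts with
# SONAME_PREFIX, prints "OK name path" or "MISMATCH name path".
# Exit status: 0 all matched, 1 at least one mismatch, 2 library not listed.
check_lib() {
    awk -v pfx="$1" -v dir="$2" '
        BEGIN { bad = 0; seen = 0 }
        $2 == "=>" && index($1, pfx) == 1 {
            seen = 1
            d = $3
            sub("/[^/]*$", "", d)          # strip file name, keep directory
            if (d == dir) print "OK " $1 " " $3
            else { print "MISMATCH " $1 " " $3; bad = 1 }
        }
        END { if (!seen) { print "MISSING " pfx; exit 2 }; exit bad }
    '
}

# resolved_from DIR
# Reads ldd output on stdin and lists every library that resolves from DIR,
# which shows what else a changed search order pulls from that directory.
resolved_from() {
    awk -v dir="$1" '
        $2 == "=>" { d = $3; sub("/[^/]*$", "", d); if (d == dir) print $1 }
    '
}

# Demo on the embedded listings; on a live system pipe real output instead:
#   ldd /usr/local/bin/snort | check_lib libpcre.so /usr/local/lib
printf '%s\n' "$LDD_BEFORE" | check_lib libpcre.so /usr/local/lib \
    || echo "before: libpcre is not the one the build was configured against"
printf '%s\n' "$LDD_AFTER" | check_lib libpcre.so /usr/local/lib \
    && echo "after: libpcre comes from the expected directory"
```

Running `resolved_from /usr/local/lib` over the `ldd` output of other binaries shows which of them are affected by a global change to the search order. Setting `LD_LIBRARY_PATH` in a wrapper script for one program, or linking it with an rpath, limits the override to that program.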