Snort 2.4.5 and 2.6.0 Final Now Available
Jennifer Steffens (Sourcefire) @ June 05, 2006 18:18:17

The Snort Team is pleased to announce the release of Snort 2.4.5 and Snort 2.6.0 Final. The Snort Team would like to thank all those who tested the Snort 2.6 release candidates and provided valuable feedback and bug reports. Snort 2.6 is the way of the future for Snort development and its release signifies the end of life for development on the Snort 2.4 branch. These releases have better performance, numerous new features and incorporate many bug fixes. Notable bug fixes and improvements include:
----
New ebuild needed to add this new version to portage.
snort is a complex package and we're not just talking about a minor version bump here, so a 2.6 ebuild will need extensive testing before making it into the tree.
Created attachment 88958
snort-2.6.0 ebuild

I have copied the 2.4.4 ebuild and changed it for 2.6.0 where I know it needs to be changed:
Added new compile flag for dynamic plugins;
Removed the 2.4 genpatch line;
Added dependency on libtool-1.4 per the release notes.
Tried to compile this with the ebuild and it failed. Emerge info and errors here:

Portage 2.0.54-r2 (default-linux/x86/2006.0, gcc-3.3.6, glibc-2.3.6-r3, 2.6.12-gentoo-r6 i686)
=================================================================
System uname: 2.6.12-gentoo-r6 i686 Intel(R) XEON(TM) CPU 1.80GHz
Gentoo Base System version 1.6.14
distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
dev-lang/python: 2.3.5-r2, 2.4.2
dev-python/pycrypto: [Not Present]
dev-util/ccache: [Not Present]
dev-util/confcache: [Not Present]
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.59-r7
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils: 2.16.1-r2
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=i686 -fomit-frame-pointer -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/gconf /etc/env.d"
CXXFLAGS="-O2 -march=i686 -fomit-frame-pointer -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 X alsa apache2 apm arts audiofile avi berkdb bitmap bitmap-fonts bonobo bzip2 cdr cgi cli crypt cups curl dbm dri dvd dvdr eds emboss encode esd ethereal exif expat fam flac foomaticdb fortran gd gdbm gif glut gmp gnome gphoto2 gpm gstreamer gtk gtk2 gtkhtml guile idn imagemagick imlib isdnlog java jpeg kde kerberos lcms ldap libg++ libwww mad mhash mikmod mng motif mozilla mp3 mpeg mysql ncurses nls nptl odbc ogg openal opengl oss pam pcre pdflib perl php png ppds pppd python qt quicktime readline reflection ruby samba scanner sdl session slang snmp spell spl sqlite ssl svg tcltk tcpd tetex tiff truetype truetype-fonts type1-fonts udev usb vorbis xine xml xml2 xmms xorg xv zlib userland_GNU kernel_linux elibc_glibc"
Unset: CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_RSYNC_EXTRA_OPTS, PORTAGE_RSYNC_OPTS

...
/bin/sh ../../../libtool --tag=CC --mode=link i686-pc-linux-gnu-gcc -O2 -march=i686 -fomit-frame-pointer -pipe -Wall -DDYNAMIC_PLUGIN -L/usr/lib -lpcre -L/usr/lib -L/usr/lib -o libsf_ftptelnet_preproc.la -rpath /usr/lib/snort_dynamicpreprocessor -module ftp_bounce_lookup.lo ftp_cmd_lookup.lo ftpp_eo_log.lo ftpp_si.lo ftpp_ui_client_lookup.lo ftpp_ui_config.lo ftpp_ui_server_lookup.lo hi_util_kmap.lo hi_util_xmalloc.lo pp_ftp.lo pp_telnet.lo snort_ftptelnet.lo spp_ftptelnet.lo sf_dynamic_preproc_lib.lo -ldl -lmysqlclient -lz -lpcre -lpcap -lm -lnsl -lodbc -ldl
i686-pc-linux-gnu-gcc -shared .libs/ftp_bounce_lookup.o .libs/ftp_cmd_lookup.o .libs/ftpp_eo_log.o .libs/ftpp_si.o .libs/ftpp_ui_client_lookup.o .libs/ftpp_ui_config.o .libs/ftpp_ui_server_lookup.o .libs/hi_util_kmap.o .libs/hi_util_xmalloc.o .libs/pp_ftp.o .libs/pp_telnet.o .libs/spp_ftptelnet.o .libs/sf_dynamic_preproc_lib.o -L/usr/lib -lmysqlclient -lz /usr/lib/libpcre.so -lpcap -lm -lnsl /usr/lib/libodbc.so -ldl -march=i686 -Wl,-soname -Wl,libsf_ftptelnet_preproc.so.0 -o .libs/libsf_ftptelnet_preproc.so.0.0.0
(cd .libs && rm -f libsf_ftptelnet_preproc.so.0 && ln -s libsf_ftptelnet_preproc.so.0.0.0 libsf_ftptelnet_preproc.so.0)
(cd .libs && rm -f libsf_ftptelnet_preproc.so && ln -s libsf_ftptelnet_preproc.so.0.0.0 libsf_ftptelnet_preproc.so)
i686-pc-linux-gnu-ar cru .libs/libsf_ftptelnet_preproc.a ftp_bounce_lookup.o ftp_cmd_lookup.o ftpp_eo_log.o ftpp_si.o ftpp_ui_client_lookup.o ftpp_ui_config.o ftpp_ui_server_lookup.o hi_util_kmap.o hi_util_xmalloc.o pp_ftp.o pp_telnet.o snort_ftptelnet.o spp_ftptelnet.o sf_dynamic_preproc_lib.o
i686-pc-linux-gnu-ranlib .libs/libsf_ftptelnet_preproc.a
creating libsf_ftptelnet_preproc.la
libtool: link: `snort_ftptelnet.lo' is not a valid libtool object
make[7]: *** [libsf_ftptelnet_preproc.la] Error 1
make[7]: Leaving directory `/var/tmp/portage/snort-2.6.0/work/snort-2.6.0/src/dynamic-preprocessors/ftptelnet'
make[6]: *** [all-local] Error 2
make[6]: *** Waiting for unfinished jobs....
(cd .libs && rm -f libsf_ftptelnet_preproc.la && ln -s ../libsf_ftptelnet_preproc.la libsf_ftptelnet_preproc.la)
make[6]: Leaving directory `/var/tmp/portage/snort-2.6.0/work/snort-2.6.0/src/dynamic-preprocessors/ftptelnet'
make[5]: *** [all] Error 2
make[5]: Leaving directory `/var/tmp/portage/snort-2.6.0/work/snort-2.6.0/src/dynamic-preprocessors/ftptelnet'
make[4]: *** [all-recursive] Error 1
make[4]: Leaving directory `/var/tmp/portage/snort-2.6.0/work/snort-2.6.0/src/dynamic-preprocessors'
make[3]: *** [all] Error 2
make[3]: Leaving directory `/var/tmp/portage/snort-2.6.0/work/snort-2.6.0/src/dynamic-preprocessors'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/var/tmp/portage/snort-2.6.0/work/snort-2.6.0/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/var/tmp/portage/snort-2.6.0/work/snort-2.6.0'
make: *** [all] Error 2

!!! ERROR: net-analyzer/snort-2.6.0 failed.
!!! Function src_compile, Line 97, Exitcode 2
!!! compile problem
!!! If you need support, post the topmost build error, NOT this status message.
Tried to compile the source on my own from the .tar.gz file and no errors.

When I cd to /var/tmp/portage/snort-2.6.0/work/snort-2.6.0 and do a make, I get no errors.
Your ebuild problem was probably related to this
make[6]: *** Waiting for unfinished jobs....
Try setting your MAKEOPTS to MAKEOPTS="-j1"

(In reply to comment #4)
> Tried to compile the source on my own from the .tar.gz file and no errors.
>
> When I cd to /var/tmp/portage/snort-2.6.0/work/snort-2.6.0 and do a make, I get
> no errors.
>
Created attachment 89814
snort-2.6.0 ebuild

I have attached a new ebuild for snort 2.6.

This ebuild includes the following new USE options:
dynamicplugin
timestats
perfprofiling
linux-smp-stats

use.local.desc should be updated as follows:
net-analyzer/snort:dynamicplugin - Enable ability to dynamically load preprocessors, detection engine, and rules lib
net-analyzer/snort:timestats - Enable TimeStats functionality
net-analyzer/snort:perfprofiling - Enable preprocessor and rule performance profiling
net-analyzer/snort:linux-smp-stats - Enable statistics reporting through proc on smp systems

Added dodoc for the RELEASE.NOTES

Added extensive ewarn/einfo. There are a lot of new features in 2.6, many of which require a lot of new stuff in snort.conf. I have done extensive testing on 2.6 for my job. The default config for the new pattern matcher is "config detection: search-method ac". I have seen this bring a server with 1Gb ram and 1Gb swap to its knees even using only 100 rules and NO preprocessors. I have also seen the kernel kill snort after 30 seconds because it is trying to use more ram+swap than is available. They said the new matcher uses more memory... from what I have seen that is quite an understatement. I have found that using 'config detection: search-method ac-sparsebands' instead provides very good performance using the new pattern matcher with a lot less memory usage, so I added that as a suggestion. Also added the location to the release.notes

Removed the "if use mysql || use postgres || use odbc ; then" because barnyard users do not need DB support in snort and may not set those use flags and thus not see the einfo. However, the schema info would still be useful to them.

Removed the link to the gentoo forums, since that info is quite outdated, and not overly relevant for 2.6.

I think that is it. Anyone with time to test this ebuild, please do so.

Wally
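The matcher setting discussed in the comment above can be checked in a snort.conf before a sensor is started. The script below is an added example, not part of the attached ebuild or of Snort; its function names and sample files are constructed for illustration, and it classifies only the two methods named in this thread.

```shell
#!/bin/sh
# Added example: report which pattern matcher a snort.conf selects.
# Function names and sample file contents are constructed for illustration.

# Print the search-method of the last active "config detection:" line,
# or "unset" if no uncommented line sets one.
search_method() {
    awk '
        /^[ \t]*#/ { next }    # ignore commented-out directives
        /^[ \t]*config[ \t]+detection[ \t]*:/ {
            for (i = 1; i < NF; i++)
                if ($i == "search-method") { m = $(i + 1); sub(/,$/, "", m) }
        }
        END { print (m == "" ? "unset" : m) }
    ' "$1"
}

# Exit status: 0 = ac-sparsebands, 1 = ac, 2 = unset, 3 = anything else.
check_conf() {
    method=$(search_method "$1")
    case "$method" in
        ac-sparsebands) echo "ok: $1 uses ac-sparsebands"; return 0 ;;
        ac)     echo "warn: $1 uses ac; watch RAM and swap, consider ac-sparsebands"; return 1 ;;
        unset)  echo "warn: $1 sets no search-method; the built-in default applies"; return 2 ;;
        *)      echo "note: $1 uses $method, not covered in this thread"; return 3 ;;
    esac
}

# Constructed sample configs (not taken from the Snort tarball).
SAMPLES=$(mktemp -d)
printf '%s\n' 'var HOME_NET any' 'config detection: search-method ac' \
    > "$SAMPLES/default.conf"
printf '%s\n' '# config detection: search-method ac' \
    '  config detection: search-method ac-sparsebands' > "$SAMPLES/tuned.conf"
printf '%s\n' '# config detection: search-method ac' > "$SAMPLES/none.conf"

for f in "$SAMPLES"/*.conf; do check_conf "$f" || true; done
```

A commented-out directive is ignored, so a config that only carries the line behind a `#` is reported as unset rather than as `ac`.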
added myself to the cc list
(In reply to comment #6)
> Created an attachment (id=89814)
> Ebuild for snort-2.6.0

My only suggestion for this ebuild is to change the DEPEND line "net-libs/libpcap" to "virtual/libpcap" for those of us that use libpcap-ringbuffer (which has been updated and fixed but not pushed into portage yet...see bug #117898).
Created attachment 91072
snort-2.6.0.ebuild

>>My only suggestion for this ebuild is to change the DEPEND line
>>"net-libs/libpcap" to "virtual/libpcap" for those of us that use
>>libpcap-ringbuffer

Good catch. They had not committed my ringbuffer ebuild when I submitted the snort-2.6.0 ebuild.

I made the change to use virtual/libpcap. Worked for me with both versions of libpcap.

If you do an 'emerge snort' and no libpcap exists it will pull net-libs/libpcap
If you do 'emerge libpcap-ringbuffer snort' it will pull libpcap-ringbuffer and not libpcap.
If either version of libpcap exists it will use the one currently installed.

This seems to be an appropriate behavior IMO.

Wally
Hi, Just added the last ebuild to the tree, it is currently in package.mask for testing. Thanks!
As it is in tree, RESOLVED ;)