Snort mailing list archives
Re: Updated IP Blacklisting patch (version 2)
From: Eoin Miller <eoin.miller () trojanedbinaries com>
Date: Mon, 08 Jun 2009 15:27:16 -0400
We were having some compile issues with the new iplist.patch file
on Ubuntu 8.04.2 LTS:
/src/foo/snort-2.8.4.1# patch -p1 < iplist.patch
/src/foo/snort-2.8.4.1# automake
configure.in:7: version mismatch. This is Automake 1.10.1,
configure.in:7: but the definition used by this AM_INIT_AUTOMAKE
configure.in:7: comes from Automake 1.10. You should recreate
configure.in:7: aclocal.m4 with aclocal and run automake again.
/src/foo/snort-2.8.4.1# autoconf
/src/foo/snort-2.8.4.1# ./configure --enable-iplist
/src/foo/snort-2.8.4.1# make
/bin/bash ../libtool --tag=CC --mode=link gcc -g -O2 -Wall
-DDYNAMIC_PLUGIN -fno-strict-aliasing -L/usr/lib -lpcre -L/usr/lib
-ldumbnet -o snort codes.o debug.o decode.o log.o mstring.o parser.o
profiler.o plugbase.o snort.o snprintf.o strlcatu.o strlcpyu.o tag.o
util.o detect.o signature.o mempool.o sf_sdlist.o fpcreate.o fpdetect.o
pcrm.o byte_extract.o sfthreshold.o packet_time.o event_wrapper.o
event_queue.o inline.o ppm.o log_text.o output-plugins/libspo.a
detection-plugins/libspd.a dynamic-plugins/libdynamic.a
preprocessors/libspp.a parser/libparser.a target-based/libtarget_based.a
preprocessors/HttpInspect/libhttp_inspect.a
preprocessors/Stream5/libstream5.a sfutil/libsfutil.a -ldl -lpcre -lpcap
-lm -lnsl -ldl
mkdir .libs
gcc -g -O2 -Wall -DDYNAMIC_PLUGIN -fno-strict-aliasing -o snort codes.o
debug.o decode.o log.o mstring.o parser.o profiler.o plugbase.o snort.o
snprintf.o strlcatu.o strlcpyu.o tag.o util.o detect.o signature.o
mempool.o sf_sdlist.o fpcreate.o fpdetect.o pcrm.o byte_extract.o
sfthreshold.o packet_time.o event_wrapper.o event_queue.o inline.o ppm.o
log_text.o -L/usr/lib /usr/lib/libdumbnet.so output-plugins/libspo.a
detection-plugins/libspd.a dynamic-plugins/libdynamic.a
preprocessors/libspp.a parser/libparser.a target-based/libtarget_based.a
preprocessors/HttpInspect/libhttp_inspect.a
preprocessors/Stream5/libstream5.a sfutil/libsfutil.a -lpcre -lpcap -lm
-lnsl -ldl -Wl,--rpath -Wl,/usr/lib -Wl,--rpath -Wl,/usr/lib
plugbase.o: In function `InitPreprocessors':
/home/rem/src/foo/snort-2.8.4.1/src/plugbase.c:562: undefined reference
to `SetupIpList'
collect2: ld returned 1 exit status
make[3]: *** [snort] Error 1
make[3]: Leaving directory `/src/foo/snort-2.8.4.1/src'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/src/foo/snort-2.8.4.1/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/src/foo/snort-2.8.4.1'
make: *** [all] Error 2
So to make it compile on our test box, we did the following:
# patch -p1 < iplist.patch
# aclocal
configure.in:1050: warning: macro `AM_PATH_LIBPRELUDE' not found in library
# automake
# autoconf
configure.in:1050: error: possibly undefined macro: AM_PATH_LIBPRELUDE
If this token and others are legitimate, please use m4_pattern_allow.
See the Autoconf documentation.
# ./configure --enable-iplist
--snip--
./configure: line 25766: syntax error near unexpected token `0.9.6,'
./configure: line 25766: ` AM_PATH_LIBPRELUDE(0.9.6,
use_prelude="yes", use_prelude="no")'
--snip--
So to fix this, we commented out lines 25765-25777 in the configure file:
#if test "x$enable_prelude" = "xyes"; then
# AM_PATH_LIBPRELUDE(0.9.6, use_prelude="yes", use_prelude="no")
# if test "$use_prelude" = "yes"; then
# LDFLAGS="${LDFLAGS} ${LIBPRELUDE_LDFLAGS}"
# LIBS="$LIBS ${LIBPRELUDE_LIBS}"
# CFLAGS="$CFLAGS ${LIBPRELUDE_PTHREAD_CFLAGS}"
#cat >>confdefs.h <<\_ACEOF
##define HAVE_LIBPRELUDE
#_ACEOF
#
# fi
#fi
After this, everything comes up roses:
# ./configure --enable-iplist
# make
# make install
Best guess from myself (who is a fish out of water here) is the autoconf
version of the aclocal.m4 file conversion goes fine when you run it
through aclocal, but it doesn't convert the contents of the
m4/libprelude.m4 file. I couldn't figure out what else needs to be done.
I don't know how old automake 1.10 is, but Ubuntu 8.04 LTS uses 1.10.1
if all patches are applied and current:
# automake --version
automake (GNU automake) 1.10.1
Hope others might find this info useful.
--
Eoin Miller
eoin.miller () trojanedbinaries com
Martin Roesch wrote:
Hey everyone,

I had 9 hours to kill flying back to Europe this weekend so I updated the IP Blacklisting patch and it's now available. You can get it here:

http://www.snort.org/users/roesch/code/iplist.patch.v2.tgz

What's new? I rewrote the config loader and the event generation code to support named blacklists and loading IP lists from external files. With these two mods you now get the blacklist name included in the event messages when a banned IP tries to access the network AND you can load however many blacklisted IPs you like, potentially hundreds of thousands (at least). Check out the README.iplist file that comes with it for config instructions. Note that whitelists do NOT take names, they're just exceptions to the blacklist anyway.

As per usual, this has received minimal testing and NO performance testing. May cause cramping, bowel discomfort and spontaneous decapitation, use at your own risk, your mileage may vary, etc. It's a small piece of code but I may have missed something, feel free to send feedback and I'll fix it if you find anything seriously broken.

I still haven't done flexresp-style session sniping nor does it load IPv6 addresses yet. Maybe in v3.

Enjoy!

Marty
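The configure failure reported above comes from a macro call that reached the generated script without being expanded. The following check is an added example, not part of the original post or of the Snort sources: it lists such leftover AC_*/AM_* calls in a generated configure script. The function names are hypothetical and the sample input is constructed from the fragment quoted in the post.

```shell
# Added example: find Autoconf/Automake macro calls that were left
# unexpanded in a generated configure script.

unexpanded_macros() {
    # $1: path to a generated configure script ("-" reads standard input).
    # Prints "LINE:MACRO" for every non-comment line that still calls an
    # AC_*/AM_* macro, which m4 should have turned into shell code.
    awk '
        /^[ \t]*#/ { next }                       # skip shell comment lines
        {
            line = " " $0                         # pad so a call at column 1 matches
            if (match(line, /[^A-Za-z0-9_]A[CM]_[A-Z0-9_]+\(/))
                print NR ":" substr(line, RSTART + 1, RLENGTH - 2)
        }
    ' "$1"
}

check_configure() {
    # Returns 0 when the script is clean, 1 when unexpanded macros remain.
    found=$(unexpanded_macros "$1")
    [ -z "$found" ] && return 0
    printf 'unexpanded macros in %s:\n%s\n' "$1" "$found" >&2
    return 1
}

sample_configure() {
    # Constructed sample: the fragment from the post as it would sit in configure.
    cat <<'EOF'
#! /bin/sh
# Generated by GNU Autoconf (constructed sample)
if test "x$enable_prelude" = "xyes"; then
    AM_PATH_LIBPRELUDE(0.9.6, use_prelude="yes", use_prelude="no")
    if test "$use_prelude" = "yes"; then
        LIBS="$LIBS ${LIBPRELUDE_LIBS}"
    fi
fi
EOF
}

# Demo on the constructed sample.
sample_configure | unexpanded_macros -
```

Running `check_configure ./configure` after `autoconf` flags the problem before `./configure` hits the syntax error. aclocal's `-I DIR` option adds a directory of local macro files to its search path.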
Current thread:
- Updated IP Blacklisting patch (version 2) Martin Roesch (Jun 08)
- Re: Updated IP Blacklisting patch (version 2) Eoin Miller (Jun 08)
- Re: Updated IP Blacklisting patch (version 2) Luis Daniel Lucio Quiroz (Jun 15)
- Re: Updated IP Blacklisting patch (version 2) Martin Roesch (Jun 16)
- Re: Updated IP Blacklisting patch (version 2) Eoin Miller (Jun 22)
