Snort doesn't start. Displays error "...endrpcent: symbol not found"

For Developers
1

Hello,

I use RPi4 for a home router.

Version:

 ~ # cat / etc / openwrt_release
DISTRIB_ID = 'OpenWrt'
DISTRIB_RELEASE = '21 .02.0 '
DISTRIB_REVISION = 'r16279-5cc0535800'
DISTRIB_TARGET = 'bcm27xx / bcm2711'
DISTRIB_ARCH = 'aarch64_cortex-a72'
DISTRIB_DESCRIPTION = 'OpenWrt 21.02.0 r16279-5cc0535800'

I installed and configured snort according to the documentation on the site.
When executing the following command:

~ # snort -c /etc/snort/snort.conf -i "lo" --daq-dir / usr / lib / daq
Running in IDS mode

        - == Initializing Snort == -
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/etc/snort/snort.conf"
PortVar 'HTTP_PORTS' defined: [80:81 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000: 7001 7144: 7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090: 9091 9443 9999 11371 34443: 34444 41080 50002 55555]
PortVar 'SHELLCODE_PORTS' defined: [0:79 81: 65535]
PortVar 'ORACLE_PORTS' defined: [1024: 65535]
PortVar 'SSH_PORTS' defined: [22]
PortVar 'FTP_PORTS' defined: [21 2100 3535]
PortVar 'SIP_PORTS' defined: [5060: 5061 5600]
PortVar 'FILE_DATA_PORTS' defined: [80:81 110 143 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000: 7001 7144: 7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8011 8 8180: 8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090: 9091 9443 9999 11371 34443: 34444 41080 50002 55555]
PortVar 'GTP_PORTS' defined: [2123 2152 3386]
Detection:
   Search-Method = AC-Full-Q
    Split Any / Any group = enabled
    Search-Method-Optimizations = enabled
    Maximum pattern length = 20
Tagged Packet Limit: 256
Loading dynamic engine /usr/lib/snort_dynamicengine/libsf_engine.so ... done
Loading all dynamic preprocessor libs from / usr / lib / snort_dynamicpreprocessor ...
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor/libsf_appid_preproc.so ... ERROR: Failed to load /usr/lib/snort_dynamicpreprocessor/libsf_appid_preproc.so: Error relocating /usr/lib/snort_dynam found
Fatal Error, Quitting ..

i did the ldd on libsf_appid_preproc.so

~ # ldd /usr/lib/snort_dynamicpreprocessor/libsf_appid_preproc.so
        ldd (0x7fba33d000)
        libluajit-5.1.so.2 => /usr/lib/libluajit-5.1.so.2 (0x7fb9cf6000)
        libnghttp2.so.14 => /usr/lib/libnghttp2.so.14 (0x7fb9cbd000)
        libdnet.so.1 => /usr/lib/libdnet.so.1 (0x7fb9c9d000)
        libpcre.so.1 => /usr/lib/libpcre.so.1 (0x7fb9c56000)
        libpcap.so.1 => /usr/lib/libpcap.so.1 (0x7fb9c0c000)
        libuuid.so.1 => /usr/lib/libuuid.so.1 (0x7fb9bf5000)
        libcrypto.so.1.1 => /usr/lib/libcrypto.so.1.1 (0x7fb998a000)
        libdaq.so.4 => /usr/lib/libdaq.so.4 (0x7fb9975000)
        libz.so.1 => /usr/lib/libz.so.1 (0x7fb9950000)
        libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x7fb992d000)
        libc.so => ​​ldd (0x7fba33d000)
Error relocating /usr/lib/snort_dynamicpreprocessor/libsf_appid_preproc.so endrpcent: symbol not found
Error relocating /usr/lib/snort_dynamicpreprocessor/libsf_appid_preproc.so getrpcent: symbol not found

I downloaded the package from rc1 to rc4, md5sum the sums of all are the same.

Is this expected to be fixed soon?

Regards,

2

I just ran into this as well in openwrt 22.03. Since its a pretty standard linking error, I went ahead and put a patch together for it. I've only tested this on Snort 2.9.19 and openwrt 22.03, though it looks like the package is unchanged in the master branch. Here's the updated patch:

ubuntu@builder:~/openwrt-22.03/feeds/packages/net/snort$ cat patches/003-include-tirpc.patch 
--- a/src/dynamic-preprocessors/appid/service_plugins/service_rpc.c
+++ b/src/dynamic-preprocessors/appid/service_plugins/service_rpc.c
@@ -32,6 +32,7 @@
 #include "flow.h"
 #include "service_api.h"
 
+#include <tirpc/rpc/rpcent.h>
 #if defined(FREEBSD) || defined(OPENBSD)
 #include "rpc/rpc.h"
 #endif
--- a/configure.in
+++ b/configure.in
@@ -890,6 +890,11 @@ if test "x$enable_dlclose" = "xno"; then
 fi
 
 ##################################################
+# openwrt needs libtirpc to be linked
+##################################################
+LIBS="${LIBS} -ltirpc"
+
+##################################################
 # Fedora 28+ does not have inbuilt SunRPC support#
 # in glibc and is separately availble in tirpc   #
 # package. Make sure we've got the library and   #

This is essentially a hack, so will likely need some work before being upstreamed. You can also use snort 3 if you don't want to compile yourself (or wait for it to be upstreamed), which is what I assume most people are using these days and should be working on all supported targets.