What's up with the snort package(s)? Seems only snort 2 is available.
Wiki states:
"Packages for both Snort 2.x as well as Snort 3.x are currently available. This page is focused exclusively on the 3.x series."
Makes things quite confusing. Packages for snort3 are not available in 23.05.3.
1 Like
greem
April 9, 2024, 1:51pm
2
[heavily edited reply now]
snort v2 was deprecated from snapshot in January '24, leaving only snort3. But you're right, snort3 isn't in 23.05.3 - and that is confusing!
1 Like
efahl
April 9, 2024, 3:48pm
3
snort3 is built in 22.x and earlier, but not in the 23 series. I have no idea why, as the package and makefile look fine when you switch to the v23.05.3 branch.
I think something is broken in the build config, `make menuconfig` on v23.05.xxx shows no snort entries, but if you look for it in 22.x or `main`, it's there and can be configured and built.
efahl
April 9, 2024, 6:35pm
4
1 Like
hnyman
April 9, 2024, 8:59pm
5
Source code is your friend...
My two cents are on the backport of the HAS_LUAJIT_ARCH dependency.
Main/master shows that definition:
.config - OpenWrt Configuration
> Search (LUAJIT) ────────────────────────────────────────────────────────────
┌──────────────────────────── Search Results ─────────────────────────────┐
│ Symbol: HAS_LUAJIT_ARCH [=y] │
│ Type : bool │
│ Defined at tmp/.config-package.in:26439 │
│ │
But 23.05 has no idea about that:
.config - OpenWrt Configuration
> Search (LUAJIT) ───────────────────────────────────────────────────────────────
┌────────────────────────────── Search Results ──────────────────────────────┐
│ │
│ Symbol: HAS_LUAJIT_ARCH [=HAS_LUAJIT_ARCH] │
│ Type : unknown │
│ │
And that symbol is a hard dependency since this in master:
committed 03:42PM - 25 Sep 23 UTC
Add HAS_LUAJIT_ARCH dependency to any user of luajit to fix circular
dependency … limitation.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
That requirement in snort3 has been backported into 23.05 by this commit
openwrt:openwrt-23.05
← graysky2:snort-23.05
opened 12:15PM - 25 Feb 24 UTC
Backport of:
3696345783ab13f69bcd353c8fbf41c51e46e267
de26e96ffde51b7cda28cd8e… 02bcd1a07f3ab073
Which updates snort3 to 3.1.81.0 and also builds against both hyperscan and gperftools.
Changelog: https://github.com/snort3/snort3/releases/tag/3.1.81.0
,,_ -*> Snort++ <*-
o" )~ Version 3.1.81.0
'''' By Martin Roesch & The Snort Team
http://snort.org/contact#team
Copyright (C) 2014-2024 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using DAQ version 3.0.14
Using LuaJIT version 2.1.0-beta3
Using OpenSSL 3.0.13 30 Jan 2024
Using libpcap version 1.10.4 (with TPACKET_V3)
Using PCRE version 8.45 2021-06-15
Using ZLIB version 1.3.1
Using Hyperscan version 5.4.2 2024-02-16
Using LZMA version 5.4.6
Build system: x86/64
Build-tested: x86/64/AMD Cezanne
Run-tested: x86/64/AMD Cezanne
Probably @ansuel @bkpepe know more about HAS_LUAJIT_ARCH
Ansuel
April 9, 2024, 9:01pm
6
I guess the commit has to be backported as well?
hnyman
April 9, 2024, 9:04pm
7
No idea, I just stumbled into the "disappearing package" and looked for reasons why snort3 does show up in menuconfig. Never used or compiled snort3 (or luajit) by myself.
1 Like
efahl
April 9, 2024, 10:27pm
8
One thing solved and another pops up...
@hnyman, good sleuthing. Turns out that HAS_LUAJIT_ARCH only appears in the backported snort3/Makefile. Editing the make file to remove the reference now shows snort3 in menuconfig.
But...
When I include the package in .config, the snort3 package build fails miserably, lots of missing symbols. Reported here https://github.com/openwrt/packages/issues/20994
[10/819] Building CXX object src/main/CMakeFiles/main.dir/oops_handler.cc.o
FAILED: src/main/CMakeFiles/main.dir/oops_handler.cc.o
/home/efahlgren/openwrt/openwrt/staging_dir/toolchain-x86_64_gcc-12.3.0_musl/bin/x86_64-openwrt-linux-musl-g++ -DHAVE_CONFIG_H -Dinline=inline -Drestrict=__restrict -I/home/efahlgren/openwrt/openwrt/build_dir/target-x86_64_musl/snort3-3.1.81.0/src/network_inspectors -I/home/efahlgren/openwrt/openwrt/build_dir/target-x86_64_musl/snort3-3.1.81.0/src -I/home/efahlgren/openwrt/openwrt/staging_dir/target-x86_64_musl/usr/include/luajit-2.1 -I/home/efahlgren/openwrt/openwrt/build_dir/target-x86_64_musl/snort3-3.1.81.0 -I/home/efahlgren/openwrt/openwrt/staging_dir/host/include -I/home/efahlgren/openwrt/openwrt/staging_dir/target-x86_64_musl/usr/include/hs -I/home/efahlgren/openwrt/openwrt/staging_dir/target-x86_64_musl/usr/include/uuid -I/home/efahlgren/openwrt/openwrt/build_dir/target-x86_64_musl/snort3-3.1.81.0/src/main -Os -pipe -fno-caller-saves -fno-plt -fhonour-copts -fmacro-prefix-map=/home/efahlgren/openwrt/openwrt/build_dir/target-x86_64_musl/snort3-3.1.81.0=snort3-3.1.81.0 -Wformat -Werror=format-security -fstack-protector -D_FORTIFY_SOURCE=1 -Wl,-z,now -Wl,-z,relro -I/home/efahlgren/openwrt/openwrt/staging_dir/target-x86_64_musl/usr/include/daq3 -I/home/efahlgren/openwrt/openwrt/staging_dir/target-x86_64_musl/usr/include/tirpc -fvisibility=hidden -DNDEBUG -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-free -DNDEBUG -std=c++17 -MD -MT src/main/CMakeFiles/main.dir/oops_handler.cc.o -MF src/main/CMakeFiles/main.dir/oops_handler.cc.o.d -o src/main/CMakeFiles/main.dir/oops_handler.cc.o -c /home/efahlgren/openwrt/openwrt/build_dir/target-x86_64_musl/snort3-3.1.81.0/src/main/oops_handler.cc
/home/efahlgren/openwrt/openwrt/build_dir/target-x86_64_musl/snort3-3.1.81.0/src/main/oops_handler.cc: In member function 'void OopsHandler::set_current_message(DAQ_Msg_h, snort::SFDAQInstance*)':
/home/efahlgren/openwrt/openwrt/build_dir/target-x86_64_musl/snort3-3.1.81.0/src/main/oops_handler.cc:61:9: error: 'DIOCTL_GetPrivDataLen' was not declared in this scope
61 | DIOCTL_GetPrivDataLen ioctl_data = {cur_msg, 0};
| ^~~~~~~~~~~~~~~~~~~~~
/home/efahlgren/openwrt/openwrt/build_dir/target-x86_64_musl/snort3-3.1.81.0/src/main/oops_handler.cc:62:48: error: 'DIOCTL_GET_PRIV_DATA_LEN' was not declared in this scope
62 | if (DAQ_SUCCESS == daq_instance->ioctl(DIOCTL_GET_PRIV_DATA_LEN, &ioctl_data, sizeof(ioctl_data)))
| ^~~~~~~~~~~~~~~~~~~~~~~~
/home/efahlgren/openwrt/openwrt/build_dir/target-x86_64_musl/snort3-3.1.81.0/src/main/oops_handler.cc:62:75: error: 'ioctl_data' was not declared in this scope
62 | if (DAQ_SUCCESS == daq_instance->ioctl(DIOCTL_GET_PRIV_DATA_LEN, &ioctl_data, sizeof(ioctl_data)))
| ^~~~~~~~~~
/home/efahlgren/openwrt/openwrt/build_dir/target-x86_64_musl/snort3-3.1.81.0/src/main/oops_handler.cc: In member function 'void OopsHandler::eternalize(int)':
/home/efahlgren/openwrt/openwrt/build_dir/target-x86_64_musl/snort3-3.1.81.0/src/main/oops_handler.cc:97:27: error: 'daq_msg_get_priv_data' was not declared in this scope; did you mean 'daq_msg_get_data'?
97 | memcpy(priv_data, daq_msg_get_priv_data(msg), std::min<size_t>(priv_data_len, sizeof(priv_data)));
| ^~~~~~~~~~~~~~~~~~~~~
| daq_msg_get_data
ninja: build stopped: subcommand failed.
I'll carry on over on the -devel list, and stop posting on this thread, at least until something is resolved (no sense in posting everything twice).
Belay that, discussion will be continued at https://github.com/openwrt/packages/issues/23861
1 Like
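The check done by hand in the posts above, written out as an added example (not part of the thread and not OpenWrt tooling): it lists Kconfig symbols that a package Makefile requires through `@SYMBOL` terms in `DEPENDS` but that none of the given Kconfig files define. Kconfig treats an undefined symbol as `n`, so a package depending on one is hidden from menuconfig. The function names and the sample Makefile and Kconfig contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: find "@SYMBOL" dependencies of a package Makefile that no
# Kconfig file defines. Function names and sample data are hypothetical.

# Print each @-referenced symbol in the DEPENDS lines of Makefile $1.
depends_symbols() {
    sed -e :a -e '/\\$/N; s/\\\n//; ta' "$1" |     # join continued lines
        grep -E '^[[:space:]]*DEPENDS[[:space:]]*[:+]?=' |
        grep -oE '@[^[:space:]]+' |                # @SYM, @!SYM, @(A||B)
        tr -c 'A-Za-z0-9_\n' '\n' |                # split on operators
        grep -E '^[A-Za-z_]' | sort -u
}

# Exit 0 if any Kconfig file in $2.. has a "config $1" or "menuconfig $1" entry.
symbol_defined() {
    sym=$1; shift
    grep -qE "^[[:space:]]*(menu)?config[[:space:]]+$sym[[:space:]]*$" "$@"
}

# Print the symbols Makefile $1 depends on that Kconfig files $2.. do not define.
undefined_depends_symbols() {
    mk=$1; shift
    for s in $(depends_symbols "$mk"); do
        symbol_defined "$s" "$@" || echo "$s"
    done
}

demo() {
    d=$(mktemp -d)
    # Constructed stand-ins for a package Makefile and two generated Kconfig files.
    printf 'define Package/snort3\n  DEPENDS:=+libpcap +luajit \\\n    @HAS_LUAJIT_ARCH @!TARGET_foo\nendef\n' > "$d/Makefile"
    printf 'config TARGET_foo\n\tbool\nconfig HAS_LUAJIT_ARCH\n\tbool\n' > "$d/main.in"
    printf 'config TARGET_foo\n\tbool\n' > "$d/2305.in"
    echo "main:  [$(undefined_depends_symbols "$d/Makefile" "$d/main.in")]"
    echo "23.05: [$(undefined_depends_symbols "$d/Makefile" "$d/2305.in")]"
    rm -rf "$d"
}
demo
```

In a buildroot the Kconfig arguments would include `tmp/.config-package.in`, the file named in the menuconfig search above; symbols defined in other Config.in files are reported as undefined unless those files are passed as well.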
efahl
April 20, 2024, 5:51pm
9
Snort3 has just appeared in the 23.05.3 release branch (at least for x86/64):
https://downloads.openwrt.org/releases/packages-23.05/x86_64/packages/snort3_3.1.82.0-1_x86_64.ipk
(@kimboslice, you should probably mark this thread as "solved".)
2 Likes
Thanks for opening that issue and getting this resolved!
2 Likes
quba
April 30, 2024, 10:58am
11
Don't know if I'm jumping onto correct thread, but I have installed snort3 today with `opkg` and tried to follow wiki, but `snort-rules` and `snort-mgr` utilities seem to not be present:
# snort-rules
-ash: snort-rules: not found
# snort-mgr
-ash: snort-mgr: not found
1 Like
efahl
April 30, 2024, 4:48pm
12
Correct, they are only present in snapshot, and don't appear in 23.05 or earlier.
All of the new stuff is just scripts (`sh` and `ucode`), so probably works on 23.05... Look in https://github.com/openwrt/packages/tree/master/net/snort3 (the `Makefile` can tell you how it's laid out, and `files/` contains the scripts and supporting files).
1 Like
system
Closed
May 10, 2024, 4:48pm
13
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.