Building Snort 2.8.0 on MAC OSX 10.5 (Leopard)

snort-devel [Snort-devel] Building Snort 2.8.0 on MAC OSX 10.5 (Leopard)
From: Steven Sturges <steve.sturges@sourcefire.com>

For those who use Snort on a MAC, this might be helpful…

The following is courtesy of Martin Fong, who’s helped us track down
an issue seen when starting Snort w/ dynamic preprocessor libraries
on MAC OSX 10.5. The text below will be included in the
MAC OSX section of doc/INSTALL in the next release as well.

——
For users of Mac OSX 10.5 (Leopard), the following environment variables
must be set before running configure & make.

Reference information for MAC OSX 10.5 (Leopard) can be found at these
two links.

http://developer.apple.com/releasenotes/Darwin/SymbolVariantsRelNotes
http://lists.apple.com/archives/xcode-users/2007/Jun/msg00163.html

$ export LD_TWOLEVEL_NAMESPACE=1
$ export MACOSX_DEPLOYMENT_TARGET=10.5
$ ./configure
$ make
——

Also, with Snort 2.8.0, the dynamicengine line in the default
snort.conf must be updated to load libsf_engine.dylib, instead of
libsf_engine.so. The following line:

dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so

Should be changed to:

dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.dylib

Happy (MAC) Snorting. 🙂

Cheers.
-steve
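
The snort.conf edit described in the message above can be scripted. The following is an added example, not part of the original message or of the Snort distribution; the function names `fix_dynamicengine` and `dynamicengine_path` and the `.orig` backup suffix are assumptions, and the demo input is a constructed fragment.

```shell
#!/bin/sh
# Added example: point the active dynamicengine directive in a snort.conf
# at libsf_engine.dylib instead of libsf_engine.so (Snort 2.8.0 on Mac OS X).
# Function names and the ".orig" backup suffix are illustrative assumptions.

# Rewrite the directive in place.
# Returns 0 if rewritten, 1 if nothing needed changing, 2 on error.
fix_dynamicengine() {
    conf=$1
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }
    # Only an active (uncommented) dynamicengine line ending in .so counts.
    if ! grep -Eq '^[[:space:]]*dynamicengine[[:space:]].*libsf_engine\.so[[:space:]]*$' "$conf"; then
        return 1
    fi
    # Back up, then edit through a temp file: "sed -i" takes different
    # arguments on BSD (Mac OS X) and GNU sed, so it is avoided here.
    cp -p "$conf" "$conf.orig" || return 2
    tmp=$(mktemp "${TMPDIR:-/tmp}/snortconf.XXXXXX") || return 2
    sed '/^[[:space:]]*dynamicengine[[:space:]]/ s/libsf_engine\.so[[:space:]]*$/libsf_engine.dylib/' \
        "$conf" > "$tmp" && cat "$tmp" > "$conf"   # cat keeps the file's owner and mode
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] || rc=2
    return $rc
}

# Print the library path named by the active dynamicengine directive,
# so the caller can confirm the file exists before starting Snort.
dynamicengine_path() {
    awk '$1 == "dynamicengine" { print $2; exit }' "$1"
}

# Demo on a constructed snort.conf fragment (not a real configuration).
demo=$(mktemp "${TMPDIR:-/tmp}/snort.conf.XXXXXX")
printf '%s\n' \
    '# dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so' \
    'dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so' > "$demo"
fix_dynamicengine "$demo" && dynamicengine_path "$demo"
rm -f "$demo" "$demo.orig"
```

On a real install, follow the rewrite with `[ -f "$(dynamicengine_path /path/to/snort.conf)" ]` to confirm the library is where the directive says it is.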

Update:

If you run into a Bus error:

* MAC OSX
———
On Darwin (maybe others), the configure script shipped as part of the
source distribution needs to be recreated. To do this, run the
following commands:

aclocal -I m4
autoheader
automake --add-missing --copy
autoconf

If you plan to use the dynamic plugin capability (ie,
configure --enable-dynamicplugin), snort needs to be linked using
the two level namespace. To do this, set the LD_TWOLEVEL_NAMESPACE
environment variable to something prior to running configure.
An example:

$ export LD_TWOLEVEL_NAMESPACE=1
$ export MACOSX_DEPLOYMENT_TARGET=10.5
$ ./configure --enable-dynamicplugin

2 comments

  1. DATE: 11/14/2010

    I have tried installing snort on Mac OS X 10.6.5 via:

    Updating all my ports:
    sudo port selfupdate
    sudo port upgrade outdated

    Installing snort via MacPorts which seems to also be called Darwin (why two names I don’t know)
    sudo port install snort

    The version installed (via snort -V) is snort 2.6.1.5 … but the latest is snort 2.9.0.1

    And the latest rules (snortrules-snapshot-2900) is not compatible,

    So then I tried installing RPM via Mac Ports and trying to install the RPM version but when I attempted rpm -ivh snort-1.8.6-1snort.i386.rpm it immediately failed saying “segmentation fault.”

    So then I tried getting the source and typing ./configure and it says…

    ERROR! dnet header not found, go get it from
    http://code.google.com/p/libdnet/ or use the --with-dnet-*
    options, if you have it installed in an unusual place

    So I tried installing this via the DMG but it complained that it needed Python 2.5.

    So I installed the latest Python 2 series, which is 2.7 and it still complained that it needed 2.5.

    So then I installed the Python 2.5 universal binary DMG and it installed…

    But I still get this message when attempting to configure:

    ERROR! dnet header not found, go get it from
    http://code.google.com/p/libdnet/ or use the --with-dnet-*
    options, if you have it installed in an unusual place

    So bottom line is:

    I can’t make snort work on the mac with updated signatures.

    If you happen to have the answer it would be much appreciated, and if you have an amazon wish list or a way to donate to any missions that are important for you personally, please be in touch with your info. Thanks!

    • Hi Shawn,
      Sorry for the long delay… I don’t get too many comments that require a response so I don’t check that often.

      I see the issue you are dealing with and I can understand the frustration. This is typical with some of the more active and popular open source software and the Mac. Especially when using a package manager like MacPorts and Fink. Mac users can count on being the last to get updates to FLOSS software and usually we have to hack our way into running the latest stuff.

      I would not go down the RPM route as you were trying to do. I would instead compile Snort from source. Believe it or not I have found the IBM developers site a great resource for learning how to set up and configure open source stuff. Some of it may be a little dated but the methods still apply and I think may get you where you would like to go with a Snort install on Mac 10.6. I haven’t tried this yet but will at some point and will post my findings.
      Installing Snort from source code
