PSARC 2014/346 Data Acquisition library (DAQ) 2.0.2
PSARC 2014/347 snort 2.9.6.2
16915792 The default state of the snort.conf file should be reexamined.
16915848 snort should put files under /etc/snort not directly under /etc
19557337 ipfw DAQ module shouldn't be enabled on Solaris
19696371 Update daq to version 2.0.2
19696436 Update snort to version 2.9.6.2
Provide the directory where snort will initially look for DAQ modules.
This patch has not been sent upstream, because the Solaris integration
of libdaq is different from the way that Linux systems do this.
On Linux systems, DAQ installs two static libraries:
/usr/lib/libdaq_static.a
/usr/lib/libdaq_static_modules.a
When snort is being configured, you see:
...
checking for daq_load_modules in -ldaq_static... yes
...
and at link time we see "-ldaq_static ... -ldaq_static_modules ...".
This means that when you start snort running, it knows where to
look for a set of DAQ modules that it loads. This is done with
with a call to the DAQ routine daq_load_modules().
On Solaris, we do not provide those two static libraries (or their 64-bit
equivalents). Therefore, by default, a call to daq_load_modules() using
the dynamic libraries doesn't know where to look for any DAQ modules.
Now you can override this by starting snort with:
$ sudo /usr/bin/snort --daq-dir /usr/lib/64/daq
or
$ sudo /usr/bin/snort -c /etc/snort.conf
or something similar, but that doesn't allow:
$ sudo /usr/bin/snort
to work, right out of the box, which is what snort users would expect.
To resolve this, at snort initialization time on Solaris, the code has
been adjusted to specify a single default DAQ module directory:
/usr/lib/64/daq
--- src/snort.c.orig 2014-09-25 07:53:43.356728058 -0700
+++ src/snort.c 2014-09-25 07:55:05.650780347 -0700
@@ -4039,6 +4039,9 @@
{
SnortConfig *sc = (SnortConfig *)SnortAlloc(sizeof(SnortConfig));
+ /* Define where to look for DAQ modules. */
+ ConfigDaqDir(sc, "/usr/lib/64/daq");
+
sc->pkt_cnt = 0;
#ifdef REG_TEST
sc->pkt_skip = 0;