# snortsam for snort-2.8.4.1 [SOLVED]

## hanj

Hello

I see that snort-2.8.4.1 is officially out. Also, that it no longer has the snortsam USE flag. I saw a patch and ebuild for snort-2.8.3 to use snortsam in bugs

https://bugs.gentoo.org/245752

I modified the patch to be applied to 2.8.4.1 and updated the 2.8.4.1 ebuild to use the patch, but I get the following errors during the compile:

```
Making install in output-plugins
make[2]: Entering directory `/var/tmp/portage/net-analyzer/snort-2.8.4.1/work/snort-2.8.4.1/src/output-plugins'
i686-pc-linux-gnu-gcc -DHAVE_CONFIG_H -I. -I../.. -I../.. -I../../src -I../../src/sfutil -I/usr/include/pcap -I../../src/output-plugins -I../../src/detection-plugins -I../../src/dynamic-plugins -I../../src/preprocessors -I../../src/preprocessors/portscan -I../../src/preprocessors/HttpInspect/include -I../../src/preprocessors/Stream5 -I../../src/target-based  -I/usr/include/mysql -DENABLE_MYSQL -fno-strict-aliasing  -march=pentium4 -O3 -funroll-loops -fprefetch-loop-arrays -pipe -Wall -DDYNAMIC_PLUGIN -fno-strict-aliasing -c spo_alert_fwsam.c
In file included from spo_alert_fwsam.c:109:
spo_alert_fwsam.h:36:19: error: fatal.h: No such file or directory
spo_alert_fwsam.c: In function 'AlertFWsamSetup':
spo_alert_fwsam.c:144: error: too few arguments to function 'RegisterPlugin'
make[2]: *** [spo_alert_fwsam.o] Error 1
make[2]: Leaving directory `/var/tmp/portage/net-analyzer/snort-2.8.4.1/work/snort-2.8.4.1/src/output-plugins'
make[1]: *** [install-recursive] Error 1
make[1]: Leaving directory `/var/tmp/portage/net-analyzer/snort-2.8.4.1/work/snort-2.8.4.1/src'
make: *** [install-recursive] Error 1
```

I would like to upgrade snort, but I need to have snortsam functionality. Anyone else out there trying to get this to work?

Thanks!

hanji

----------

## hanj

* bump *

----------

## hanj

Seriously? No one is using snortsam with snort these days?

----------

## krisse

Helping to *bump*.

----------

## hanj

bump. Looks like rules for 2.6 are no longer.. this is starting to be a priority. Anyone?

----------

## slyguy2000

I have one working with snort-2.8.4.1!

you can download the diff from here: {REMOVED}

Please see the official Snortsam site for the latest .diff file, as they have it listed there now.

----------

## slyguy2000

 *hanj wrote:*   

> Hello
> 
> I see that snort-2.8.4.1 is officially out. Also, that it no longer has the snortsam USE flag. I saw a patch and ebuild for snort-2.8.3 to use snortsam in bugs
> 
> https://bugs.gentoo.org/245752
> ...

 

You were really close... I don't know what you had in your code, but besides line numbers needing to be tweaked, you need to add fatal.h to your src folder (I copied it from 2.8.3), and after that you would have gotten an error about not enough arguments for RegisterPlugin on the AlertFWsamOption... You would need to add a NULL argument to the line to make it like this:

```
RegisterPlugin("fwsam", AlertFWsamOptionInit, NULL, OPT_TYPE_ACTION);
```

The diff that I made will build the fatal.h for you, so no need to copy it from the previous version.

g'luk on getting yours up and running... Please keep us posted if you have any other problems.

----------

## hanj

 *slyguy2000 wrote:*   

> I have one working with snort-2.8.4.1!   
> 
> you can download the diff from here: LINK

 

Hello slyguy2000

Thanks much for that. I was able to get snort built with snortsam patch!!! Much appreciated.

Thanks!

hanji

----------

## nOw2

Thanks for the mention that snort no longer has the snortsam use flag. Creating a patched archive then removing the checksum test allows the ebuild to install as it used to work, and so has got my firewall back up and running.

It seems that every time I emerge something on Gentoo something major has changed. I'm really losing the faith.

----------

## Hu

 *nOw2 wrote:*   

> It seems that every time I emerge something on Gentoo something major has changed. I'm really losing the faith.

 

Gentoo is a moving target, and generally tracks upstream.  If you use packages that have upstream maintainers that like to make major changes on a regular basis, then yes, you will experience major changes every time you upgrade.  Your options are: complain to upstream that they need to stop making such major changes, switch to a distribution like Red Hat or SuSE that believes in backporting bug fixes rather than going to new versions, or find/hire someone to help you with the backports so that you can avoid going to new versions.

----------

## hanj

 *Hu wrote:*   

> *nOw2 wrote:*
>
> > It seems that every time I emerge something on Gentoo something major has changed. I'm really losing the faith.
>
> Gentoo is a moving target, and generally tracks upstream.  If you use packages that have upstream maintainers that like to make major changes on a regular basis, then yes, you will experience major changes every time you upgrade.  Your options are: complain to upstream that they need to stop making such major changes, switch to a distribution like Red Hat or SuSE that believes in backporting bug fixes rather than going to new versions, or find/hire someone to help you with the backports so that you can avoid going to new versions.

 

Hu, that was well said! Gentoo can be a pain at times, but the benefits so outweigh the irritations for me. I can't imagine working with anything else.

hanji

----------

