I still haven’t had any luck getting the geoip support compiling under ossec.
The compile process is hanging up on the log.c file.
“ossec-hids-2.7-beta-2/src/analysisd/alerts/log.c”
I really don’t work with C programming (more of a systems engineer guy) but I
do see log.c expecting geoip header files.
How would ossec find the geoip header files unless it were told where to get
them? It’s been a LONG time since my C programming college class so forgive me
if I am asking a stupid question.
I tried forcing the compile to look at /usr/local/lib by adding it to the
Config.Make file, but it didn’t seem to fix anything.
CFLAGS = -g -Wall -I${PT} -I${PT}headers ${CPATH} ${CEXTRA} ${DEXTRA} ${EEXTRA}
${FEXTRA} ${GEXTRA} ${HEXTRA} ${CGEOIP} -I/usr/local/lib/*.a
-DARGV0=\"${NAME}\" -DXML_VAR=\"var\" -DOSSECHIDS
What’s interesting is if I copy the geoip header files to the ossec headers
folder and run a make in the alerts folder I get a different sort of error,
again I am not a programmer so I don’t truly understand if it means anything?
root@slas:/root/ossec-hids-2.7-beta-2/src/analysisd/alerts# make
gcc -I../ -g -Wall -I../../ -I../../headers -DGEOIP -lGeoIP
-I/usr/local/lib/*.a -DARGV0=\"alerts\" -DXML_VAR=\"var\" -DOSSECHIDS -c mail.c
log.c exec.c getloglocation.c
log.c: In function ‘GeoIPLookup’:
log.c:96:3: warning: function returns address of local variable [enabled by default]
Any ideas out there? Anyone else working with ossec beta + geoip + Ubuntu out
there??
James Whittington
From: [email protected] [mailto:[email protected]] On
Behalf Of Jb Cheng
Sent: Monday, October 29, 2012 7:30 PM
To: [email protected]
Subject: [ossec-list] Re: Having Issues Getting geoip working on beta 2
Your compilation flag is correct: -DGEOIP -lGeoIP
Your libGeoIP.a file under /usr/local/lib looks right.
You are on the right track, but I am not sure why your linker did not look
under /usr/local/lib/ for the lib file.
On Thursday, October 25, 2012 2:56:55 PM UTC-7, James Whittington wrote:
I am trying to install beta 2.7 on Ubuntu 12.04 (stable compiled fine on it)
following the install notes for geoip support.
I pulled down the geoip source referenced in the install notes and compiled
it successfully.
In the ossec src folder I did the “make setgeoip” command.
When I run the ossec install script I got these errors..
gcc -g -Wall -I../ -I../headers -DDEFAULTDIR=\"/var/ossec\" -DGEOIP
-lGeoIP -DARGV0=\"ossec-analysisd\" -DXML_VAR=\"var\" -DOSSECHIDS -I./
analysisd.c stats.c lists.c lists_list.c rules.c rules_list.c config.c fts.c
dodiff.c eventinfo.c eventinfo_list.c cleanevent.c active-response.c
picviz.c prelude.c compiled_rules/*.o ../config/lib_config.a
decoders/decoders.a cdb/cdb.a cdb/cdb_make.a alerts/alerts.a
../os_xml/os_xml.a ../os_regex/os_regex.a ../os_net/os_net.a
../shared/lib_shared.a ../os_zlib/os_zlib.c ../external/libz.a -o
ossec-analysisd
alerts/alerts.a(log.o): In function `GeoIPLookup':
/root/ossec-hids-2.7-beta-2/src/analysisd/alerts/log.c:66: undefined
reference to `GeoIP_open'
/root/ossec-hids-2.7-beta-2/src/analysisd/alerts/log.c:71: undefined
reference to `GeoIP_record_by_name_v6'
/root/ossec-hids-2.7-beta-2/src/analysisd/alerts/log.c:82: undefined
reference to `GeoIP_open'
/root/ossec-hids-2.7-beta-2/src/analysisd/alerts/log.c:87: undefined
reference to `GeoIP_record_by_name'
/root/ossec-hids-2.7-beta-2/src/analysisd/alerts/log.c:90: undefined
reference to `GeoIP_region_name_by_code'
/root/ossec-hids-2.7-beta-2/src/analysisd/alerts/log.c:95: undefined
reference to `GeoIP_delete'
/root/ossec-hids-2.7-beta-2/src/analysisd/alerts/log.c:98: undefined
reference to `GeoIP_delete'
Looks like the geoip put itself in the “/usr/local/lib” folder so my wild
guess is maybe I need to include that folder at compile time?
root@slas:/root/ossec-hids-2.7-beta-2# ls -la /usr/local/lib/
total 2396
drwxr-xr-x 3 root root 4096 Oct 22 13:14 .
drwxr-xr-x 10 root root 4096 Aug 22 01:30 ..
-rw-r--r-- 1 root root 1471990 Oct 22 13:14 libGeoIP.a
-rwxr-xr-x 1 root root 950 Oct 22 13:14 libGeoIP.la
lrwxrwxrwx 1 root root 17 Oct 22 13:14 libGeoIP.so ->
libGeoIP.so.1.4.8
lrwxrwxrwx 1 root root 17 Oct 22 13:14 libGeoIP.so.1 ->
libGeoIP.so.1.4.8
-rwxr-xr-x 1 root root 788239 Oct 22 13:14 libGeoIP.so.1.4.8
-rw-r--r-- 1 root root 91036 Oct 22 13:14 libGeoIPUpdate.a
-rwxr-xr-x 1 root root 1023 Oct 22 13:14 libGeoIPUpdate.la
lrwxrwxrwx 1 root root 23 Oct 22 13:14 libGeoIPUpdate.so ->
libGeoIPUpdate.so.0.0.0
lrwxrwxrwx 1 root root 23 Oct 22 13:14 libGeoIPUpdate.so.0 ->
libGeoIPUpdate.so.0.0.0
-rwxr-xr-x 1 root root 71255 Oct 22 13:14 libGeoIPUpdate.so.0.0.0
Has anyone else had or worked around these issues? I would really like to
get the geoip stuff working..
Thanks..
James Whittington