Snort mailing list archives
Re: dump dynamic rules problem.
From: Husnu Demir <hdemir () metu edu tr>
Date: Wed, 23 Dec 2009 17:27:31 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks. I am pretty sure I tried that but could not manage. Perhaps I tried that without "=" sign. Perhaps you should add "=" sign to the --help option :)

Best regards.
hdemir.

Matt Watchinski wrote:
Maybe you truncated the following line in your previous email, but

/usr/local/snort-2.8.5.1/bin/snort --dump-dynamic-rules=/tmp

Snort doesn't know where the dynamic rules are if you don't give it a -c for the snort.conf

snort -c snort.conf --dump-dynamic-rules=/tmp

Cheers,
-matt

2009/12/23 Husnu Demir <hdemir () metu edu tr>

/usr/local/snort-2.8.5.1/bin/snort -l /var/log/snort/ -c /usr/local/snort-2.8.5.1/etc/snort.conf -i eth0

hdemir.

PS: I gave the last output to show that it is working with the so_rules but did not dump the so_rules.

Steven Sturges wrote:
What other command line arguments are you passing to snort?
When Snort prints out the version information and related for each of the various objects loaded, it is operating in its normal run mode.

Husnu Demir wrote:
Yes I tried that option also, but no luck. There is no rules files in /tmp/ dir.
I used the *.rules files in so_rules directory and run the snort; It gave me the following result;

..
..
        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.5.1 (Build 114)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2009 Sourcefire, Inc., et al.
           Using PCRE version: 7.6 2008-01-28

Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.11 <Build 17>
Rules Object: netbios Version 1.0 <Build 1>
Rules Object: imap Version 1.0 <Build 1>
Rules Object: web-client Version 1.0 <Build 1>
Rules Object: nntp Version 1.0 <Build 1>
Rules Object: dos Version 1.0 <Build 1>
Rules Object: smtp Version 1.0 <Build 1>
Rules Object: web-misc Version 1.0 <Build 1>
Rules Object: sql Version 1.0 <Build 1>
Rules Object: multimedia Version 1.0 <Build 1>
Rules Object: misc Version 1.0 <Build 1>
Rules Object: p2p Version 1.0 <Build 1>
Rules Object: web-activex Version 1.0 <Build 1>
Rules Object: chat Version 1.0 <Build 1>
Rules Object: exploit Version 1.0 <Build 1>
Rules Object: bad-traffic Version 1.0 <Build 1>
Preprocessor Object: SF_DCERPC2 Version 1.0 <Build 2>
Preprocessor Object: SF_SSH Version 1.1 <Build 2>
Preprocessor Object: SF_SSLPP Version 1.1 <Build 3>
Preprocessor Object: SF_FTPTELNET Version 1.2 <Build 12>
Preprocessor Object: SF_SMTP Version 1.1 <Build 8>
Preprocessor Object: SF_DNS Version 1.1 <Build 3>
Preprocessor Object: SF_Dynamic_Example_Preprocessor Version 1.0 <Build 1>
Preprocessor Object: SF_DCERPC Version 1.1 <Build 5>

So it is working. But I could not dump the files. And there is no error.
Thanks.
hdemir.

Steven Sturges wrote:
Pretty sure you need an = between the option and the path, ie.

/usr/local/snort-2.8.5.1/bin/snort --dump-dynamic-rules=/tmp/

Husnu Demir wrote:
Hi People,

/usr/local/snort-2.8.5.1/bin/snort --dump-dynamic-rules /tmp/ command is not working properly.

/usr/local/snort-2.8.5.1/bin/snort --dump-dynamic-rules /tmp/
Running in Rule Dump mode
        --== Initializing Snort ==--
Initializing Output Plugins!
Snort BPF option: /tmp
ERROR: snort.c(5049) Please specify the directory path for dumping the dynamic rules
Fatal Error, Quitting..

When I try

/usr/local/snort-2.8.5.1/bin/snort --dump-dynamic-rules=/tmp
Running in Rule Dump mode
        --== Initializing Snort ==--
Initializing Output Plugins!
Dumping dynamic rules...
Finished dumping dynamic rules.
Snort exiting

ls /tmp
total 0

My snort config
.. snips..
..
dynamicdetection directory /usr/local/snort-2.8.5.1/lib/snort_dynamicrules/
..

uname -a
Linux kaf 2.6.26-2-xen-amd64 #1 SMP Thu Nov 5 04:27:12 UTC 2009 x86_64 GNU/Linux

Also I used precompiled Ubuntu 8.04 rules.so.

Thanks.
hdemir.

I used
--
Matthew Watchinski
Sr. Director Vulnerability Research Team (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAksyNt0ACgkQHgR50XBBy+lpSgCfRb+HKbwbL0jHg/QjI1mF7h2S
q5gAn264sQwwhnPcdhbimM8qjMAqu41x
=fYPu
-----END PGP SIGNATURE-----
Attachment: hdemir.vcf
------------------------------------------------------------------------------ This SF.Net email is sponsored by the Verizon Developer Community Take advantage of Verizon's best-in-class app development support A streamlined, 14 day to market process makes app distribution fast and easy Join now and get one step closer to millions of Verizon customers http://p.sf.net/sfu/verizon-dev2dev
_______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel
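The thread settles on two details that are easy to get wrong: `--dump-dynamic-rules` needs an `=` between the option and the directory, and Snort only knows where the `dynamicdetection` libraries are when it is also given `-c snort.conf`. The reporter's symptom was a "Finished dumping dynamic rules" message followed by an empty directory, so a wrapper should check the result rather than trust the exit message. The POSIX sh function below is an added example written for this page; it is not code from the thread or from the Snort project. The function name, the `SNORT_BIN`, `SNORT_CONF` and `DUMP_DIR` environment variables and the default output directory are this example's own assumptions; the default config path is the one the reporter used.

```shell
#!/bin/sh
# Added example (not from the thread or from Snort): run the dynamic-rule dump
# the way the thread recommends and verify that rule files actually appeared.

# dump_dynamic_rules SNORT_BINARY SNORT_CONF OUTPUT_DIR
#   returns 0 when at least one *.rules file was written to OUTPUT_DIR,
#   1 when snort failed or wrote nothing, 2 on bad arguments.
dump_dynamic_rules() {
    snort_bin="$1"
    conf="$2"
    outdir="$3"

    [ -x "$snort_bin" ] || { echo "snort binary not executable: $snort_bin" >&2; return 2; }
    [ -r "$conf" ]      || { echo "config not readable: $conf" >&2; return 2; }
    mkdir -p "$outdir"  || return 2

    # Both points from the thread in one command line:
    #   -c <conf>                  so Snort can read 'dynamicdetection directory ...'
    #   --dump-dynamic-rules=<dir> with '=' (a separate argument is parsed as a BPF filter)
    "$snort_bin" -c "$conf" --dump-dynamic-rules="$outdir" || return 1

    # Snort's "Finished dumping dynamic rules." can be printed with nothing written
    # (the reporter saw 'ls /tmp' -> 'total 0'), so count the files ourselves.
    n=$(find "$outdir" -maxdepth 1 -type f -name '*.rules' | wc -l)
    if [ "$n" -eq 0 ]; then
        echo "no .rules files written to $outdir; check the dynamicdetection setting in $conf" >&2
        return 1
    fi
    echo "$n rule file(s) written to $outdir"
    return 0
}

# Usage: only runs when SNORT_BIN is set, so the file can also be sourced.
# SNORT_BIN=/usr/local/snort-2.8.5.1/bin/snort sh dump-rules.sh
if [ -n "${SNORT_BIN:-}" ]; then
    dump_dynamic_rules "$SNORT_BIN" \
        "${SNORT_CONF:-/usr/local/snort-2.8.5.1/etc/snort.conf}" \
        "${DUMP_DIR:-/tmp/snort-dynamic-rules}"
fi
```

Counting `*.rules` files is the check the reporter was missing: the dump mode exits cleanly even when the configured `dynamicdetection directory` contains nothing to dump, so an empty result is only visible by looking at the output directory.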
Current thread:
- dump dynamic rules problem. Husnu Demir (Dec 22)
- Re: dump dynamic rules problem. Steven Sturges (Dec 22)
- Re: dump dynamic rules problem. Husnu Demir (Dec 23)
- Re: dump dynamic rules problem. Steven Sturges (Dec 23)
- Re: dump dynamic rules problem. Husnu Demir (Dec 23)
- Re: dump dynamic rules problem. Matt Watchinski (Dec 23)
- Re: dump dynamic rules problem. Husnu Demir (Dec 23)
- Re: dump dynamic rules problem. Husnu Demir (Dec 23)
- Re: dump dynamic rules problem. Steven Sturges (Dec 22)