Re: Snort not loading dynamic rules?

[Joel Esler <jesler () sourcefire com>]

My Snort says "0 Dynamic Rules" as well, but I know it's loading them, since I am getting alerts from them.

Try commenting them out in the snort.conf and look at this number:

> 6154 Snort rules read

Then turn them back on and look at the number again.

J

On Feb 10, 2010, at 3:46 PM, Andy Berryman wrote:

> I thought I read somewhere that when it says it loaded 0 dynamic rules that it really didn't mean anything. I'm just 
> trying to double check myself to make sure it wasn't a dream.
>  
> When I start snort and tail syslog I get this
>  
> 0998]: Initializing rule chains...
> Feb 10 19:11:49 (none) snort[20998]: 6154 Snort rules read
> Feb 10 19:11:49 (none) snort[20998]:     5912 detection rules
> Feb 10 19:11:49 (none) snort[20998]:     65 decoder rules
> Feb 10 19:11:49 (none) snort[20998]:     177 preprocessor rules
> Feb 10 19:11:49 (none) snort[20998]: 6154 Option Chains linked into 624 Chain Headers
> Feb 10 19:11:49 (none) snort[20998]: 0 Dynamic rules
>  
>  
> I have my so.rules in my snort.conf
>  
> dynamicdetection directory /snort_lib/snort_dynamicrules
> dynamicpreprocessor directory /snort_lib/snort_dynamicpreprocessor
> dynamicengine directory /snort_lib/snort_dynamicengine
>  
> var RULE_PATH /snort/conf
>  
>  
> include $RULE_PATH/so.rules
> include $RULE_PATH/preprocessor.rules
> include $RULE_PATH/decoder.rules
>  
> I dump all the dynamic rules from snort_dynamicrules to the so_rules then I go into each of the directories it 
> creates and copy the rules to a single so.rules file. 
> I do this so I have a somewhat clean snort.conf file
>  
> Is it a problem that I have all the so_rules in a single so.rules file?
>  
> Or do they need to be like this:
> include $SORULE_PATH/bad-traffic.rules
> include $SORULE_PATH/chat.rules
> include $SORULE_PATH/dos.rules
> include $SORULE_PATH/exploit.rules
> include $SORULE_PATH/imap.rules
> include $SORULE_PATH/misc.rules
> include $SORULE_PATH/multimedia.rules
> include $SORULE_PATH/netbios.rules
> include $SORULE_PATH/nntp.rules
> include $SORULE_PATH/p2p.rules
> include $SORULE_PATH/smtp.rules
> include $SORULE_PATH/sql.rules
> include $SORULE_PATH/web-client.rules
> include $SORULE_PATH/web-misc.rules
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
> Thanks,
> Andy Berryman
>  
> This message from Cymtec Systems, Inc. contains confidential information and is solely for the use of the 
> recipient(s) named above. If you are not the intended recipient or an agent responsible for delivering it to the 
> intended recipient, you are hereby notified that you have received this message in error and that any review, 
> disclosure, copying, distribution or use of the contents of this message is strictly prohibited. If you have received 
> this message in error, please destroy it immediately and notify Cymtec Systems, Inc. by telephone at +1.314.993.8700 
> or by return e-mail.
>  
> ------------------------------------------------------------------------------
> SOLARIS 10 is the OS for Data Centers - provides features such as DTrace,
> Predictive Self Healing and Award Winning ZFS. Get Solaris 10 NOW
> http://p.sf.net/sfu/solaris-dev2dev_______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Joel Esler
302-223-5974





------------------------------------------------------------------------------
SOLARIS 10 is the OS for Data Centers - provides features such as DTrace,
Predictive Self Healing and Award Winning ZFS. Get Solaris 10 NOW
http://p.sf.net/sfu/solaris-dev2dev

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users