Snort mailing list archives

Re: [Snort-sigs] VRT SO Rules for FreeBSD/amd64

From: Nigel Houghton <nhoughton () sourcefire com>
Date: Mon, 7 Feb 2011 14:22:01 -0500

On Mon, 7 Feb 2011 14:00:35 -0500, Michael Scheidell wrote:

this is why its so confusing.  and, I don't think this really works.  
I have tried, several times over the years, and gave up long ago on 
so_rules.

on the web site, it says: (is this wrong?)

Using VRT Certified Shared Object Rules
In order to instantiate shared object rules, a rule stub file is 
required. These stub files are not distributed in the VRT Certified 
rule packs, however they can be generated using snort.

Here is an example showing the pertinent configuration options in 
snort.conf along with the command line option required to generate 
the stub files. In some installations, the files may well reside in 
/etc/, this example uses /usr/local/etc as the location for the 
configuration files.
In snort.conf First set up some global variables:
var CONF_PATH /usr/local/etc/snort
var LIB_PATH /usr/local/lib
var SORULE_PATH $CONF_PATH/so_rules

Dynamic preprocessor and dynamic engine information:
dynamicpreprocessor directory $LIB_PATH/snort_dynamicpreprocessor
dynamicengine $LIB_PATH/snort_dynamicengine/libsf_engine.so

Here is the configuration option that lists the location of the 
shared object files that snort is to use:

dynamicdetection directory $LIB_PATH/snort_dynamicrule

Dumping the rules
To dump the rule stub files into the required location the 
--dump-dynamic-rules option is used like so:
snort -c /usr/local/etc/snort/snort.conf 
--dump-dynamic-rules=/usr/local/etc/snort/so_rules

This command tells snort to use the snort.conf file where it will 
find the dynamic rule files (thanks to the configuration options 
above) and then use those files to generate the stub files and put 
them into /usr/local/etc/snort/so_rules/
After this is complete, the rule files appear in the directory.
# ls /usr/local/etc/snort/so_rules/
bad-traffic.rules  imap.rules        nntp.rules  web-client.rules
chat.rules         misc.rules        p2p.rules   web-misc.rules
dos.rules          multimedia.rules  smtp.rules
exploit.rules      netbios.rules     sql.rules



I do that, and this happens:

scanner2.secnap.com# snort -c /usr/local/etc/snort/snort.conf 
--dump-dynamic-rules=/usr/local/etc/snort/so_rules
Running in Rule Dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/usr/local/etc/snort/snort.conf"

[snip]
WARNING: ip4 normalizations disabled because not inlineWARNING: tcp 
normalizations disabled because not inlineWARNING: icmp4 
normalizations disabled because not inlineFrag3 global config:
[snip]

Dumping dynamic rules...
  Finished dumping dynamic rules.
Snort exiting

scanner2.secnap.com# pwd
/usr/local/etc/snort

cd /usr/local/etc/snort/so_rules

scanner2.secnap.com# ls

cd /usr/local/etc/snort/so_rules
/usr/local/etc/snort/so_rules: No such file or directory.
scanner2.secnap.com# mkdir /usr/local/etc/snort/so_rules
scanner2.secnap.com# snort -c /usr/local/etc/snort/snort.conf 
--dump-dynamic-rules=/usr/local/etc/snort/so_rules
Running in Rule Dump mode

still nothing there.


We'll take a look at the --dump-dynamic-rules option.

The website text is out of date though, as part of the shared object 
rule build process, the rule stubs are generated and shipped with the 
tar balls. Have been for some time, it prevents the problems some folks 
were having when trying to dump so rule stubs or forgetting to do so.

That said, the option above should work.

--
Nigel Houghton
Head Mentalist
SF VRT Department of Intelligence Excellence
http://vrt-blog.snort.org/ && http://labs.snort.org/

------------------------------------------------------------------------------
The modern datacenter depends on network connectivity to access resources
and provide services. The best practices for maximizing a physical server's
connectivity to a physical network are well understood - see how these
rules translate into the virtual world? 
http://p.sf.net/sfu/oracle-sfdevnlfb
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

VRT SO Rules for FreeBSD/amd64 Ryan Steinmetz (Feb 07)
- Re: VRT SO Rules for FreeBSD/amd64 Nigel Houghton (Feb 07)
- Re: VRT SO Rules for FreeBSD/amd64 Michael Scheidell (Feb 07)
  - Re: VRT SO Rules for FreeBSD/amd64 matan monitz (Feb 07)
    - Re: VRT SO Rules for FreeBSD/amd64 Robert Z (Feb 07)
    - Re: VRT SO Rules for FreeBSD/amd64 Michael Scheidell (Feb 07)
    - Re: VRT SO Rules for FreeBSD/amd64 Robert Z (Feb 07)
    - Re: VRT SO Rules for FreeBSD/amd64 Nigel Houghton (Feb 07)
    - Re: VRT SO Rules for FreeBSD/amd64 Randal T. Rioux (Feb 07)
  - Message not available
    - Message not available
    - Message not available
    - Re: [Snort-sigs] VRT SO Rules for FreeBSD/amd64 Michael Scheidell (Feb 07)
    - Re: [Snort-sigs] VRT SO Rules for FreeBSD/amd64 Nigel Houghton (Feb 07)
    - Re: [Snort-sigs] VRT SO Rules for FreeBSD/amd64 Michael Scheidell (Feb 07)