Snort mailing list archives
Rules updates and compile-time options
From: Ben Sansnom <bensansnom () gmail com>
Date: Fri, 13 Jan 2012 15:43:36 -0700
Hi All,

I have inherited a Snort system that is configured in a way quite foreign from what I've previously managed. It runs 2.9.1, with Oinkmaster updating, all on top of a Windows 2003 server (I'm stuck with Oinkmaster and Windows for the time being; this is the first time I've seen a Windows Snort config). I'm trying to untangle why the rules updating is erratic.

RULE_PATH = x:\snort\rules. Oinkmaster successfully retrieves the file, and writes and uncompresses it correctly in the TMP directory. However, within the /rules directory, only a handful of rules files are actually landing in there and the rest are never updated.

The first line of all of the handful of updated files contains the string "# Autogenerated skeleton rules file. Do NOT edit by hand". Those rule files, plus many others in the rules directory, contain significantly fewer signatures compared to what I see when manually using the oinkcode to fetch the VRT tarball. However, a number of the rules files (that are not updating) do begin with the typical:

"# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
#
# This file may contain proprietary rules that were created, tested and
# certified by Sourcefire, Inc. (the "VRT Certified Rules")" etc.

The updating has succeeded on these handful of files in timeframes ranging from a couple of days to a couple of weeks. But each time it does work, it always generates a file with the "#Autogenerated" string.

To me, it looks like the system is configured for shared objects. However, nothing in the snort.conf references that (all the dynamic library rules are commented out) and there is no so_rules directory on the server at all.

Is the assumption that shared objects are in play correct? Is the "#Autogenerated" string an indication that shared objects are in use? If that assumption is correct, how can I confirm that snort was compiled to use SO? Is something else going on here?
I'm happy to manually copy in all the rules files and simply restart the service, but I want to understand what is going on. Thanks, Ben
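The triage Ben describes doing by hand (checking which files in RULE_PATH start with the "# Autogenerated skeleton rules file" line, which carry the VRT copyright banner, and how many signatures each holds compared with a fresh unpack of the VRT tarball) can be scripted. The following Python is an added example for this page; it is not code from the thread, from Oinkmaster or from the Snort project. It assumes that shared-object stub rules carry gid:3 (text rules use gid:1) and that a rule line begins with a Snort action keyword, optionally commented out with `#`; the sample rule files it builds in a temporary directory are constructed for the demo and contain no real VRT content.

```python
"""Classify .rules files (SO skeleton stub / VRT text rules / other), count
active and commented-out signatures, and compare a live RULE_PATH against a
reference unpack of the VRT tarball.  Added example; sample data is
constructed below so the script runs offline."""
import os
import re
import tempfile

# Marker strings quoted in the post above.
SKELETON_MARKER = "# Autogenerated skeleton rules file"
VRT_MARKER = "This file may contain proprietary rules"

# A rule line (possibly commented out) starts with a Snort action keyword.
_RULE_RE = re.compile(
    r"^(?P<comment>#\s*)?"
    r"(?P<action>alert|log|pass|drop|reject|sdrop|activate|dynamic)\b"
)
# Assumption: stub rules for shared-object detectors carry gid:3.
_GID3_RE = re.compile(r"\bgid\s*:\s*3\s*;")


def inspect_rules_file(path):
    """Return (kind, active, commented, gid3) for one .rules file."""
    kind, active, commented, gid3 = "other", 0, 0, 0
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh):
            if lineno == 0 and line.startswith(SKELETON_MARKER):
                kind = "skeleton"
            elif kind == "other" and VRT_MARKER in line:
                kind = "vrt_text"
            m = _RULE_RE.match(line.lstrip())
            if m is None:
                continue
            if m.group("comment"):
                commented += 1
            else:
                active += 1
                if _GID3_RE.search(line):
                    gid3 += 1
    return kind, active, commented, gid3


def compare_rule_dirs(live_dir, ref_dir):
    """Map each .rules name in ref_dir to 'missing', 'skeleton', 'stale' or 'ok'.

    'skeleton': a text-rules file in ref has been replaced by an SO stub in live.
    'stale': the live copy has fewer active signatures than the reference.
    """
    report = {}
    for name in sorted(os.listdir(ref_dir)):
        if not name.endswith(".rules"):
            continue
        ref_kind, ref_active, _, _ = inspect_rules_file(os.path.join(ref_dir, name))
        live_path = os.path.join(live_dir, name)
        if not os.path.exists(live_path):
            report[name] = "missing"
            continue
        live_kind, live_active, _, _ = inspect_rules_file(live_path)
        if live_kind == "skeleton" and ref_kind != "skeleton":
            report[name] = "skeleton"
        elif live_active < ref_active:
            report[name] = "stale"
        else:
            report[name] = "ok"
    return report


# ---- constructed sample data (not real VRT content) ----------------------
VRT_HEADER = (
    "# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved\n#\n"
    "# This file may contain proprietary rules that were created, tested and\n"
    '# certified by Sourcefire, Inc. (the "VRT Certified Rules")\n'
)


def _text_rule(sid, comment=False):
    prefix = "# " if comment else ""
    return (f'{prefix}alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
            f'(msg:"constructed sample {sid}"; sid:{sid}; gid:1; rev:1;)\n')


def _so_stub(sid):
    return (f'alert ( msg:"constructed SO stub {sid}"; sid:{sid}; gid:3; rev:1; '
            f'metadata:engine shared, soid 3|{sid}; )\n')


def _write(dirpath, name, header, rules):
    with open(os.path.join(dirpath, name), "w", encoding="utf-8") as fh:
        fh.write(header)
        fh.writelines(rules)


def run_demo():
    """Build a live RULE_PATH and a reference unpack, then compare them."""
    live = tempfile.mkdtemp(prefix="live_rules_")
    ref = tempfile.mkdtemp(prefix="ref_rules_")
    # web-misc: the live copy is an old, shorter text-rules file
    _write(ref, "web-misc.rules", VRT_HEADER,
           [_text_rule(s) for s in range(1000, 1004)] + [_text_rule(1004, True)])
    _write(live, "web-misc.rules", VRT_HEADER,
           [_text_rule(s) for s in range(1000, 1002)] + [_text_rule(1002, True)])
    # exploit: the live copy has been overwritten by an SO skeleton stub
    _write(ref, "exploit.rules", VRT_HEADER, [_text_rule(s) for s in range(2000, 2003)])
    _write(live, "exploit.rules",
           "# Autogenerated skeleton rules file. Do NOT edit by hand\n",
           [_so_stub(20001), _so_stub(20002)])
    # dns: never landed in live at all; ftp: identical in both
    _write(ref, "dns.rules", VRT_HEADER, [_text_rule(3000), _text_rule(3001)])
    _write(ref, "ftp.rules", VRT_HEADER, [_text_rule(4000)])
    _write(live, "ftp.rules", VRT_HEADER, [_text_rule(4000)])
    report = compare_rule_dirs(live, ref)
    details = {n: inspect_rules_file(os.path.join(live, n)) for n in os.listdir(live)}
    return report, details


if __name__ == "__main__":
    rep, det = run_demo()
    for name, status in rep.items():
        print(f"{name:16s} {status:9s} live={det.get(name)}")
```

On the real box, call `compare_rule_dirs(r"x:\snort\rules", <path of the unpacked tarball in Oinkmaster's TMP dir>)` instead of `run_demo()`. A file reported as "skeleton" whose reference copy is an ordinary text-rules file is the exact symptom in the post: the stub produced for shared-object rules has landed under the name of a text-rules file, and every rule it holds references gid:3, which only matters if the matching shared-object libraries are actually loaded.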
Current thread:
- Rules updates and compile-time options Ben Sansnom (Jan 15)
- Re: Rules updates and compile-time options Joel Esler (Jan 29)