Snort mailing list archives

Re: Unable to create stub so rules files


From: "C. L. Martinez" <carlopmart () gmail com>
Date: Tue, 27 Nov 2012 15:17:01 +0000

On Tue, Nov 27, 2012 at 3:01 PM, Peter Bates <peter.bates () ucl ac uk> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> Hello all
>
> On 27/11/2012 14:47, C. L. Martinez wrote:
>> Nop, every time pp runs, creates an empty so_rules.rules file with the
>> same error described above ...
>
> The same error will appear because PP tries to validate your Snort
> configuration file and also looks for certain settings in there
> (such as dynamicengine/dynamicdetection directory)
>
> If you comment out your rule include lines, does
>
> snort -i ethX -c /location/of/snort.conf -T
>
> run to completion?


Yes, it validates until the end:
Running in Test mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/data/config/etc/idpsnort01/snort.conf"
PortVar 'HTTP_PORTS' defined :  [ 80:81 311 383 591 593 901 1220 1414
1741 1830 2301 2381 2809 3128 3702 4343 4848 5250 7001 7145 7510 7777
7779 8000 8008 8014 8028 8080 8088 8090 8118 8123 8180:8181 8243 8280
8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999 11371 50002
55555 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
PortVar 'SSH_PORTS' defined :  [ 22 ]
PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
PortVar 'SIP_PORTS' defined :  [ 5060:5061 5600 ]
PortVar 'FILE_DATA_PORTS' defined :  [ 80:81 110 143 311 383 591 593
901 1220 1414 1741 1830 2301 2381 2809 3128 3702 4343 4848 5250 7001
7145 7510 7777 7779 8000 8008 8014 8028 8080 8088 8090 8118 8123
8180:8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443
9999 11371 50002 55555 ]
PortVar 'GTP_PORTS' defined :  [ 2123 2152 3386 ]
Detection:
   Search-Method = AC-Full-Q
    Split Any/Any group = enabled
    Search-Method-Optimizations = enabled
    Maximum pattern length = 20
Found profile_preprocs config directive (print 20, sort avg_ticks,
filename /tmp/idpsnort01_preprocs_20-avg_stats.log append)
Found profile_rules config directive (print 25, sort total_ticks,
filename /tmp/idpsnort01_rules_25-total_stats.log append)
Tagged Packet Limit: 256
Loading dynamic engine
/opt/snort/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic preprocessor libs from
/opt/snort/lib/snort_dynamicpreprocessor/...
  Loading dynamic preprocessor library
/opt/snort/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
done
  Loading dynamic preprocessor library
/opt/snort/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so... done
  Loading dynamic preprocessor library
/opt/snort/lib/snort_dynamicpreprocessor//libsf_imap_preproc.so...
done
  Loading dynamic preprocessor library
/opt/snort/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
done
  Loading dynamic preprocessor library
/opt/snort/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
  Loading dynamic preprocessor library
/opt/snort/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
  Loading dynamic preprocessor library
/opt/snort/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
  Loading dynamic preprocessor library
/opt/snort/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
done
  Loading dynamic preprocessor library
/opt/snort/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done
  Loading dynamic preprocessor library
/opt/snort/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so... done
  Loading dynamic preprocessor library
/opt/snort/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so...
done
  Loading dynamic preprocessor library
/opt/snort/lib/snort_dynamicpreprocessor//libsf_gtp_preproc.so... done
  Loading dynamic preprocessor library
/opt/snort/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so...
done
  Loading dynamic preprocessor library
/opt/snort/lib/snort_dynamicpreprocessor//libsf_dnp3_preproc.so...
done
  Finished Loading all dynamic preprocessor libs from
/opt/snort/lib/snort_dynamicpreprocessor/
Log directory = /nsm/sensor_data/idpsnort01
Frag3 global config:
    Max frags: 65536
    Fragment memory cap: 4194304 bytes
Frag3 engine config:
    Bound Address: default
    Target-based policy: WINDOWS
    Fragment timeout: 180 seconds
    Fragment min_ttl:   1
    Fragment Anomalies: Alert
...............................................

252 out of 1024 flowbits in use.

[ Port Based Pattern Matching Memory ]
+- [ Aho-Corasick Summary ] -------------------------------------
| Storage Format    : Full-Q
| Finite Automaton  : DFA
| Alphabet Size     : 256 Chars
| Sizeof State      : Variable (1,2,4 bytes)
| Instances         : 214
|     1 byte states : 199
|     2 byte states : 15
|     4 byte states : 0
| Characters        : 92644
| States            : 57697
| Transitions       : 4223962
| State Density     : 28.6%
| Patterns          : 6574
| Match States      : 6039
| Memory (MB)       : 30.00
|   Patterns        : 0.68
|   Match Lists     : 1.30
|   DFA
|     1 byte states : 1.23
|     2 byte states : 26.41
|     4 byte states : 0.00
+----------------------------------------------------------------
[ Number of patterns truncated to 20 bytes: 1099 ]

Packet Performance Monitor Config:
  ticks per usec  : 2411 ticks
  max packet time : 10000 usecs
  packet action   : fastpath-expensive-packets
  packet logging  : log
  debug-pkts      : disabled
pcap DAQ configured to passive.
Acquiring network traffic from "em5".

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.3.1 IPv6 GRE (Build 40) FreeBSD
   ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2012 Sourcefire, Inc., et al.
           Using libpcap version 1.3.0
           Using PCRE version: 8.31 2012-07-06
           Using ZLIB version: 1.2.7

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.16  <Build 18>
           Preprocessor Object: SF_DNP3 (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_MODBUS (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_GTP (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_REPUTATION (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_SIP (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_SDF (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_DCERPC2 (IPV6)  Version 1.0  <Build 3>
           Preprocessor Object: SF_SSLPP (IPV6)  Version 1.1  <Build 4>
           Preprocessor Object: SF_DNS (IPV6)  Version 1.1  <Build 4>
           Preprocessor Object: SF_SSH (IPV6)  Version 1.1  <Build 3>
           Preprocessor Object: SF_SMTP (IPV6)  Version 1.1  <Build 9>
           Preprocessor Object: SF_IMAP (IPV6)  Version 1.0  <Build 1>
           Preprocessor Object: SF_POP (IPV6)  Version 1.0  <Build 1>
           Preprocessor Object: SF_FTPTELNET (IPV6)  Version 1.2  <Build 13>

Snort successfully validated the configuration!
Snort exiting
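The reply above makes two points a sensor operator can check mechanically before running PulledPork: the snort.conf must carry the dynamicengine / dynamicdetection settings PP reads, and `snort -T` must run to completion. The following Python pre-flight script is an added example, not code from the thread or from the Snort or PulledPork projects. It parses a constructed snort.conf (the sample below is not the poster's file), expands `var` references in `include` lines, reports directives that are absent or point at missing paths, and recognises the success line that `snort -T` prints. The `exists` callback and the `snort_test_argv` helper are assumptions made here so the check can run offline.

```python
"""Pre-flight check of a snort.conf for PulledPork shared-object rule stubs.

Added example (not from the original thread). Assumptions: PulledPork needs the
dynamicengine and dynamicdetection directives to be present and resolvable, and
the success marker of `snort -T` is the line shown in the thread.
"""
import os
import re

# "dynamicengine /path/libsf_engine.so", "dynamicdetection directory /path",
# "dynamicpreprocessor directory /path"; the file/directory keyword is optional.
_DIRECTIVE_RE = re.compile(
    r"^\s*(dynamicengine|dynamicdetection|dynamicpreprocessor)\s+"
    r"(?:(?:directory|file)\s+)?(\S+)\s*$"
)
_VAR_RE = re.compile(r"^\s*var\s+(\S+)\s+(\S+)\s*$")
_INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)\s*$")
_REF_RE = re.compile(r"\$(\w+)")

SUCCESS_MARKER = "Snort successfully validated the configuration!"

# Constructed sample config; the dynamicdetection line is deliberately commented
# out to reproduce the failure mode discussed in the thread.
SAMPLE_CONF = """\
var RULE_PATH /data/config/etc/idpsnort01/rules
var SO_RULE_PATH /data/config/etc/idpsnort01/so_rules
dynamicpreprocessor directory /opt/snort/lib/snort_dynamicpreprocessor/
dynamicengine /opt/snort/lib/snort_dynamicengine/libsf_engine.so
# dynamicdetection directory /opt/snort/lib/snort_dynamicrules
include $RULE_PATH/local.rules
include $SO_RULE_PATH/so_rules.rules
"""


def parse_snort_conf(text):
    """Return (dynamic directives by name, expanded include paths)."""
    variables, dynamic, includes = {}, {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        m = _VAR_RE.match(line)
        if m:
            variables[m.group(1)] = m.group(2)
            continue
        m = _DIRECTIVE_RE.match(line)
        if m:
            dynamic.setdefault(m.group(1), []).append(m.group(2))
            continue
        m = _INCLUDE_RE.match(line)
        if m:
            # expand $RULE_PATH-style references; unknown names are left as-is
            expanded = _REF_RE.sub(lambda r: variables.get(r.group(1), r.group(0)), m.group(1))
            includes.append(expanded)
    return dynamic, includes


def preflight(conf_text, exists=os.path.exists):
    """List the problems PulledPork or `snort -T` would stumble over."""
    dynamic, includes = parse_snort_conf(conf_text)
    problems = []
    for directive in ("dynamicengine", "dynamicdetection"):
        if directive not in dynamic:
            problems.append("missing directive: " + directive)
    for paths in dynamic.values():
        for path in paths:
            if not exists(path):
                problems.append("path does not exist: " + path)
    for inc in includes:
        if not exists(inc):
            problems.append("include not found: " + inc)
    return problems


def snort_test_argv(conf_path, iface, snort="snort"):
    """argv for the validation run the thread suggests (assumed helper)."""
    return [snort, "-i", iface, "-c", conf_path, "-T"]


def snort_test_succeeded(output):
    """True when captured `snort -T` output contains the success line."""
    return SUCCESS_MARKER in output


if __name__ == "__main__":
    # Offline demo: pretend only the /opt/snort tree exists on this host.
    for problem in preflight(SAMPLE_CONF, exists=lambda p: p.startswith("/opt/snort")):
        print(problem)
    print(" ".join(snort_test_argv("/data/config/etc/idpsnort01/snort.conf", "em5")))
```

Run it against a real sensor by dropping the `exists` override so `os.path.exists` is consulted, then feed the captured output of the printed `snort -T` command to `snort_test_succeeded`; an empty problem list plus a true result is the state PulledPork expects before it can write the so_rules stub.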
