Snort mailing list archives

Re: ERROR: dynamic detection lib is compiled with an older version of the dynamic engine


From: waldo kitty <wkitty42 () windstream net>
Date: Sun, 18 Aug 2013 17:43:38 -0400

On 8/18/2013 17:06, Mike H wrote:
Ok--I removed the older version of snort using 'apt-get remove snort'.

 > with that said, you can use the older 2.9.5.2 rules snapshot... but as you are
 > seeing right now, you may not be able to use the compiled SO rules... as noted
 > previously, the textual rules are another matter and any snort can run them,
 > generally speaking... some options and features may need to be edited in them
 > but for the most part they are operable...

2950 are the latest posted--got those running (minus the SO rules, of course ;))

ok... i haven't checked to see what the actually available rules are ;)

 > when snort starts up it outputs a lot of data about its configuration... when in
 > daemon mode, this information is sent to syslog... on my ubuntu, this
 > information is found written to both /var/log/syslog and /var/log/daemon.log
 > files...

When I start snort, I get this:
[quote]
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
4065 Snort rules read
4065 detection rules
0 decoder rules
0 preprocessor rules
4065 Option Chains linked into 202 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
[/quote]

that looks "good"...

Is it "normal" to have no decoder or preprocessor rules? I do have a
preprocessor.rules file (with rules) in '/usr/local/snort/preproc_rules', which
is pointed to by the $PREPROC_RULE_PATH variable in my snort.conf.

well, having them available and them loading is one factor... the other is if 
they are actually enabled in your snort config file... we'd have to see that to 
be sure of much else...

 > so there you can see the number of rules loaded... if you want to test your
 > snort to be sure that it is actually seeing traffic, then you can start it in
 > "packet" mode where it will spew what it sees across the screen rather like
 > tcpdump... just run snort with no command line options... CTRL-C to terminate it...

Yep, getting packets!

excellent!

 > if you want to test that your snort is seeing traffic and will generate alerts,
 > let me know and i can post a rules file that will alert of most any/all
 > (standard) traffic... i've done this a couple of times in recent months and
 > there have been several threads where i've helped others with this... i'm fairly
 > sure that uncle google might even be able to point to them with appropriate
 > google-fu search terms... "local-test.rules snort-users" would be a good phrase
 > to start with, i think ;)

Found your test file (just googled site:seclists.org local-test.rules
snort-users). Loaded it and sure enough snort generated a bunch of alerts. So, I
guess I am up and running now.

yup! your snort is seeing traffic and it is snorting it up... that's how it 
should be... i'm guessing that you also disabled that local-test.rules set 
pretty quickly? i've seen it generate several thousand alerts in a very short 
time ;)

After doing some barnyard2 troubleshooting, the alerts are now showing up in
snort alert (though it is very slow). Now I just need to figure out how to clear
those test alerts out and I am going to try PulledPork, Base, Snorby, etc.
Thanks Waldo!

i don't run BY here so i'm not really all that up on it... if you peruse the 
past threads, though, you will find topics discussing removing the old test 
alerts...

i'm not sure about the speed of posting them to the database other than looking 
at basic database tuning operations... what is your database type? innodb or 
myisam? they each have their pluses and minuses... eg: innodb uses one large 
file for all the tables and needs more memory whereas myisam uses a lot of 
files, one per table, and doesn't have all the security stuff like transactions 
and rollbacks and such... myisam is faster than innodb but again, the tuning of 
the database config can help to alleviate a lot of that...

of course, another speed problem may be in where the database is located (eg: 
across the network or local on the same snorting machine) as well as if the 
machine(s) are multi-processor or multi-core and what CPU resources may be 
dedicated to the database function...

 > Date: Sun, 18 Aug 2013 13:35:58 -0400
 > From: wkitty42 () windstream net
 > To: snort-users () lists sourceforge net
 > Subject: Re: [Snort-users] ERROR: dynamic detection lib is compiled with an older version of the dynamic engine
 >
 > On 8/18/2013 11:15, Mike H wrote:
 > > Thanks. Semi-long post, but the summary is that your email states that I have to
 > > wait to get 2953, which are not available to "Registered Users" yet (VRT only,
 > > http://www.snort.org/snort-rules/). So I am stuck waiting until that is posted
 > > to load rules?
 >
 > no... not to load rules, really... possibly just the SO rules... but they can be
 > compiled locally... i did just that recently when i placed snort 2.9.5 into
 > service and used the 2.9.4.6 rules... the text rules should work just fine...
 > the SOes are another matter /because/ they are compiled...
 >
 > > Details and answers to your questions:
 > > > 1. where do you find these instructions?
 > > http://www.snort.org/assets/158/snortinstallguide293.pdf
 >
 > i'll have to take a look... i've never followed any snort installation
 > instructions written by anyone ;)
 >
 > > > 2. what version of snort are you running? snort -V
 > >
 > > * This yielded some interesting findings:
 > > o snort -V returned 2.9.2.2
 > > o But I installed 2.9.5.3?
 >
 > ewwwwoohhh... yeah, we've seen that in here in the last few months... basically
 > it is because the system was set up with snort installed from a package
 > distributed by the *nix distribution maintainers... then the user or admin
 > decides that it needs to be updated but since there's no newer release package
 > available from the distribution maintainers, the only real option is to build
 > snort from the sources... the assumption is that building from the sources will
 > install to the same place and in the same layout as what was installed from the
 > package... this assumption has bitten many in the past and will continue to bite
 > more in the future...
 >
 > > o 'whereis snort' returned: snort: /usr/sbin/snort /etc/snort /usr/lib/snort
 > > /usr/local/snort /usr/share/man/man8/snort.8.gz
 > > o But I installed snort in /usr/local/snort/bin; so, I run
 > > '/usr/local/snort/bin/snort -V' and sure enough version 2.9.5.3
 >
 > now you're on the trail of the lion ;)
 >
 > > o So I tried copying the Snort 2950 rules into my 'snort_dynamicrules/'
 > > directory, but a *similar* error. Which is to be expected since I
 > > wouldn't think a newer version of Snort would use an older engine, but
 > > who knows.
 > > o It turns out that the newer version of snort is more verbose in the
 > > error message:
 > > + Finished Loading all dynamic preprocessor libs from
 > > /usr/local/snort/lib/snort_dynamicpreprocessor/
 > > + ERROR: The dynamic detection library
 > > "/usr/local/snort/lib/snort_dynamicrules/nntp.so" version 1.0
 > > compiled with dynamic engine library *version 2.0* isn't compatible
 > > with the current dynamic engine library
 > > "/usr/local/snort/lib/snort_dynamicengine/libsf_engine.so" *version
 > > 2.1*
 > > * What is interesting here is even though the error says the rules are
 > > "version 1.0" it states they are compiled with a version 2.0 engine (not far
 > > from 2.1, which Snort 2.9.5.3. appears to be running).
 >
 > ahh yes... i wasn't sure about my previous pointing to 1.0 != 2.1 but it was
 > enough to make the point for clarification... yes, 2.0 != 2.1, too ;)
 >
 > > * I will have to figure out how to uninstall that older version of snort.
 >
 > it was probably installed by the package managers... try
 >
 > sudo apt-get remove snort
 >
 > or similar and see what happens... you may want a purge in there instead of
 > remove... purge will kill the tarball in your local repository, IIRC... check
 > the apt-get docs to be sure...
 >
 > > > 3. what specific linux are you running? is it really ubuntu 10.4?
 > > No, I am running Ubuntu 13.04. I used the 10.04 libraries per the instructions.
 > > I also tried the 12.04 precompiled rules with the same error. No other
 > > precompiled Ubuntu rules are distributed.
 >
 > ahhh...
 >
 > > > they have to be the ones for your version of snort... for example, you can't use
 > > > the 2.9.5.3 rules with 2.9.5.0... especially the SO rules and even more
 > > > especially if the SO engine(s) have changed...
 > > I find this statement particularly interesting. I understand SOs, so not really
 > > that part. But more the process of maintaining rules sets (compiled to SO
 > > libraries) separately for every version of snort. 2953 rules are currently only
 > > available to VRT (rather than Registered Users,
 > > http://www.snort.org/snort-rules/). Not sure why that is, but I am interpreting
 > > it to mean they won't be available to registered users for ~30 days. That means
 > > that a new user that just downloaded snort and wants rules only has 2 options:
 > >
 > > 1. Sign up and pay for VRT to get the latest rules
 > > 2. Wait ~30 days until the rules are available for their version
 >
 > right... those are the two options... the 30 day wait time is from the release of
 > the new rule(s)... so if rule 1:45678 is released on Aug 1, registered users can
 > get it until Aug 30 or 31... this is a monetizing factor... the snort/VRT folks
 > are a commercial entity... they also sell IDS/IPS hardware... so one can be a
 > paying subscriber (known as "subscriber") or one can be a registered free user
 > (known as "registered") or one can be totally unregistered and non-paying and
 > use only the rules released for their version in a one time pull...
 >
 > > That doesn't seem right--guessing I am either misunderstanding or the process is
 > > slightly broken? Alternatively, maybe Snort just hasn't compiled the older
 > > (i.e., register user) version of the latest rules for 2953 snort yet, but not
 > > sure why that would be.
 >
 > if you are just registered, then you have to wait the 30 days to pass from the
 > release of 2.9.5.3's rules... i don't know their exact date off the top of my
 > head but they should be available before much longer...
 >
 > with that said, you can use the older 2.9.5.2 rules snapshot... but as you are
 > seeing right now, you may not be able to use the compiled SO rules... as noted
 > previously, the textual rules are another matter and any snort can run them,
 > generally speaking... some options and features may need to be edited in them
 > but for the most part they are operable...
 >
 > > By the way, I ran snort for 10 hrs last night with 0 alerts. I actually tried to
 > > manually trigger some alerts like so:
 > > 1. wget http://cnn.com/cmd.exe
 > > 2. http://testmyids.com/
 > > 3. Pinging the snort server
 > >
 > > This was just based on some lazy googling, i'm not really sure there are even
 > > rules loaded for this by default and have not yet looked into the rules being
 > > loaded.
 >
 > when snort starts up it outputs a lot of data about its configuration... when in
 > daemon mode, this information is sent to syslog... on my ubuntu, this
 > information is found written to both /var/log/syslog and /var/log/daemon.log
 > files...
 >
 > grep -E "$(cat /etc/hostname) snort" /var/log/syslog
 >
 > OR
 >
 > grep -E "$(cat /etc/hostname) snort" /var/log/daemon.log
 >
 >
 > anyway, during the start up, you will see or find something like this...
 >
 > [quote]
 > +++++++++++++++++++++++++++++++++++++++++++++++++++
 > Initializing rule chains...
 >
 > 4343 Snort rules read
 > 3931 detection rules
 > 150 decoder rules
 > 262 preprocessor rules
 > 4343 Option Chains linked into 250 Chain Headers
 > 0 Dynamic rules
 > +++++++++++++++++++++++++++++++++++++++++++++++++++
 > [/quote]
 >
 > which tells us the number of rules being used... in the above, the detection
 > rules count appears to be both, text and SO, rules... while the SO rules are
 > also called "dynamic rules", they are not the same as the "Dynamic rules"
 > counted in the above... those are a different type of "dynamic" in that they are
 > not used until an enabling rule is triggered... then the related dynamic rule(s)
 > are turned on and may fire based on the data...
 >
 > so there you can see the number of rules loaded... if you want to test your
 > snort to be sure that it is actually seeing traffic, then you can start it in
 > "packet" mode where it will spew what it sees across the screen rather like
 > tcpdump... just run snort with no command line options... CTRL-C to terminate it...
 >
 > if you want to test that your snort is seeing traffic and will generate alerts,
 > let me know and i can post a rules file that will alert of most any/all
 > (standard) traffic... i've done this a couple of times in recent months and
 > there have been several threads where i've helped others with this... i'm fairly
 > sure that uncle google might even be able to point to them with appropriate
 > google-fu search terms... "local-test.rules snort-users" would be a good phrase
 > to start with, i think ;)
 >
 > > Thanks again!
 > >
 > >
 > > > Date: Sun, 18 Aug 2013 09:31:29 -0400
 > > > From: wkitty42 () windstream net
 > > > To: snort-users () lists sourceforge net
 > > > Subject: Re: [Snort-users] ERROR: dynamic detection lib is compiled with an older version of the dynamic engine
 > > >
 > > > On 8/18/2013 00:00, Mike H wrote:
 > > > > Thanks for the response Waldo, that did the trick! I deleted the rules and Snort
 > > > > runs fine. Seems so obvious now--files not compatible==>delete files :)
 > > >
 > > > pretty much... and the reasoning is twofold...
 > > >
 > > > 1. to remove incompatible files
 > > > 2. to remove possibly corrupted files that can be replaced
 > > >
 > > > now, something else is that i did get slightly confused... i was thinking of the
 > > > engine, reading "the rules" in your post but i was looking at the
 > > > preprocessors... in our past, we've had the situation where an update didn't
 > > > remove older libraries and that caused snort to fall over... the solution there
 > > > was to remove the libraries and reinstall snort to put only the new libraries it
 > > > needed in place... the SO rules are basically libraries... SO means shared
 > > > object which is basically the same thing as a dll (dynamic linked library) in
 > > > the winwhatever world...
 > > >
 > > > but, removing those incompatible rules is the answer because when you do locate
 > > > the proper ones, they may not have the same names or all of them may not be used
 > > > so older ones would be left behind...
 > > >
 > > > > According to your post this also puts the "newer and proper SO files back in
 > > > > place". I believe you are implying (or at least I am inferring) that the latest
 > > > > ruleset comes prepackaged with snort (where are those SO files?). Ok, makes
 > > > > sense--but the user still needs to update the rules at some point.
 > > >
 > > > no... there are no rules distributed /with/ snort... we must also note that
 > > > there is a difference between the rules and the engine... look closely at your
 > > > error and you'll see that it references both the engine and the rule...
 > > >
 > > > to be more specific, it is telling you that you are trying to run a SO rule that
 > > > is compiled for dynamic engine 1.0 but your snort is running dynamic engine
 > > > 2.1... 1.0 != 2.1 so they are incompatible...
 > > >
 > > > > So, if I am reading that right it means that I can't just go out to
 > > > > http://www.snort.org/snort-rules/, grab the latest "Registered User" rules and
 > > > > install them? That seems odd, am I missing something?
 > > >
 > > > they have to be the ones for your version of snort... for example, you can't use
 > > > the 2.9.5.3 rules with 2.9.5.0... especially the SO rules and even more
 > > > especially if the SO engine(s) have changed...
 > > >
 > > > > The Snort install instructions explicitly point you to download and install the
 > > > > latest rules, like so:
 > > > >
 > > > > sudo tar zxvf snortrules-snapshot-2950.tar.gz -C /usr/local/snort/
 > > > > sudo mkdir /usr/local/snort/lib/snort_dynamicrules/
 > > > > sudo cp /usr/local/snort/so_rules/precompiled/Ubuntu-10-4/i386/2.9.5.0/* \
 > > > > /usr/local/snort/lib/snort_dynamicrules/
 > > > > sudo touch /usr/local/snort/rules/white_list.rules
 > > > > sudo touch /usr/local/snort/rules/black_list.rules
 > > > > sudo ldconfig
 > > >
 > > > 1. where do you find these instructions?
 > > > 2. what version of snort are you running? snort -V
 > > > 3. what specific linux are you running? is it really ubuntu 10.4?
 > > >
 > > > > But that just takes me back to the same compatibility error below. I'm sure I am
 > > > > screwing something up here, just not sure what. Any thoughts on how I can get
 > > > > the latest rules from the website loaded?
 > > >
 > > > i don't think it is you but there is some miscommunication somewhere ;)
 > > >
 > > > > I was hoping to understand how to do this manually, then move on to installing
 > > > > Pulled Pork. Appreciate the help!
 > > >
 > > > not a problem... we'll get ya sorted out before too long :)
 > > >
 > > > > > Date: Sat, 17 Aug 2013 20:48:34 -0400
 > > > > > From: wkitty42 () windstream net
 > > > > > To: snort-users () lists sourceforge net
 > > > > > Subject: Re: [Snort-users] ERROR: dynamic detection lib is compiled with an older version of the dynamic engine
 > > > > >
 > > > > > On 8/17/2013 13:38, Michael Heard wrote:
 > > > > > > ERROR: Dynamic detection lib /usr/local/snort/lib/snort_dynamicrules/nntp.so 1.0
 > > > > > > isn't compatible with the current dynamic engine library
 > > > > > > /usr/local/snort/lib/snort_dynamicengine/libsf_engine.so 2.1.
 > > > > > > The dynamic detection lib is compiled with an older version of the dynamic engine.
 > > > > > > Fatal Error, Quitting..
 > > > > > >
 > > > > > > The error seems to indicate that I need a newer dynamic rule set that is
 > > > > > > compatible with the dynamicengine I am running.
 > > > > >
 > > > > > it is not just the rules set that must be compatible but also the shared so
 > > > > > dynamic engine files... shut down your snort, and remove the SO files in your
 > > > > > /usr/local/snort/lib/snort_dynamicengine/ directory... then reinstall snort to
 > > > > > put the newer and proper SO files back in place... then restart your snort and
 > > > > > you should be good to go... that is if i have grabbed the proper directory from
 > > > > > your post where the problem lies...



-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
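As an added example (not code from the thread or from the Snort project), a small POSIX shell diagnostic for the three things the thread circles around: the "Initializing rule chains" summary that daemon-mode snort writes to syslog (zero decoder/preprocessor rules), the "isn't compatible with the current dynamic engine library" error an SO rule built against an older engine produces, and a packaged /usr/sbin/snort shadowing a source-built /usr/local/snort/bin/snort. It assumes syslog lines of the form "<host> snort[<pid>]: ..." and that `snort -V` prints a line containing "Version"; the log excerpt, hostname and pid below are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or the Snort project.
# Assumes daemon-mode syslog lines "<host> snort[<pid>]: ..." (as on the
# poster's Ubuntu) and that `snort -V` prints a "Version x.y.z" line.

# rule_count LOGTEXT KIND -> count from the "Initializing rule chains" block.
# KIND is one of: detection, decoder, preprocessor, Dynamic (last block wins).
rule_count() {
    printf '%s\n' "$1" |
        sed -n "s/.*snort\[[0-9]*\]: *\([0-9][0-9]*\) $2 rules\$/\1/p" | tail -n 1
}

# engine_mismatch LOGTEXT -> one line per incompatible SO rule:
# "<library> <engine it was compiled against> <engine snort is running>"
engine_mismatch() {
    printf '%s\n' "$1" | sed -n \
        's/.*detection library "\([^"]*\)" version [0-9.]* compiled with dynamic engine library version \([0-9.]*\) isn.t compatible with the current dynamic engine library "[^"]*" version \([0-9.]*\).*/\1 \2 \3/p'
}

# snort_versions -> "<path> <version>" for every snort binary found, so a
# distro package in /usr/sbin shadowing a source build in /usr/local stands out.
snort_versions() {
    for bin in "$(command -v snort 2>/dev/null)" /usr/sbin/snort /usr/local/snort/bin/snort; do
        [ -n "$bin" ] && [ -x "$bin" ] || continue
        ver=$("$bin" -V 2>&1 | sed -n 's/.*Version \([0-9.]*\).*/\1/p' | head -n 1)
        printf '%s %s\n' "$bin" "${ver:-unknown}"
    done | sort -u
}

# Constructed syslog excerpt (hostname "sensor1" and pid 4242 are made up),
# modelled on the counts and error text quoted in the thread.
SAMPLE_LOG=$(cat <<'EOF'
Aug 18 17:40:01 sensor1 snort[4242]: Initializing rule chains...
Aug 18 17:40:01 sensor1 snort[4242]: 4065 Snort rules read
Aug 18 17:40:01 sensor1 snort[4242]:     4065 detection rules
Aug 18 17:40:01 sensor1 snort[4242]:     0 decoder rules
Aug 18 17:40:01 sensor1 snort[4242]:     0 preprocessor rules
Aug 18 17:40:01 sensor1 snort[4242]: 4065 Option Chains linked into 202 Chain Headers
Aug 18 17:40:01 sensor1 snort[4242]: 0 Dynamic rules
Aug 18 17:40:02 sensor1 snort[4242]: ERROR: The dynamic detection library "/usr/local/snort/lib/snort_dynamicrules/nntp.so" version 1.0 compiled with dynamic engine library version 2.0 isn't compatible with the current dynamic engine library "/usr/local/snort/lib/snort_dynamicengine/libsf_engine.so" version 2.1
EOF
)

# Report on the constructed excerpt; for a live box feed it the real log, e.g.
#   rule_count "$(grep 'snort\[' /var/log/syslog)" decoder
for kind in detection decoder preprocessor; do
    n=$(rule_count "$SAMPLE_LOG" "$kind")
    [ "${n:-0}" -eq 0 ] && echo "warning: no $kind rules loaded (check the include lines in snort.conf)"
done
engine_mismatch "$SAMPLE_LOG" | while read -r lib built running; do
    echo "remove $lib: built for engine $built, snort runs engine $running"
done
snort_versions
```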

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

