Snort mailing list archives

Re: Interesting observation with so rules


From: Y M <snort () outlook com>
Date: Fri, 11 Oct 2013 18:28:35 +0300

Hi James

Which version of pulledpork are you using?

Sent from Phone
________________________________
From: James Lay<mailto:jlay () slave-tothe-box net>
Sent: 10/11/2013 6:13 PM
To: Snort-users<mailto:snort-users () lists sourceforge net>
Subject: [Snort-users] Interesting observation with so rules

So here's what I got...a minimal config just for use with pulledpork:

var CONF_PATH /opt/etc/snort
var RULE_PATH /opt/etc/snort/rules
var LIB_PATH /usr/local/lib
var SORULE_PATH /opt/etc/snort/so_rules
var PREPROC_RULE_PATH $RULE_PATH/preproc_rules
var WHITE_LIST_PATH $RULE_PATH/iplists
var BLACK_LIST_PATH $RULE_PATH/iplists

dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/lib/snort_dynamicrules

include /opt/etc/snort/classification.config
include /opt/etc/snort/reference.config

include $SORULE_PATH/bad-traffic.rules


If I leave the bad-traffic.rules line and try to dump the stubs, here's
what I get:

/opt/bin/snort -c /opt/etc/snort/sid-msgmap.conf
--dump-dynamic-rules=/opt/etc/snort/so_rules/
Running in Rule Dump mode

         --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/opt/etc/snort/sid-msgmap.conf"
ERROR: /opt/etc/snort//opt/etc/snort/so_rules/bad-traffic.rules(0)
Unable to open rules file
"/opt/etc/snort//opt/etc/snort/so_rules/bad-traffic.rules": No such file
or directory.

Fatal Error, Quitting..

If I comment it out, everything works... is there something I'm totally
missing? Thanks for the assist, all... setting up a new machine and this
has me stumped.

James
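A pre-flight check for the include lines of a config like the one quoted above, added here as an example (it is not code from Snort or pulledpork). It expands `var` definitions, resolves relative includes against the config directory and leaves absolute ones untouched, then reports every include that cannot be opened; the sample config, the directory and the file names are constructed for the example.

```python
import os
import re
from pathlib import Path

# Constructed config mirroring the minimal snort.conf quoted in the thread
# (paths are assumptions for this example, not taken from a real host).
SAMPLE_CONF = """\
var CONF_PATH /opt/etc/snort
var RULE_PATH /opt/etc/snort/rules
var SORULE_PATH /opt/etc/snort/so_rules
var PREPROC_RULE_PATH $RULE_PATH/preproc_rules
include /opt/etc/snort/classification.config
include $SORULE_PATH/bad-traffic.rules
include $PREPROC_RULE_PATH/preprocessor.rules
include local.rules
"""

VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(\S+)\s*$")
INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)\s*$")


def expand(value, variables):
    """Replace every $NAME reference with its definition; unknown names stay as-is."""
    return re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), value)


def resolve_includes(conf_text, conf_dir):
    """Return [(raw include, resolved path)] for every include line.
    Relative includes are joined to the config directory; absolute ones are
    kept as written, so the config directory is never prepended twice."""
    variables = {}
    resolved = []
    for line in conf_text.splitlines():
        m = VAR_RE.match(line)
        if m:
            # Variables may reference earlier variables, so expand at definition time.
            variables[m.group(1)] = expand(m.group(2), variables)
            continue
        m = INCLUDE_RE.match(line)
        if m:
            path = expand(m.group(1), variables)
            if not os.path.isabs(path):
                path = os.path.join(conf_dir, path)
            resolved.append((m.group(1), os.path.normpath(path)))
    return resolved


def missing_includes(conf_text, conf_dir):
    """Resolved include paths that do not exist on disk; an empty list means all open."""
    return [p for _, p in resolve_includes(conf_text, conf_dir) if not Path(p).is_file()]


if __name__ == "__main__":
    for raw, path in resolve_includes(SAMPLE_CONF, "/opt/etc/snort"):
        state = "ok" if Path(path).is_file() else "MISSING"
        print(f"{state:8} {raw} -> {path}")
```

Run it against the real snort.conf (read the file and pass its directory as `conf_dir`) before invoking Snort with `--dump-dynamic-rules`, so a bad include is caught without waiting for the Rule Dump to fail.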

------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!