Snort mailing list archives

Re: Interesting observation with so rules


From: Y M <snort () outlook com>
Date: Fri, 11 Oct 2013 16:01:12 +0000

I just noticed that you are manually dumping the rules and not from PulledPork; I was reading from my phone, sorry. The
reason I asked which version of PulledPork is because since v0.7.0, PulledPork dumps the rules into the same
snort.rules file, from pulledpork.conf:

##### Deprecated - The stubs are now categorically written to the single rule file!
# sostub_path=/usr/local/etc/snort/rules/so_rules.rules

Hence Snort is not able to find $SORULE_PATH/bad-traffic.rules. But I guess that's not the issue after all!

Thanks,
YM

To: snort-users () lists sourceforge net
Date: Fri, 11 Oct 2013 09:33:18 -0600
From: jlay () slave-tothe-box net
Subject: Re: [Snort-users] Interesting observation with so rules

On 2013-10-11 09:28, Y M wrote:
Hi James

 Which version of pulledpork are you using?

 Sent from Phone

Latest...0.7.0, however this happens when I try it manually, as per:

http://www.snort.org/snort-rules/shared-object-rules

But ultimately the goal is to have pp do it all..but I get the same 
error attempting to use pp, so eh..I think I need to at least be able to 
do it manually successfully first ;)  I have no idea why it's prepending 
the CONF_PATH with the SORULE_PATH..makes no sense :(  Thanks YM.

James


-------------------------
 From: James Lay
 Sent: 10/11/2013 6:13 PM
 To: Snort-users
 Subject: [Snort-users] Interesting observation with so rules

So here's what I got...a minimal config just for use with pulledpork:

 var CONF_PATH /opt/etc/snort
 var RULE_PATH /opt/etc/snort/rules
 var LIB_PATH /usr/local/lib
 var SORULE_PATH /opt/etc/snort/so_rules
 var PREPROC_RULE_PATH $RULE_PATH/preproc_rules
 var WHITE_LIST_PATH $RULE_PATH/iplists
 var BLACK_LIST_PATH $RULE_PATH/iplists

 dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor
 dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
 dynamicdetection directory /usr/local/lib/snort_dynamicrules

 include /opt/etc/snort/classification.config
 include /opt/etc/snort/reference.config

 include $SORULE_PATH/bad-traffic.rules

 If I leave the bad-traffic.rules line and try to dump the stubs, here's
 what I get:

 /opt/bin/snort -c /opt/etc/snort/sid-msgmap.conf --dump-dynamic-rules=/opt/etc/snort/so_rules/
 Running in Rule Dump mode

 --== Initializing Snort ==--
 Initializing Output Plugins!
 Initializing Preprocessors!
 Initializing Plug-ins!
 Parsing Rules file "/opt/etc/snort/sid-msgmap.conf"
 ERROR: /opt/etc/snort//opt/etc/snort/so_rules/bad-traffic.rules(0) Unable to open rules file
 "/opt/etc/snort//opt/etc/snort/so_rules/bad-traffic.rules": No such file or directory.

 Fatal Error, Quitting..

 If I comment it out, everything works....is there something I'm totally
 missing? Thanks for the assist all...setting up a new machine and this
 has me stumped.

 James



 _______________________________________________
 Snort-users mailing list
 Snort-users () lists sourceforge net
 Go to this URL to change user options or unsubscribe:
 https://lists.sourceforge.net/lists/listinfo/snort-users
 Snort-users list archive:
 http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

 Please visit http://blog.snort.org to stay current on all the latest Snort news!
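The check a practitioner would run before handing a config like the one above to snort, as an added example that is not code from this thread, from Snort or from PulledPork: the script below parses the var and include lines of the posted config, expands $VAR references, resolves relative includes against the directory of the config file, and reports every include whose target is absent. With PulledPork 0.7.0 writing the SO stubs into the single snort.rules file (YM's point), $SORULE_PATH/bad-traffic.rules is exactly the kind of include it flags. The config text, the config file name and the set of existing files are constructed from the post and embedded inline, so nothing on disk is read. The script also shows a second resolution order, testing the raw include token for a leading slash before expanding variables, only because that order reproduces the doubled path in the posted error character for character; the thread does not establish what this Snort build actually does internally, so treat that function as an illustration, not as Snort's parser.

```python
import os
import re

# Constructed sample: the minimal config posted in the thread, embedded as text.
SAMPLE_CONF = """\
var CONF_PATH /opt/etc/snort
var RULE_PATH /opt/etc/snort/rules
var LIB_PATH /usr/local/lib
var SORULE_PATH /opt/etc/snort/so_rules
var PREPROC_RULE_PATH $RULE_PATH/preproc_rules
var WHITE_LIST_PATH $RULE_PATH/iplists
var BLACK_LIST_PATH $RULE_PATH/iplists

dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/lib/snort_dynamicrules

include /opt/etc/snort/classification.config
include /opt/etc/snort/reference.config

include $SORULE_PATH/bad-traffic.rules
"""

# Constructed: the config file name from the post and a simulated filesystem.
# so_rules/ holds nothing because PulledPork 0.7.0 writes the SO stubs into the
# single snort.rules file; no real files are touched by this script.
SAMPLE_CONF_FILE = "/opt/etc/snort/sid-msgmap.conf"
SAMPLE_EXISTING = {
    "/opt/etc/snort/classification.config",
    "/opt/etc/snort/reference.config",
    "/opt/etc/snort/rules/snort.rules",
}

VAR_RE = re.compile(r"\$(\w+)")


def expand_vars(value, variables):
    """Replace every $NAME with its definition; an unknown name is an error."""
    def repl(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError("undefined variable $%s" % name)
        return variables[name]
    return VAR_RE.sub(repl, value)


def parse_conf(conf_text):
    """Return ({var name: expanded value}, [(line number, raw include path)])."""
    variables = {}
    includes = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 2)
        if parts[0] == "var" and len(parts) == 3:
            # A definition may reference earlier vars, so expand at definition time.
            variables[parts[1]] = expand_vars(parts[2], variables)
        elif parts[0] == "include" and len(parts) >= 2:
            includes.append((lineno, " ".join(parts[1:])))
    return variables, includes


def resolve_expand_first(raw_path, variables, conf_dir):
    """Expand $VARs, then prepend conf_dir only if the result is still relative."""
    path = expand_vars(raw_path, variables)
    return path if path.startswith("/") else conf_dir + "/" + path


def resolve_raw_first(raw_path, variables, conf_dir):
    """Test the unexpanded token for a leading '/', then expand $VARs.

    A token such as $SORULE_PATH/x.rules starts with '$', so it is treated as
    relative and conf_dir is joined onto what expands to an absolute path.
    Included only to show which ordering yields the doubled path in the
    posted error; not a claim about Snort's own parser."""
    path = raw_path if raw_path.startswith("/") else conf_dir + "/" + raw_path
    return expand_vars(path, variables)


def check_includes(conf_text, conf_file, existing_files):
    """Resolve each include (expand-first) and list the problems found for it."""
    conf_dir = os.path.dirname(conf_file)
    variables, includes = parse_conf(conf_text)
    report = []
    for lineno, raw in includes:
        resolved = resolve_expand_first(raw, variables, conf_dir)
        problems = []
        if "//" in resolved:
            problems.append("double slash: a directory was joined onto an absolute path")
        if resolved not in existing_files:
            problems.append("target does not exist")
        report.append((lineno, raw, resolved, problems))
    return report


if __name__ == "__main__":
    for lineno, raw, resolved, problems in check_includes(
            SAMPLE_CONF, SAMPLE_CONF_FILE, SAMPLE_EXISTING):
        status = "OK" if not problems else "; ".join(problems)
        print("line %d: include %s -> %s: %s" % (lineno, raw, resolved, status))
    variables, _ = parse_conf(SAMPLE_CONF)
    print("raw-first ordering gives:",
          resolve_raw_first("$SORULE_PATH/bad-traffic.rules", variables, "/opt/etc/snort"))
```

Run against the embedded sample, the two absolute includes resolve cleanly and the $SORULE_PATH include is reported as missing; swapping SAMPLE_EXISTING for a walk of the real /opt/etc/snort tree turns this into a pre-flight check for any Snort 2.x config. The raw-first function prints /opt/etc/snort//opt/etc/snort/so_rules/bad-traffic.rules, which is the string in the error above, so a doubled slash of that shape in a Snort error is a strong hint that the config directory was prepended to an include before the variable in it was expanded, whatever the reason in a given build.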

