Snort mailing list archives

Re: FW: AW: Libovar Man info.


From: Rameez Qureshi <rameez_q () hotmail co uk>
Date: Thu, 10 Apr 2014 16:15:49 +0100

Hello

I've started my snort.conf from scratch and have an error 249: snort couldn't start dynamic module path dynamic rules.
I've taken the rules out and # them and that still produces the error. Where may I find this file? I have downloaded snort and 
the ruleset again and can't find the dynamic rules.

Thanks
Rameez 

Sent from my iPhone

On 10 Apr 2014, at 05:20 AM, "Y M" <snort () outlook com> wrote:

line 540 from your snort.conf file says:
 
include $RULE_PATH/usr/src/rulesfile-identify.rules
 
It is missing the "/" after the "rules", compared to the other include statements. Another note is that since your 
RULE_PATH variable is defined at the beginning of your snort.conf file, you just simply append the rule name to that 
variable, for example:
 
RULE_PATH /path/to/rules/
 
then your include statement would look something like:
 
include $RULE_PATH/local.rules
 
From: rameez_q () hotmail co uk
To: wkitty42 () windstream net
Date: Thu, 10 Apr 2014 01:59:04 +0100
CC: snort-users () lists sourceforge net
Subject: Re: [Snort-users] FW: AW: Libovar Man info.

the error I get is as follows:

root@kali:/usr/src# snort -dev -l ./log -h 192.168.0.10/24 -c snort.conf
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "snort.conf"
PortVar 'HTTP_PORTS' defined :  [ 36 80:90 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 
2231 2301 2381 2809 3029 3037 3057 3128 3443 3702 4000 4343 4848 5117 5250 6080 6173 6988 7000:7001 7071 7144:7145 
7510 7770 7777 7779 8000 8008 8014 8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8500 8509 
8800 8888 8899 9000 9060 9080 9090:9091 9111 9443 9999:10000 11371 12601 15489 29991 33300 34412 34443:34444 41080 
44449 50000 50002 51423 53331 55252 55555 56712 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
PortVar 'SSH_PORTS' defined :  [ 22 ]
PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
PortVar 'SIP_PORTS' defined :  [ 5060:5061 5600 ]
PortVar 'FILE_DATA_PORTS' defined :  [ 36 80:90 110 143 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 
1533 1741 1830 2231 2301 2381 2809 3029 3037 3057 3128 3443 3702 4000 4343 4848 5117 5250 6080 6173 6988 7000:7001 
7071 7144:7145 7510 7770 7777 7779 8000 8008 8014 8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 
8300 8500 8509 8800 8888 8899 9000 9060 9080 9090:9091 9111 9443 9999:10000 11371 12601 15489 29991 33300 34412 
34443:34444 41080 44449 50000 50002 51423 53331 55252 55555 56712 ]
PortVar 'GTP_PORTS' defined :  [ 2123 2152 3386 ]
ERROR: snort.conf(540) Undefined variable name: RULE_PATH.
Fatal Error, Quitting..

When I add a # before the rule path in line 540 of the snort.conf then it does not throw up any error, but it reads 0 
rules when initializing, as follows: 

root@kali:/usr/src# snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "snort.conf"
PortVar 'HTTP_PORTS' defined :  [ 36 80:90 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 1533 1741 1830 
2231 2301 2381 2809 3029 3037 3057 3128 3443 3702 4000 4343 4848 5117 5250 6080 6173 6988 7000:7001 7071 7144:7145 
7510 7770 7777 7779 8000 8008 8014 8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 8300 8500 8509 
8800 8888 8899 9000 9060 9080 9090:9091 9111 9443 9999:10000 11371 12601 15489 29991 33300 34412 34443:34444 41080 
44449 50000 50002 51423 53331 55252 55555 56712 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
PortVar 'SSH_PORTS' defined :  [ 22 ]
PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
PortVar 'SIP_PORTS' defined :  [ 5060:5061 5600 ]
PortVar 'FILE_DATA_PORTS' defined :  [ 36 80:90 110 143 311 383 555 591 593 631 801 808 818 901 972 1158 1220 1414 
1533 1741 1830 2231 2301 2381 2809 3029 3037 3057 3128 3443 3702 4000 4343 4848 5117 5250 6080 6173 6988 7000:7001 
7071 7144:7145 7510 7770 7777 7779 8000 8008 8014 8028 8080:8082 8085 8088 8090 8118 8123 8180:8181 8222 8243 8280 
8300 8500 8509 8800 8888 8899 9000 9060 9080 9090:9091 9111 9443 9999:10000 11371 12601 15489 29991 33300 34412 
34443:34444 41080 44449 50000 50002 51423 53331 55252 55555 56712 ]
PortVar 'GTP_PORTS' defined :  [ 2123 2152 3386 ]
Tagged Packet Limit: 256
Log directory = ./log

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
0 Snort rules read
    0 detection rules
    0 decoder rules
    0 preprocessor rules
0 Option Chains linked into 0 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

+-------------------[Rule Port Counts]---------------------------------------
|             tcp     udp    icmp      ip
|     src       0       0       0       0
|     dst       0       0       0       0
|     any       0       0       0       0
|      nc       0       0       0       0
|     s+d       0       0       0       0
+----------------------------------------------------------------------------

+-----------------------[detection-filter-config]------------------------------
| memory-cap : 1048576 bytes
+-----------------------[detection-filter-rules]-------------------------------
| none
-------------------------------------------------------------------------------

+-----------------------[rate-filter-config]-----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[rate-filter-rules]------------------------------------
| none
-------------------------------------------------------------------------------

+-----------------------[event-filter-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[event-filter-global]----------------------------------
+-----------------------[event-filter-local]-----------------------------------
| none
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order: activation->dynamic->pass->drop->sdrop->reject->alert->log
Verifying Preprocessor Configurations!
pcap DAQ configured to passive.
Acquiring network traffic from "eth0".
Reload thread starting...
Reload thread started, thread 0xb6cb8b70 (4388)
Decoding Ethernet

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.6.0 GRE (Build 47) 
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.2.1
           Using PCRE version: 8.30 2012-02-04
           Using ZLIB version: 1.2.7

Commencing packet processing (pid=4383)


I have attached my snort.conf 
Thanks
Rameez
 

Date: Wed, 9 Apr 2014 20:42:35 -0400
From: wkitty42 () windstream net
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] FW: AW: Libovar Man info.

On 4/9/2014 6:19 PM, Rameez Qureshi wrote:
for my snort.conf file, when taking the # out of the rule paths for rules and
for including individual rules it throws up an error, and this led me to taking
out the #, where snort seemed to fire correctly but did not load any rules

what error???

So I'm still stuck on how to load rules without getting any errors.
I have attached my snort.conf

Thanks
Rameez

Date: Wed, 9 Apr 2014 14:16:35 -0400
From: wkitty42 () windstream net
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] FW: AW: Libovar Man info.

On 4/9/2014 1:35 PM, Rameez Qureshi wrote:
Hello

There is only one config file. Am I correct in saying that the # comments
the files out and therefore I should take these out for part 7, 8 & 9?

YES! '#' are comment indicators... lines starting with them are commented out...

i was wondering why you had so many lines starting with '#' characters... in
effect you barely have a working config with it in its current state...



-- 
NOTE: No off-list assistance is given without prior approval.
Please keep mailing list traffic on the list unless
private contact is specifically requested and granted.

------------------------------------------------------------------------------
Put Bad Developers to Shame
Dominate Development with Jenkins Continuous Integration
Continuously Automate Build, Test & Deployment 
Start a new project now. Try Jenkins in the cloud.
http://p.sf.net/sfu/13600_Cloudbees
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
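The two failures in this thread (an include line that references RULE_PATH while the `var RULE_PATH` definition is commented out, producing "Undefined variable name: RULE_PATH", and a config that starts cleanly but reads 0 rules because no include line is active) can both be caught before launching Snort. The checker below is an added example written for this archive page; it is not Snort's own code and not from any poster. It assumes only the `var`/`ipvar`/`portvar` and `include $VAR/file.rules` syntax of the stock snort.conf, and the sample config it ships with is constructed to reproduce the thread's situation.

```python
"""Offline checker for snort.conf variable and include lines.

Added example (not Snort's own code): it walks a snort.conf, records
'var'/'ipvar'/'portvar' definitions, and reports include statements that
reference an undefined variable, mirroring Snort's startup error
"Undefined variable name: RULE_PATH". It also notes when the missing
variable is defined on a line that has been commented out with '#',
which is the situation described in the thread, and optionally checks
that each expanded include target exists on disk.
"""
import re
import sys
from pathlib import Path

# Syntax of the stock snort.conf: "var RULE_PATH ../rules", "include $RULE_PATH/x.rules"
VAR_RE = re.compile(r"^\s*(?:var|ipvar|portvar)\s+(\w+)\s+(.+?)\s*$")
INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)")
REF_RE = re.compile(r"\$(\w+)")


def check_snort_conf(text, base_dir=None):
    """Return a list of (line_number, message) findings for a snort.conf body.

    base_dir: directory used to resolve relative include targets; when None,
    the on-disk existence check is skipped so the function runs offline.
    """
    defined = {}         # variable name -> value
    commented_vars = {}  # variable name -> line number of a '#var ...' line
    findings = []
    include_count = 0

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # A line starting with '#' is a comment and Snort ignores it, but a
            # variable definition hidden this way is worth remembering for the hint.
            m = VAR_RE.match(line.lstrip("#"))
            if m:
                commented_vars[m.group(1)] = lineno
            continue
        m = VAR_RE.match(line)
        if m:
            defined[m.group(1)] = m.group(2)
            continue
        m = INCLUDE_RE.match(line)
        if not m:
            continue  # other directives (preprocessor, output, ...) are not checked here
        include_count += 1
        target = m.group(1)
        missing = [v for v in REF_RE.findall(target) if v not in defined]
        if missing:
            for v in missing:
                msg = f"Undefined variable name: {v}."
                if v in commented_vars:
                    msg += f" (defined on line {commented_vars[v]} but commented out)"
                findings.append((lineno, msg))
            continue
        expanded = REF_RE.sub(lambda mm: defined[mm.group(1)], target)
        if base_dir is not None:
            path = Path(expanded)
            if not path.is_absolute():
                path = Path(base_dir) / path
            if not path.is_file():
                findings.append((lineno, f"Include target does not exist: {path}"))

    if include_count == 0:
        # No active include line means Snort starts but reports "0 Snort rules read".
        findings.append((0, "No include statements: Snort would read 0 rules"))
    return findings


# Constructed sample modelled on the thread: the RULE_PATH definition is commented out.
SAMPLE_CONF = """\
# constructed snort.conf fragment
ipvar HOME_NET any
#var RULE_PATH ../rules
include $RULE_PATH/file-identify.rules
"""
FIXED_CONF = SAMPLE_CONF.replace("#var RULE_PATH", "var RULE_PATH")


def main(argv):
    """Usage: python check_snort_conf.py /etc/snort/snort.conf (no argument: run on the sample)."""
    if len(argv) < 2:
        conf_text, base_dir = SAMPLE_CONF, None
    else:
        conf_path = Path(argv[1])
        conf_text, base_dir = conf_path.read_text(), conf_path.parent
    for lineno, msg in check_snort_conf(conf_text, base_dir):
        print(f"snort.conf({lineno}) {msg}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it against a real file and relative include targets are resolved against the directory containing the config, which is what a `var RULE_PATH ../rules` line expects; an absolute RULE_PATH such as the one Y M suggests is used as-is. The "commented out" hint is the part that answers this thread directly: the fix is to uncomment the `var RULE_PATH` line rather than to comment out the include that uses it.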


