Snort mailing list archives
Re: Missing shared object files in snapshot download file
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Wed, 27 Aug 2014 14:00:58 +0000
Let me ask someone to take a look.. Thanks.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos

On Aug 26, 2014, at 11:55 PM, Y M <snort () outlook com> wrote:

Not hijacking this thread, just following up. The difference in the so rules is still there with the latest ruleset. Joel, is that something we have to worry about, or should we just move on?

[root@dev tmp]# md5sum 19_08_2014/snortrules-snapshot-2962.tar.gz
2b84e9aee0f2eaf32e51a1375ec824f5  19_08_2014/snortrules-snapshot-2962.tar.gz
[root@dev tmp]# md5sum 26_08_2014/snortrules-snapshot-2962.tar.gz
283485ed4ad59fab8aad91ffbb5c56da  26_08_2014/snortrules-snapshot-2962.tar.gz
[root@dev tmp]# ls -l 19_08_2014/snortrules-snapshot-2962.tar.gz
-rwxr--r--. 1 root root 33080965 Aug 27 06:42 19_08_2014/snortrules-snapshot-2962.tar.gz
[root@dev tmp]# ls -l 26_08_2014/snortrules-snapshot-2962.tar.gz
-rwxr--r--. 1 root root 25380209 Aug 27 06:43 26_08_2014/snortrules-snapshot-2962.tar.gz
[root@dev tmp]# ls -l 19_08_2014/so_rules/precompiled/RHEL-6-0/x86-64/2.9.6.2/
total 4104
-rwxr-xr-x. 1 1210 1210  85018 Aug 16 01:11 browser-ie.so
-rwxr-xr-x. 1 1210 1210  45453 Aug 16 01:11 browser-other.so
-rwxr-xr-x. 1 1210 1210  72645 Aug 16 01:11 browser-plugins.so
-rwxr-xr-x. 1 1210 1210  54282 Aug 16 01:11 exploit-kit.so
-rwxr-xr-x. 1 1210 1210  60975 Aug 16 01:11 file-executable.so
-rwxr-xr-x. 1 1210 1210  98278 Aug 16 01:11 file-flash.so
-rwxr-xr-x. 1 1210 1210 153859 Aug 16 01:11 file-image.so
-rwxr-xr-x. 1 1210 1210  45232 Aug 16 01:11 file-java.so
-rwxr-xr-x. 1 1210 1210 197997 Aug 16 01:11 file-multimedia.so
-rwxr-xr-x. 1 1210 1210 499589 Aug 16 01:11 file-office.so
-rwxr-xr-x. 1 1210 1210 124947 Aug 16 01:11 file-other.so
-rwxr-xr-x. 1 1210 1210  64942 Aug 16 01:11 file-pdf.so
-rwxr-xr-x. 1 1210 1210  47242 Aug 16 01:11 indicator-shellcode.so
-rwxr-xr-x. 1 1210 1210  82001 Aug 16 01:11 malware-cnc.so
-rwxr-xr-x. 1 1210 1210  66810 Aug 16 01:11 malware-other.so
-rwxr-xr-x. 1 1210 1210 172360 Aug 16 01:11 netbios.so
-rwxr-xr-x. 1 1210 1210  57895 Aug 16 01:11 os-linux.so
-rwxr-xr-x. 1 1210 1210  51362 Aug 16 01:11 os-other.so
-rwxr-xr-x. 1 1210 1210 655405 Aug 16 01:11 os-windows.so
-rwxr-xr-x. 1 1210 1210  67176 Aug 16 01:11 policy-social.so
-rwxr-xr-x. 1 1210 1210 179082 Aug 16 01:11 protocol-dns.so
-rwxr-xr-x. 1 1210 1210  46804 Aug 16 01:11 protocol-icmp.so
-rwxr-xr-x. 1 1210 1210  43592 Aug 16 01:11 protocol-nntp.so
-rwxr-xr-x. 1 1210 1210  55030 Aug 16 01:11 protocol-other.so
-rwxr-xr-x. 1 1210 1210  71616 Aug 16 01:11 protocol-snmp.so
-rwxr-xr-x. 1 1210 1210  75597 Aug 16 01:11 protocol-voip.so
-rwxr-xr-x. 1 1210 1210  42403 Aug 16 01:11 pua-p2p.so
-rwxr-xr-x. 1 1210 1210  49323 Aug 16 01:11 server-apache.so
-rwxr-xr-x. 1 1210 1210  75468 Aug 16 01:11 server-iis.so
-rwxr-xr-x. 1 1210 1210 127798 Aug 16 01:11 server-mail.so
-rwxr-xr-x. 1 1210 1210  44208 Aug 16 01:11 server-mysql.so
-rwxr-xr-x. 1 1210 1210  76595 Aug 16 01:11 server-oracle.so
-rwxr-xr-x. 1 1210 1210 475607 Aug 16 01:11 server-other.so
-rwxr-xr-x. 1 1210 1210  59178 Aug 16 01:11 server-webapp.so
[root@dev tmp]# ls -l 26_08_2014/so_rules/precompiled/RHEL-6-0/x86-64/2.9.6.2/
total 3596
-rwxr-xr-x. 1 1210 1210 314212 Aug  5 21:23 bad-traffic.so
-rwxr-xr-x. 1 1210 1210  63365 Aug  5 21:23 browser-ie.so
-rwxr-xr-x. 1 1210 1210  44885 Aug  5 21:23 chat.so
-rwxr-xr-x. 1 1210 1210 359561 Aug  5 21:23 dos.so
-rwxr-xr-x. 1 1210 1210 595735 Aug  5 21:23 exploit.so
-rwxr-xr-x. 1 1210 1210  64323 Aug  5 21:23 file-flash.so
-rwxr-xr-x. 1 1210 1210  46722 Aug  5 21:23 icmp.so
-rwxr-xr-x. 1 1210 1210  48974 Aug  5 21:23 imap.so
-rwxr-xr-x. 1 1210 1210 214644 Aug  5 21:23 misc.so
-rwxr-xr-x. 1 1210 1210  74443 Aug  5 21:23 multimedia.so
-rwxr-xr-x. 1 1210 1210 237225 Aug  5 21:23 netbios.so
-rwxr-xr-x. 1 1210 1210  43510 Aug  5 21:23 nntp.so
-rwxr-xr-x. 1 1210 1210  42379 Aug  5 21:23 p2p.so
-rwxr-xr-x. 1 1210 1210 145183 Aug  5 21:23 smtp.so
-rwxr-xr-x. 1 1210 1210  71525 Aug  5 21:23 snmp.so
-rwxr-xr-x. 1 1210 1210  74726 Aug  5 21:23 specific-threats.so
-rwxr-xr-x. 1 1210 1210  56905 Aug  5 21:23 web-activex.so
-rwxr-xr-x. 1 1210 1210 999507 Aug  5 21:23 web-client.so
-rwxr-xr-x. 1 1210 1210  45689 Aug  5 21:23 web-iis.so
-rwxr-xr-x. 1 1210 1210  99373 Aug  5 21:23 web-misc.so

YM

________________________________
From: snort () outlook com
To: greg.mcnathansonsnuf003 () gmx-topmail de
Date: Sun, 24 Aug 2014 14:16:17 +0000
CC: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Missing shared object files in snapshot download file

From: greg.mcnathansonsnuf003 () gmx-topmail de
To: snort () outlook com
CC: snort-users () lists sourceforge net
Subject: Aw: RE: [Snort-users] Missing shared object files in snapshot download file
Date: Sat, 23 Aug 2014 23:05:12 +0200

Ah ok, I see. Thank you for your help YM.

No problem! Can you verify at your end if you are seeing the same?
YM

Greg

Sent: Saturday, 23 August 2014 at 21:55
From: "Y M" <snort () outlook com>
To: "greg.mcnathansonsnuf003 () gmx-topmail de" <greg.mcnathansonsnuf003 () gmx-topmail de>
Cc: snort-users <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] Missing shared object files in snapshot download file

Which version/date of the rules are you running? The reason I am asking is this:

The ruleset released until 19 August contained the new shared object categories:

dev@box:/tmp# ls -l old/snortrules-snapshot-2962.tar.gz
-rwxrwxrwx 1 dev dev 33080965 Aug 21 10:34 snortrules-snapshot-2962.tar.gz
dev@box:/tmp$ md5sum old/snortrules-snapshot-2962.tar.gz
2b84e9aee0f2eaf32e51a1375ec824f5

The ruleset released on 21 August was stripped of these new shared object rules:

dev@box:/tmp# ls -l new/snortrules-snapshot-2962.tar.gz
-rwxrwxrwx 1 dev dev 25374704 Aug 21 10:34 snortrules-snapshot-2962.tar.gz
dev@box:/tmp$ md5sum new/snortrules-snapshot-2962.tar.gz
9ddb9552995f5c637d11d690623bf414 snortrules-snapshot-2962.tar.gz

Note the size difference. This is also evident if you list (ls -l) the so_rules directory of both rulesets. The old one definitely contains the categories as specified by the blog post; the newer one does not.

If your rule stubs are individually included in snort.conf rather than the all-in-one file (snort.rules) as generated by PulledPork, then the above could be the reason.

YM

From: greg.mcnathansonsnuf003 () gmx-topmail de
To: snort-users () lists sourceforge net
Date: Sat, 23 Aug 2014 19:48:30 +0200
Subject: [Snort-users] Missing shared object files in snapshot download file

I read about the reconstruction of shared object rules in the blog. So I'm confused about the missing file report (see below).

....
Aug 23 19:22:40 c1 snort[801]: FATAL ERROR: /etc/snort//etc/snort/so_rules/browser-other.rules(0) Unable to open rules file "/etc/snort//etc/snort/so_rules/browser-other.rules": No such file or directo
Aug 23 19:22:40 c1 snort[796]: Starting snort: [FAILED]
Aug 23 19:22:40 c1 snort[805]: Stopping snort: [FAILED]
Aug 23 19:22:40 c1 systemd[1]: Started Snort IDS system.
...

The stub file couldn't be generated because the browser-other.so file isn't delivered in the latest snapshot download file. There are more files missing, not only browser-other.so. I expected all files listed in the blog to be included in the snapshot download file. Is this a planned measurement of the reconstruction of shared object rules?

Greg

------------------------------------------------------------------------------
Slashdot TV. Video for Nerds. Stuff that matters. http://tv.slashdot.org/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
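As an added example, not code from the thread or from the Snort project: a POSIX shell check that lists the shared-object categories one snapshot ships but another does not, and flags snort.conf stub includes with no matching .so, which is the condition behind the FATAL ERROR quoted above. The platform path is taken from the listings in the thread; the snapshot directories and the snort.conf it runs against are constructed sample data.

```shell
#!/bin/sh
# Added example, not code from the thread: detect .so categories that an older
# Snort rule snapshot ships but a newer one does not, and find snort.conf includes
# of $SO_RULE_PATH stubs whose .so is absent (the cause of the fatal error above).
set -eu

# Platform subdirectory as listed in the thread; adjust for other builds.
PLATFORM_DIR="so_rules/precompiled/RHEL-6-0/x86-64/2.9.6.2"

# Print the category names (file name without .so) shipped under a snapshot root.
so_categories() {
    for f in "$1/$PLATFORM_DIR"/*.so; do
        [ -e "$f" ] || continue
        basename "$f" .so
    done | sort
}

# Categories present in the old snapshot root ($1) but missing from the new one ($2).
dropped_categories() {
    so_categories "$1" | while read -r name; do
        [ -e "$2/$PLATFORM_DIR/$name.so" ] || echo "$name"
    done
}

# Stub includes in a snort.conf ($1) whose .so is not in the snapshot root ($2).
unresolvable_includes() {
    sed -n 's/^include[[:space:]]*\$SO_RULE_PATH\/\(.*\)\.rules[[:space:]]*$/\1/p' "$1" |
    while read -r name; do
        [ -e "$2/$PLATFORM_DIR/$name.so" ] || echo "$name"
    done
}

# Constructed sample data (empty stand-ins for the .so files named in the listings).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/old/$PLATFORM_DIR" "$WORK/new/$PLATFORM_DIR"
for c in browser-ie browser-other file-flash netbios; do : > "$WORK/old/$PLATFORM_DIR/$c.so"; done
for c in browser-ie file-flash netbios web-client; do : > "$WORK/new/$PLATFORM_DIR/$c.so"; done
cat > "$WORK/snort.conf" <<'EOF'
var SO_RULE_PATH /etc/snort/so_rules
include $SO_RULE_PATH/browser-ie.rules
include $SO_RULE_PATH/browser-other.rules
include $RULE_PATH/local.rules
EOF

echo "Dropped between snapshots: $(dropped_categories "$WORK/old" "$WORK/new" | tr '\n' ' ')"
echo "Includes with no .so in new snapshot: $(unresolvable_includes "$WORK/snort.conf" "$WORK/new" | tr '\n' ' ')"
```

Point the two functions at the unpacked 19_08_2014 and 26_08_2014 trees and the live snort.conf to reproduce the comparison from the thread before restarting Snort.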
Current thread:
- Missing shared object files in snapshot download file greg . mcnathansonsnuf003 (Aug 23)
- Re: Missing shared object files in snapshot download file Y M (Aug 23)
- Re: Missing shared object files in snapshot download file greg . mcnathansonsnuf003 (Aug 23)
- Re: Missing shared object files in snapshot download file Y M (Aug 24)
- Re: Missing shared object files in snapshot download file Y M (Aug 26)
- Re: Missing shared object files in snapshot download file Joel Esler (jesler) (Aug 27)
- Re: Missing shared object files in snapshot download file greg . mcnathansonsnuf003 (Aug 23)
- Re: Missing shared object files in snapshot download file Y M (Aug 23)