Snort mailing list archives

Re: Missing shared object files in snapshot download file


From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Wed, 27 Aug 2014 14:00:58 +0000

Let me ask someone to take a look..

Thanks.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos


On Aug 26, 2014, at 11:55 PM, Y M <snort () outlook com> wrote:

Not hijacking this thread, just following up. The difference in the so rules is still there with the latest ruleset.
Joel, is that something we have to worry about, or should we just move on?

[root@dev tmp]# md5sum 19_08_2014/snortrules-snapshot-2962.tar.gz
2b84e9aee0f2eaf32e51a1375ec824f5  19_08_2014/snortrules-snapshot-2962.tar.gz

[root@dev tmp]# md5sum 26_08_2014/snortrules-snapshot-2962.tar.gz
283485ed4ad59fab8aad91ffbb5c56da  26_08_2014/snortrules-snapshot-2962.tar.gz

[root@dev tmp]# ls -l 19_08_2014/snortrules-snapshot-2962.tar.gz
-rwxr--r--. 1 root root 33080965 Aug 27 06:42 19_08_2014/snortrules-snapshot-2962.tar.gz

[root@dev tmp]# ls -l 26_08_2014/snortrules-snapshot-2962.tar.gz
-rwxr--r--. 1 root root 25380209 Aug 27 06:43 26_08_2014/snortrules-snapshot-2962.tar.gz

[root@dev tmp]# ls -l 19_08_2014/so_rules/precompiled/RHEL-6-0/x86-64/2.9.6.2/
total 4104
-rwxr-xr-x. 1 1210 1210  85018 Aug 16 01:11 browser-ie.so
-rwxr-xr-x. 1 1210 1210  45453 Aug 16 01:11 browser-other.so
-rwxr-xr-x. 1 1210 1210  72645 Aug 16 01:11 browser-plugins.so
-rwxr-xr-x. 1 1210 1210  54282 Aug 16 01:11 exploit-kit.so
-rwxr-xr-x. 1 1210 1210  60975 Aug 16 01:11 file-executable.so
-rwxr-xr-x. 1 1210 1210  98278 Aug 16 01:11 file-flash.so
-rwxr-xr-x. 1 1210 1210 153859 Aug 16 01:11 file-image.so
-rwxr-xr-x. 1 1210 1210  45232 Aug 16 01:11 file-java.so
-rwxr-xr-x. 1 1210 1210 197997 Aug 16 01:11 file-multimedia.so
-rwxr-xr-x. 1 1210 1210 499589 Aug 16 01:11 file-office.so
-rwxr-xr-x. 1 1210 1210 124947 Aug 16 01:11 file-other.so
-rwxr-xr-x. 1 1210 1210  64942 Aug 16 01:11 file-pdf.so
-rwxr-xr-x. 1 1210 1210  47242 Aug 16 01:11 indicator-shellcode.so
-rwxr-xr-x. 1 1210 1210  82001 Aug 16 01:11 malware-cnc.so
-rwxr-xr-x. 1 1210 1210  66810 Aug 16 01:11 malware-other.so
-rwxr-xr-x. 1 1210 1210 172360 Aug 16 01:11 netbios.so
-rwxr-xr-x. 1 1210 1210  57895 Aug 16 01:11 os-linux.so
-rwxr-xr-x. 1 1210 1210  51362 Aug 16 01:11 os-other.so
-rwxr-xr-x. 1 1210 1210 655405 Aug 16 01:11 os-windows.so
-rwxr-xr-x. 1 1210 1210  67176 Aug 16 01:11 policy-social.so
-rwxr-xr-x. 1 1210 1210 179082 Aug 16 01:11 protocol-dns.so
-rwxr-xr-x. 1 1210 1210  46804 Aug 16 01:11 protocol-icmp.so
-rwxr-xr-x. 1 1210 1210  43592 Aug 16 01:11 protocol-nntp.so
-rwxr-xr-x. 1 1210 1210  55030 Aug 16 01:11 protocol-other.so
-rwxr-xr-x. 1 1210 1210  71616 Aug 16 01:11 protocol-snmp.so
-rwxr-xr-x. 1 1210 1210  75597 Aug 16 01:11 protocol-voip.so
-rwxr-xr-x. 1 1210 1210  42403 Aug 16 01:11 pua-p2p.so
-rwxr-xr-x. 1 1210 1210  49323 Aug 16 01:11 server-apache.so
-rwxr-xr-x. 1 1210 1210  75468 Aug 16 01:11 server-iis.so
-rwxr-xr-x. 1 1210 1210 127798 Aug 16 01:11 server-mail.so
-rwxr-xr-x. 1 1210 1210  44208 Aug 16 01:11 server-mysql.so
-rwxr-xr-x. 1 1210 1210  76595 Aug 16 01:11 server-oracle.so
-rwxr-xr-x. 1 1210 1210 475607 Aug 16 01:11 server-other.so
-rwxr-xr-x. 1 1210 1210  59178 Aug 16 01:11 server-webapp.so

[root@dev tmp]# ls -l 26_08_2014/so_rules/precompiled/RHEL-6-0/x86-64/2.9.6.2/
total 3596
-rwxr-xr-x. 1 1210 1210 314212 Aug  5 21:23 bad-traffic.so
-rwxr-xr-x. 1 1210 1210  63365 Aug  5 21:23 browser-ie.so
-rwxr-xr-x. 1 1210 1210  44885 Aug  5 21:23 chat.so
-rwxr-xr-x. 1 1210 1210 359561 Aug  5 21:23 dos.so
-rwxr-xr-x. 1 1210 1210 595735 Aug  5 21:23 exploit.so
-rwxr-xr-x. 1 1210 1210  64323 Aug  5 21:23 file-flash.so
-rwxr-xr-x. 1 1210 1210  46722 Aug  5 21:23 icmp.so
-rwxr-xr-x. 1 1210 1210  48974 Aug  5 21:23 imap.so
-rwxr-xr-x. 1 1210 1210 214644 Aug  5 21:23 misc.so
-rwxr-xr-x. 1 1210 1210  74443 Aug  5 21:23 multimedia.so
-rwxr-xr-x. 1 1210 1210 237225 Aug  5 21:23 netbios.so
-rwxr-xr-x. 1 1210 1210  43510 Aug  5 21:23 nntp.so
-rwxr-xr-x. 1 1210 1210  42379 Aug  5 21:23 p2p.so
-rwxr-xr-x. 1 1210 1210 145183 Aug  5 21:23 smtp.so
-rwxr-xr-x. 1 1210 1210  71525 Aug  5 21:23 snmp.so
-rwxr-xr-x. 1 1210 1210  74726 Aug  5 21:23 specific-threats.so
-rwxr-xr-x. 1 1210 1210  56905 Aug  5 21:23 web-activex.so
-rwxr-xr-x. 1 1210 1210 999507 Aug  5 21:23 web-client.so
-rwxr-xr-x. 1 1210 1210  45689 Aug  5 21:23 web-iis.so
-rwxr-xr-x. 1 1210 1210  99373 Aug  5 21:23 web-misc.so

YM
________________________________
From: snort () outlook com
To: greg.mcnathansonsnuf003 () gmx-topmail de
Date: Sun, 24 Aug 2014 14:16:17 +0000
CC: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Missing shared object files in snapshot download file



From: greg.mcnathansonsnuf003 () gmx-topmail de
To: snort () outlook com
CC: snort-users () lists sourceforge net
Subject: Re: RE: [Snort-users] Missing shared object files in snapshot download file
Date: Sat, 23 Aug 2014 23:05:12 +0200

Ah ok, I see.
Thank you for your help, YM.

No problem! Can you verify at your end if you are seeing the same?

YM


Greg



Sent: Saturday, 23 August 2014 at 21:55
From: "Y M" <snort () outlook com>
To: "greg.mcnathansonsnuf003 () gmx-topmail de" <greg.mcnathansonsnuf003 () gmx-topmail de>
Cc: snort-users <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] Missing shared object files in snapshot download file

Which version/date of the rules are you running?

The reason I am asking is this:

The ruleset released up to 19 August contained the new shared object categories:


dev@box:/tmp# ls -l old/snortrules-snapshot-2962.tar.gz
-rwxrwxrwx 1 dev dev 33080965 Aug 21 10:34 snortrules-snapshot-2962.tar.gz

dev@box:/tmp$ md5sum old/snortrules-snapshot-2962.tar.gz
2b84e9aee0f2eaf32e51a1375ec824f5

The ruleset released on 21 August was stripped of these new shared object rules:


dev@box:/tmp# ls -l new/snortrules-snapshot-2962.tar.gz
-rwxrwxrwx 1 dev dev 25374704 Aug 21 10:34 snortrules-snapshot-2962.tar.gz

dev@box:/tmp$ md5sum new/snortrules-snapshot-2962.tar.gz
9ddb9552995f5c637d11d690623bf414  snortrules-snapshot-2962.tar.gz

Note the size difference. This is also evident if you list (ls -l) the so_rules directory of both rulesets. The old
one definitely contains the categories as specified by the blog post; the newer one does not. If your rule stubs are
individually included in snort.conf rather than via the all-in-one file (snort.rules) generated by PulledPork, then the
above could be the reason.

YM


From: greg.mcnathansonsnuf003 () gmx-topmail de
To: snort-users () lists sourceforge net
Date: Sat, 23 Aug 2014 19:48:30 +0200
Subject: [Snort-users] Missing shared object files in snapshot download file

I read about the reconstruction of shared object rules in the blog. So I'm confused about the missing file report. 
(see below)

....
Aug 23 19:22:40 c1 snort[801]: FATAL ERROR: /etc/snort//etc/snort/so_rules/browser-other.rules(0) Unable to open 
rules file "/etc/snort//etc/snort/so_rules/browser-other.rules": No such file or directo
Aug 23 19:22:40 c1 snort[796]: Starting snort: [FAILED]
Aug 23 19:22:40 c1 snort[805]: Stopping snort: [FAILED]
Aug 23 19:22:40 c1 systemd[1]: Started Snort IDS system.
...

The stub file couldn't be generated because the browser-other.so file isn't delivered in the latest snapshot 
download file.
There are more files missing not only browser-other.so. I expected all files listed in the blog to be included in 
the snapshot download file.

Is this a planned measurement of the reconstruction of shared object rules?

Greg


------------------------------------------------------------------------------
Slashdot TV.
Video for Nerds. Stuff that matters.
http://tv.slashdot.org/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
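The checks in this thread are done by hand: md5sum of two snapshot tarballs, ls -l of the so_rules/precompiled directory, and then a FATAL ERROR at start-up once snort.conf includes a stub whose .so never shipped. The script below is an added example written for this archive page, not code from the thread or from the Snort project. It performs the same tarball and directory comparison programmatically and adds the pre-flight check Greg's error calls for: every $SO_RULE_PATH stub that snort.conf includes must have a matching .so in the snapshot that was actually unpacked. The two file listings, the snort.conf fragment and the /etc/snort paths are constructed for illustration and are not taken from the thread.

```python
"""Pre-flight check for Snort shared-object (SO) rule snapshots.

Added example for this list-archive page, not the thread's or Snort's own
code. Listings, the snort.conf fragment and paths below are constructed.
"""
import hashlib
import os
import re
import sys
from typing import Dict, Iterable, List, Set

# Constructed listings shaped like the two ls -l outputs in the thread:
# the earlier snapshot carries the new per-category .so files, the later
# one does not.
SNAPSHOT_19_AUG = ["browser-ie.so", "browser-other.so", "file-pdf.so", "os-windows.so"]
SNAPSHOT_26_AUG = ["browser-ie.so", "exploit.so", "web-client.so"]

# Constructed snort.conf fragment with stubs included individually
# (the layout YM says can break when a category disappears).
SNORT_CONF = """\
var SO_RULE_PATH /etc/snort/so_rules
include $SO_RULE_PATH/browser-ie.rules
include $SO_RULE_PATH/browser-other.rules
include $SO_RULE_PATH/file-pdf.rules
"""

# One stub include per line: "include $SO_RULE_PATH/<category>.rules"
INCLUDE_RE = re.compile(
    r"^\s*include\s+\$SO_RULE_PATH/([A-Za-z0-9_-]+)\.rules\s*$", re.MULTILINE
)


def so_categories(names: Iterable[str]) -> Set[str]:
    """Category names (file stems) of the .so files in a directory listing."""
    return {n[:-3] for n in names if n.endswith(".so")}


def category_diff(old: Iterable[str], new: Iterable[str]) -> Dict[str, List[str]]:
    """Which SO categories vanished from, or appeared in, the newer snapshot."""
    o, n = so_categories(old), so_categories(new)
    return {"removed": sorted(o - n), "added": sorted(n - o)}


def included_so_stubs(conf_text: str) -> List[str]:
    """Categories whose stub files snort.conf pulls in via $SO_RULE_PATH."""
    return INCLUDE_RE.findall(conf_text)


def missing_stubs(conf_text: str, snapshot_names: Iterable[str]) -> List[str]:
    """Included stubs for which the snapshot ships no .so.

    Snort cannot generate a stub without the .so, so each entry returned
    here is an include that will fail with "Unable to open rules file"
    at start-up, as in Greg's log.
    """
    have = so_categories(snapshot_names)
    return [c for c in included_so_stubs(conf_text) if c not in have]


def md5_hex(chunks: Iterable[bytes]) -> str:
    """Hex digest over a sequence of byte chunks; same value md5sum prints."""
    h = hashlib.md5()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def tarball_md5(path: str) -> str:
    """Stream a snapshot tarball through md5 without holding 30 MB in memory."""
    with open(path, "rb") as f:
        return md5_hex(iter(lambda: f.read(1 << 20), b""))


def list_so_dir(path: str) -> List[str]:
    """The .so files in a precompiled so_rules directory, sorted."""
    return sorted(n for n in os.listdir(path) if n.endswith(".so"))


if __name__ == "__main__":
    # Usage: so_check.py OLD_SO_DIR NEW_SO_DIR snort.conf [snapshot.tar.gz]
    if len(sys.argv) < 4:
        diff = category_diff(SNAPSHOT_19_AUG, SNAPSHOT_26_AUG)
        print("demo diff:", diff)
        print("demo missing stubs:", missing_stubs(SNORT_CONF, SNAPSHOT_26_AUG))
        sys.exit(0)
    old_dir, new_dir, conf = sys.argv[1:4]
    print("category diff:", category_diff(list_so_dir(old_dir), list_so_dir(new_dir)))
    with open(conf) as fh:
        gone = missing_stubs(fh.read(), list_so_dir(new_dir))
    print("stubs without a .so:", gone or "none")
    if len(sys.argv) > 4:
        print("tarball md5:", tarball_md5(sys.argv[4]))
    sys.exit(1 if gone else 0)
```

Run with no arguments to see the constructed demo; with two so_rules directories, a snort.conf and optionally the tarball, it exits non-zero when any included stub has no .so, which lets a rule-update job stop before it restarts Snort into the FATAL ERROR the thread shows.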

