Snort mailing list archives

Re: dynamic (so) rules


From: chris ryan <chris.ryan () gmx de>
Date: Tue, 01 Jul 2008 16:47:15 +0200

chris ryan wrote:
Just for curiosity, can anybody explain that to me?

Another related question is why the loaded(!) dynamic rules are not
shown as active, while the corresponding libraries are (the path to the
merged dynamic rules file is totally correct, and there is no error
message at all):

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
4718 Snort rules read
    4527 detection rules
    57 decoder rules
    134 preprocessor rules
4718 Option Chains linked into 538 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

If I disable the loading of the dynamic rules in the snort.conf, but
leave the libraries in, I get some of these error messages, so I guess
the rules are loaded in my previous example:

DynamicPlugin: Rule [3:7019] not enabled in configuration, rule will not be used.
DynamicPlugin: Rule [3:8092] not enabled in configuration, rule will not be used.
DynamicPlugin: Rule [3:10127] not enabled in configuration, rule will not be used.

-------------
snort startup
-------------

Loading dynamic engine /usr/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic detection libs from /usr/lib/snort_dynamicrule...
  Loading dynamic detection library /usr/lib/snort_dynamicrule/misc.so... done
  Loading dynamic detection library /usr/lib/snort_dynamicrule/web-client.so... done
  Loading dynamic detection library /usr/lib/snort_dynamicrule/exploit.so... done
  Loading dynamic detection library /usr/lib/snort_dynamicrule/nntp.so... done
  Loading dynamic detection library /usr/lib/snort_dynamicrule/smtp.so... done
  Loading dynamic detection library /usr/lib/snort_dynamicrule/bad-traffic.so... done
  Loading dynamic detection library /usr/lib/snort_dynamicrule/netbios.so... done
  Loading dynamic detection library /usr/lib/snort_dynamicrule/dos.so... done
  Loading dynamic detection library /usr/lib/snort_dynamicrule/p2p.so... done
  Finished Loading all dynamic detection libs from /usr/lib/snort_dynamicrule
Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor...
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor/libsf_dcerpc_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so... done
  Finished Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor

[...]

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
4718 Snort rules read
    4527 detection rules
    57 decoder rules
    134 preprocessor rules
4718 Option Chains linked into 538 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

[...]

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.2.1 (Build 16)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2008 Sourcefire Inc., et al.
           Using PCRE version: 7.4 2007-09-21

           Rules Engine: SF_SNORT_DETECTION_ENGINE
                         Version 1.8  <Build 14>
           Rules Object: p2p  Version 1.0  <Build 1>
           Rules Object: dos  Version 1.0  <Build 1>
           Rules Object: netbios  Version 1.0  <Build 1>
           Rules Object: bad-traffic  Version 1.0  <Build 1>
           Rules Object: smtp  Version 1.0  <Build 1>
           Rules Object: nntp  Version 1.0  <Build 1>
           Rules Object: exploit  Version 1.0  <Build 1>
           Rules Object: web-client  Version 1.0  <Build 1>
           Rules Object: misc  Version 1.0  <Build 1>
           Preprocessor Object: SF_FTPTELNET  Version 1.1  <Build 10>
           Preprocessor Object: SF_DNS  Version 1.1  <Build 2>
           Preprocessor Object: SF_DCERPC  Version 1.1  <Build 4>
           Preprocessor Object: SF_SSLPP  Version 1.0  <Build 1>
           Preprocessor Object: SF_SMTP  Version 1.1  <Build 7>
           Preprocessor Object: SF_SSH  Version 1.1  <Build 1>

----------
snort.conf
----------

# ===========================================
# Configure dynamic loaded libraries
# ===========================================

dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor
dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/lib/snort_dynamicrule


# ------------------------
# VRT DYNAMIC RULES
# ------------------------
# If you're using the so rules you need to do something like the following
# cd into the so_rules directory where you built the so rules
# cat *.rules >> so-rules.rules
# cp to $RULE_PATH/so-rules.rules
# uncomment this line

include $RULE_PATH/so-rules.rules

# ------------------------
# PREPROCESSOR AND DECODER
# ------------------------
 include $PREPROC_RULE_PATH/preprocessor.rules
 include $PREPROC_RULE_PATH/decoder.rules
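As an added diagnostic (not part of the post or of Snort itself), the script below cross-checks a merged so-rules.rules stub file against the startup messages quoted above: it counts the active stubs, reads the "N Dynamic rules" line, and separates SO rules that have an active stub yet are still reported "not enabled" from rejections that are expected because the stub is commented out or missing. The stub lines and log lines are constructed samples; the stub format (`sid:N; gid:3; ... metadata: engine shared, soid 3|N;`) is the one `snort --dump-dynamic-rules` writes.

```python
import re

# Constructed sample of a merged so-rules.rules stub file. SIDs 7019, 8092 and
# 10127 come from the post; the commented-out 12345 stub is made up.
SO_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"STUB A"; sid:7019; gid:3; rev:1; metadata: engine shared, soid 3|7019;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"STUB B"; sid:8092; gid:3; rev:1; metadata: engine shared, soid 3|8092;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"STUB C"; sid:10127; gid:3; rev:1; metadata: engine shared, soid 3|10127;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"STUB D"; sid:12345; gid:3; rev:1; metadata: engine shared, soid 3|12345;)
"""
# Constructed startup log: the lines quoted in the post plus one rejection
# for the disabled 12345 stub.
STARTUP_LOG = """\
0 Dynamic rules
DynamicPlugin: Rule [3:7019] not enabled in configuration, rule will not be used.
DynamicPlugin: Rule [3:10127] not enabled in configuration, rule will not be used.
DynamicPlugin: Rule [3:12345] not enabled in configuration, rule will not be used.
"""
ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop")

def parse_stubs(text):
    """(gid, sid) -> True if the stub is active, False if commented out."""
    stubs = {}
    for line in text.splitlines():
        body = line.strip().lstrip("# ")
        if not body.startswith(ACTIONS):
            continue                       # blank line or plain comment
        opts = dict(re.findall(r"\b(sid|gid):\s*(\d+)\s*;", body))
        if "sid" in opts and "gid" in opts:
            stubs[(int(opts["gid"]), int(opts["sid"]))] = not line.lstrip().startswith("#")
    return stubs

def parse_startup(log):
    # (gid, sid) pairs Snort rejected, and the "N Dynamic rules" count (or None)
    rejected = {(int(g), int(s)) for g, s in
                re.findall(r"DynamicPlugin: Rule \[(\d+):(\d+)\] not enabled", log)}
    count = re.search(r"^(\d+) Dynamic rules$", log, re.M)
    return rejected, (int(count[1]) if count else None)

def audit(so_rules, log):
    stubs = parse_stubs(so_rules)
    rejected, count = parse_startup(log)
    enabled = {k for k, active in stubs.items() if active}
    return {
        "stubs_enabled": len(enabled),
        "dynamic_rules_reported": count,
        # active stub present yet rejected: include not read, or stub/library mismatch
        "enabled_but_rejected": sorted(enabled & rejected),
        # rejection expected: stub commented out or absent from so-rules.rules
        "expected_rejections": sorted(rejected - enabled),
        "count_mismatch": count is not None and count != len(enabled),
    }
```

Run `audit(open("so-rules.rules").read(), open("snort-startup.log").read())` against your own files; a non-empty `enabled_but_rejected` list together with `count_mismatch` is the signature of the situation described in the post.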

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net