Snort mailing list archives
Re: dynamic (so) rules
From: chris ryan <chris.ryan () gmx de>
Date: Tue, 01 Jul 2008 16:47:15 +0200
chris ryan wrote:
Just for curiosity, can anybody explain that to me?
Another related question is why the loaded(!) dynamic rules are not shown as active, while the corresponding libraries are (the path to the merged dynamic rules file is totally correct, and there is no error message at all):

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
4718 Snort rules read
    4527 detection rules
    57 decoder rules
    134 preprocessor rules
4718 Option Chains linked into 538 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

If I disable the loading of the dynamic rules in the snort.conf, but leave the libraries in, I get some of these error messages, so I guess the rules are loaded in my previous example:

DynamicPlugin: Rule [3:7019] not enabled in configuration, rule will not be used.
DynamicPlugin: Rule [3:8092] not enabled in configuration, rule will not be used.
DynamicPlugin: Rule [3:10127] not enabled in configuration, rule will not be used.

------------- snort startup -------------
Loading dynamic engine /usr/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic detection libs from /usr/lib/snort_dynamicrule...
  Loading dynamic detection library /usr/lib/snort_dynamicrule/misc.so... done
  Loading dynamic detection library /usr/lib/snort_dynamicrule/web-client.so... done
  Loading dynamic detection library /usr/lib/snort_dynamicrule/exploit.so... done
  Loading dynamic detection library /usr/lib/snort_dynamicrule/nntp.so... done
  Loading dynamic detection library /usr/lib/snort_dynamicrule/smtp.so... done
  Loading dynamic detection library /usr/lib/snort_dynamicrule/bad-traffic.so... done
  Loading dynamic detection library /usr/lib/snort_dynamicrule/netbios.so... done
  Loading dynamic detection library /usr/lib/snort_dynamicrule/dos.so... done
  Loading dynamic detection library /usr/lib/snort_dynamicrule/p2p.so... done
  Finished Loading all dynamic detection libs from /usr/lib/snort_dynamicrule
Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor...
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor/libsf_dcerpc_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so... done
  Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so... done
  Finished Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor
[...]
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
4718 Snort rules read
    4527 detection rules
    57 decoder rules
    134 preprocessor rules
4718 Option Chains linked into 538 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
[...]
        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.2.1 (Build 16)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2008 Sourcefire Inc., et al.
           Using PCRE version: 7.4 2007-09-21

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.8  <Build 14>
           Rules Object: p2p  Version 1.0  <Build 1>
           Rules Object: dos  Version 1.0  <Build 1>
           Rules Object: netbios  Version 1.0  <Build 1>
           Rules Object: bad-traffic  Version 1.0  <Build 1>
           Rules Object: smtp  Version 1.0  <Build 1>
           Rules Object: nntp  Version 1.0  <Build 1>
           Rules Object: exploit  Version 1.0  <Build 1>
           Rules Object: web-client  Version 1.0  <Build 1>
           Rules Object: misc  Version 1.0  <Build 1>
           Preprocessor Object: SF_FTPTELNET  Version 1.1  <Build 10>
           Preprocessor Object: SF_DNS  Version 1.1  <Build 2>
           Preprocessor Object: SF_DCERPC  Version 1.1  <Build 4>
           Preprocessor Object: SF_SSLPP  Version 1.0  <Build 1>
           Preprocessor Object: SF_SMTP  Version 1.1  <Build 7>
           Preprocessor Object: SF_SSH  Version 1.1  <Build 1>

---------- snort.conf ----------
# ===========================================
# Configure dynamic loaded libraries
# ===========================================
dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor
dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/lib/snort_dynamicrule

# ------------------------
# VRT DYNAMIC RULES
# ------------------------
# If your using the so rules you need to do something like the following
# cd into the so_rules directory where you built the so rules
# cat *.rules >> so-rules.rules
# cp to $RULE_PATH/so-rules.rules
# uncomment this line
include $RULE_PATH/so-rules.rules

# ------------------------
# PREPROCESSOR AND DECODER
# ------------------------
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules
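The startup output in the post reports "0 Dynamic rules" although every detection library loads, and the "Rule [3:xxxx] not enabled in configuration, rule will not be used" messages show that a library's rule is only used when its stub rule is present in the configuration. So the first thing to check is what the merged so-rules.rules include actually enables. The shell script below is an added example, not code from the original thread or from the Snort project: it performs the merge step from the snort.conf comment (cat *.rules into one file) and then counts how many stub rules in the result are enabled, how many are commented out, and which SIDs the enabled ones carry. The stub lines the demo writes are constructed samples, not VRT rules, and the directory names and function names (merge_so_stubs, count_enabled_stubs, count_disabled_stubs, list_enabled_sids) are assumptions.

```shell
#!/bin/sh
# Added example for the thread above, not code from the original post or from
# the Snort project. Merges so_rules stub files into one include file (the
# "cat *.rules >> so-rules.rules" step from the snort.conf comment) and reports
# what that file actually enables. The stub rules used by the demo are
# constructed samples, not VRT rules; all paths and names are assumptions.

# merge_so_stubs <so_rules_dir> <output_file>
# Concatenate every *.rules stub file in the directory into one include file.
merge_so_stubs() {
    so_dir=$1
    out_file=$2
    : > "$out_file"
    for stub in "$so_dir"/*.rules; do
        [ -f "$stub" ] || continue      # no stub files at all: leave the file empty
        cat "$stub" >> "$out_file"
    done
}

# A rule line starts with a Snort action keyword; a leading '#' means the stub
# is present in the file but disabled, so it cannot enable the library's rule.
RULE_ACTIONS='(alert|log|pass|drop|reject|sdrop)'

# count_enabled_stubs <rules_file>: stub rules that Snort will parse
count_enabled_stubs() {
    grep -c -E "^[[:space:]]*${RULE_ACTIONS}[[:space:]]" "$1" || true
}

# count_disabled_stubs <rules_file>: stub rules commented out with '#'
count_disabled_stubs() {
    grep -c -E "^[[:space:]]*#[[:space:]]*${RULE_ACTIONS}[[:space:]]" "$1" || true
}

# list_enabled_sids <rules_file>: the sid of every enabled stub, one per line
list_enabled_sids() {
    grep -E "^[[:space:]]*${RULE_ACTIONS}[[:space:]]" "$1" \
        | sed -n 's/.*sid:[[:space:]]*\([0-9][0-9]*\);.*/\1/p'
}

# Demo on constructed stub files: one file with an enabled and a commented-out
# stub, a second file with one more enabled stub.
run_demo() {
    work=$(mktemp -d)
    mkdir "$work/so_rules"
    cat > "$work/so_rules/web-client.rules" <<'EOF'
# constructed sample stubs, not VRT rules
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE so stub enabled"; flow:to_client,established; metadata:engine shared, soid 3|900001; sid:900001; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE so stub disabled"; flow:to_client,established; metadata:engine shared, soid 3|900002; sid:900002; rev:1;)
EOF
    cat > "$work/so_rules/netbios.rules" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE so stub enabled too"; flow:to_server,established; metadata:engine shared, soid 3|900003; sid:900003; rev:1;)
EOF
    merge_so_stubs "$work/so_rules" "$work/so-rules.rules"
    enabled=$(count_enabled_stubs "$work/so-rules.rules")
    echo "enabled stubs:  $enabled"
    echo "disabled stubs: $(count_disabled_stubs "$work/so-rules.rules")"
    echo "enabled sids:   $(list_enabled_sids "$work/so-rules.rules" | tr '\n' ' ')"
    if [ "$enabled" = "0" ]; then
        echo "no enabled stubs: the include file cannot activate any library rule"
    fi
    rm -rf "$work"
}

run_demo
```

Run it against the real so_rules directory by pointing merge_so_stubs at it and then comparing the enabled count with the "Dynamic rules" line Snort prints; an enabled count of zero, or a list of SIDs that does not contain the ones named in the DynamicPlugin messages, points at the include file rather than at the library loading.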
Current thread:
- dynamic (so) rules chris ryan (Jul 01)
- Re: dynamic (so) rules chris ryan (Jul 01)
- Re: dynamic (so) rules Nerijus Krukauskas (Jul 01)
- Message not available
- Re: dynamic (so) rules Nerijus Krukauskas (Jul 02)
- Re: dynamic (so) rules chris ryan (Jul 02)
- Re: dynamic (so) rules Nerijus Krukauskas (Jul 02)
- Re: dynamic (so) rules Nerijus Krukauskas (Jul 01)
- Re: dynamic (so) rules chris ryan (Jul 01)
- Re: dynamic (so) rules chris ryan (Jul 02)