Snort mailing list archives

Re: dump dynamic rules problem.


From: Husnu Demir <hdemir () metu edu tr>
Date: Wed, 23 Dec 2009 11:45:24 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yes, I tried that option also, but no luck. There are no rules files in the /tmp/ dir.

I used the *.rules files in the so_rules directory and ran snort; it gave me the
following result:

..
..

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.5.1 (Build 114)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2009 Sourcefire, Inc., et al.
           Using PCRE version: 7.6 2008-01-28

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.11  <Build 17>
           Rules Object: netbios  Version 1.0  <Build 1>
           Rules Object: imap  Version 1.0  <Build 1>
           Rules Object: web-client  Version 1.0  <Build 1>
           Rules Object: nntp  Version 1.0  <Build 1>
           Rules Object: dos  Version 1.0  <Build 1>
           Rules Object: smtp  Version 1.0  <Build 1>
           Rules Object: web-misc  Version 1.0  <Build 1>
           Rules Object: sql  Version 1.0  <Build 1>
           Rules Object: multimedia  Version 1.0  <Build 1>
           Rules Object: misc  Version 1.0  <Build 1>
           Rules Object: p2p  Version 1.0  <Build 1>
           Rules Object: web-activex  Version 1.0  <Build 1>
           Rules Object: chat  Version 1.0  <Build 1>
           Rules Object: exploit  Version 1.0  <Build 1>
           Rules Object: bad-traffic  Version 1.0  <Build 1>
           Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 2>
           Preprocessor Object: SF_SSH  Version 1.1  <Build 2>
           Preprocessor Object: SF_SSLPP  Version 1.1  <Build 3>
           Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 12>
           Preprocessor Object: SF_SMTP  Version 1.1  <Build 8>
           Preprocessor Object: SF_DNS  Version 1.1  <Build 3>
           Preprocessor Object: SF_Dynamic_Example_Preprocessor  Version 1.0  <Build 1>
           Preprocessor Object: SF_DCERPC  Version 1.1  <Build 5>


So it is working. But I could not dump the files, and there is no error.

Thanks.

hdemir.

Steven Sturges wrote:
Pretty sure you need an = between the option and the path, i.e.

/usr/local/snort-2.8.5.1/bin/snort --dump-dynamic-rules=/tmp/

Husnu Demir wrote:
Hi People,


/usr/local/snort-2.8.5.1/bin/snort --dump-dynamic-rules /tmp/ command is not
working properly.

/usr/local/snort-2.8.5.1/bin/snort --dump-dynamic-rules /tmp/
Running in Rule Dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Snort BPF option: /tmp
ERROR: snort.c(5049) Please specify the directory path for dumping the dynamic rules
Fatal Error, Quitting..



When I try

/usr/local/snort-2.8.5.1/bin/snort --dump-dynamic-rules=/tmp
Running in Rule Dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Dumping dynamic rules...
  Finished dumping dynamic rules.
Snort exiting

ls /tmp
total 0



My snort config ..

snips..
..

dynamicdetection directory /usr/local/snort-2.8.5.1/lib/snort_dynamicrules/
..


uname -a
Linux kaf 2.6.26-2-xen-amd64 #1 SMP Thu Nov 5 04:27:12 UTC 2009 x86_64 GNU/Linux

Also I used precompiled Ubuntu 8.04 rules.so.


Thanks.

hdemir.

I used


------------------------------------------------------------------------------
This SF.Net email is sponsored by the Verizon Developer Community
Take advantage of Verizon's best-in-class app development support
A streamlined, 14 day to market process makes app distribution fast and easy
Join now and get one step closer to millions of Verizon customers
http://p.sf.net/sfu/verizon-dev2dev



_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAksx5q4ACgkQHgR50XBBy+lOBQCgkT5GCaeB35Yl5dDkql1aAjdc
gWEAn0AV+xAn6F1FoVo2gIKG8wH/ohmq
=0PMB
-----END PGP SIGNATURE-----
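The thread shows two distinct failure modes of the rule dump: without the `=` the path is parsed as a BPF filter and Snort aborts with an error, while with the `=` the dump reports "Finished dumping dynamic rules." yet the directory stays empty. The following shell function is an added example, not part of the thread or of the Snort project; it wraps the dump in the form Steven recommends and then verifies that `.rules` files were actually written, so the silent case fails loudly in a script or a build job. The binary path, output directory and optional config file are parameters you supply; the `-c` config flag is Snort's own.

```shell
#!/bin/sh
# Added example (not from the thread): run Snort's rule dump and verify
# that it actually produced *.rules files, because the dump can report
# success while leaving the output directory empty.

dump_dynamic_rules() {
    # $1: path to the snort binary
    # $2: directory to dump the rules into
    # $3: (optional) snort.conf to pass with -c, so the dynamicdetection
    #     directives in it are used for the dump
    snort_bin="$1"
    outdir="$2"
    cfg="${3:-}"

    mkdir -p "$outdir" || return 2

    # Note the '=': "--dump-dynamic-rules /tmp/" (space, no '=') is taken as
    # a BPF filter and Snort exits with "Please specify the directory path".
    if [ -n "$cfg" ]; then
        "$snort_bin" -c "$cfg" --dump-dynamic-rules="$outdir" >/dev/null 2>&1 || return 2
    else
        "$snort_bin" --dump-dynamic-rules="$outdir" >/dev/null 2>&1 || return 2
    fi

    # Count regular *.rules files directly under the output directory.
    count=$(find "$outdir" -maxdepth 1 -type f -name '*.rules' | wc -l | tr -d ' ')
    if [ "$count" -eq 0 ]; then
        echo "dump exited 0 but no .rules files were written to $outdir" >&2
        return 1
    fi
    echo "$count rules file(s) written to $outdir"
    return 0
}

# Usage (paths are assumptions; adjust to your install):
#   dump_dynamic_rules /usr/local/snort-2.8.5.1/bin/snort /tmp/so_dump \
#       /usr/local/snort-2.8.5.1/etc/snort.conf
```

Return code 2 means the dump itself failed (the first failure mode in the thread), 1 means it "succeeded" without output (the second), 0 means files were produced; a cron job or CI step can branch on that instead of trusting the "Finished dumping dynamic rules." line.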
