Snort mailing list archives

Re: dump dynamic rules problem.


From: Steven Sturges <steve.sturges () sourcefire com>
Date: Wed, 23 Dec 2009 09:02:00 -0500

What other command line arguments are you passing to snort?

When Snort prints out the version information and related for each
of the various objects loaded, it is operating in its normal
run mode.

Husnu Demir wrote:
Yes, I tried that option also, but no luck. There are no rules files in the /tmp/ dir.

I used the *.rules files in the so_rules directory and ran snort; it gave me the
following result:

..
..

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.5.1 (Build 114)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2009 Sourcefire, Inc., et al.
           Using PCRE version: 7.6 2008-01-28

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.11  <Build 17>
           Rules Object: netbios  Version 1.0  <Build 1>
           Rules Object: imap  Version 1.0  <Build 1>
           Rules Object: web-client  Version 1.0  <Build 1>
           Rules Object: nntp  Version 1.0  <Build 1>
           Rules Object: dos  Version 1.0  <Build 1>
           Rules Object: smtp  Version 1.0  <Build 1>
           Rules Object: web-misc  Version 1.0  <Build 1>
           Rules Object: sql  Version 1.0  <Build 1>
           Rules Object: multimedia  Version 1.0  <Build 1>
           Rules Object: misc  Version 1.0  <Build 1>
           Rules Object: p2p  Version 1.0  <Build 1>
           Rules Object: web-activex  Version 1.0  <Build 1>
           Rules Object: chat  Version 1.0  <Build 1>
           Rules Object: exploit  Version 1.0  <Build 1>
           Rules Object: bad-traffic  Version 1.0  <Build 1>
           Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 2>
           Preprocessor Object: SF_SSH  Version 1.1  <Build 2>
           Preprocessor Object: SF_SSLPP  Version 1.1  <Build 3>
           Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 12>
           Preprocessor Object: SF_SMTP  Version 1.1  <Build 8>
           Preprocessor Object: SF_DNS  Version 1.1  <Build 3>
           Preprocessor Object: SF_Dynamic_Example_Preprocessor  Version 1.0  <Build 1>
           Preprocessor Object: SF_DCERPC  Version 1.1  <Build 5>


So it is working. But I could not dump the files. And there is no error.

Thanks.

hdemir.

Steven Sturges wrote:
Pretty sure you need an = between the option and the path, i.e.

/usr/local/snort-2.8.5.1/bin/snort --dump-dynamic-rules=/tmp/

Husnu Demir wrote:
Hi People,


/usr/local/snort-2.8.5.1/bin/snort --dump-dynamic-rules /tmp/ command is not
working properly.

/usr/local/snort-2.8.5.1/bin/snort --dump-dynamic-rules /tmp/
Running in Rule Dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Snort BPF option: /tmp
ERROR: snort.c(5049) Please specify the directory path for dumping the dynamic rules
Fatal Error, Quitting..



When I try

/usr/local/snort-2.8.5.1/bin/snort --dump-dynamic-rules=/tmp
Running in Rule Dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Dumping dynamic rules...
  Finished dumping dynamic rules.
Snort exiting

ls /tmp
total 0



My snort config ..

snips..
..

dynamicdetection directory /usr/local/snort-2.8.5.1/lib/snort_dynamicrules/
..


uname -a
Linux kaf 2.6.26-2-xen-amd64 #1 SMP Thu Nov 5 04:27:12 UTC 2009 x86_64 GNU/Linux

Also I used precompiled Ubuntu 8.04 rules.so.


Thanks.

hdemir.

I used
------------------------------------------------------------------------

------------------------------------------------------------------------------
This SF.Net email is sponsored by the Verizon Developer Community
Take advantage of Verizon's best-in-class app development support
A streamlined, 14 day to market process makes app distribution fast and easy
Join now and get one step closer to millions of Verizon customers
http://p.sf.net/sfu/verizon-dev2dev


------------------------------------------------------------------------

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
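The failure in this thread is silent: snort reports "Finished dumping dynamic rules" and exits cleanly while the target directory stays empty. The script below is an added example, not code from the thread or from the Snort project. It wraps the dump in the `=` form (the first error above shows that a bare path after the option is consumed as a BPF filter), checks that the dynamicdetection directory from the posted config actually holds shared objects before dumping, and treats "no *.rules stubs written" as an error. The SNORT, SNORT_CONF and DUMP_DIR defaults are assumptions, as is passing the config with -c so that the dynamicdetection directory is loaded before the dump; only the snort binary and the dynamicdetection path come from the thread.

```shell
#!/bin/sh
# Added example: verify a Snort --dump-dynamic-rules run instead of trusting
# its "Finished dumping dynamic rules" message. Not from the original post.

# Paths: the binary and DYNDET_DIR appear in the thread; the other three are
# hypothetical defaults, override them via the environment.
SNORT="${SNORT:-/usr/local/snort-2.8.5.1/bin/snort}"
SNORT_CONF="${SNORT_CONF:-/usr/local/snort-2.8.5.1/etc/snort.conf}"
DYNDET_DIR="${DYNDET_DIR:-/usr/local/snort-2.8.5.1/lib/snort_dynamicrules/}"
DUMP_DIR="${DUMP_DIR:-/tmp/so_stubs}"

# count_files DIR GLOB: number of regular files in DIR matching GLOB (0 if none).
count_files() {
    dir="$1"; pat="$2"; n=0
    for f in "$dir"/$pat; do
        [ -f "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# check_sources DIR: 0 if DIR holds at least one .so the dump can read, else 1.
# An empty or mismatched dynamicdetection directory yields a clean, empty dump.
check_sources() {
    dir="$1"
    [ -d "$dir" ] || { echo "dynamicdetection directory missing: $dir" >&2; return 1; }
    if [ "$(count_files "$dir" '*.so')" -eq 0 ]; then
        echo "no .so files in $dir, nothing to dump" >&2
        return 1
    fi
    return 0
}

# check_dump DIR: 0 if DIR holds at least one non-empty *.rules stub, else 1.
check_dump() {
    dir="$1"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    if [ "$(count_files "$dir" '*.rules')" -eq 0 ]; then
        echo "dump produced no *.rules files in $dir" >&2
        return 1
    fi
    for f in "$dir"/*.rules; do
        [ -s "$f" ] || { echo "empty stub file: $f" >&2; return 1; }
    done
    return 0
}

# dump_stubs: run the dump with the '=' form, then verify the result.
dump_stubs() {
    check_sources "$DYNDET_DIR" || return 1
    mkdir -p "$DUMP_DIR" || return 1
    "$SNORT" -c "$SNORT_CONF" --dump-dynamic-rules="$DUMP_DIR" || return 1
    check_dump "$DUMP_DIR"
}

# Run the dump only when invoked as "script run", so the functions can be sourced.
if [ "${1:-}" = "run" ]; then
    dump_stubs
fi
```

Run it as `sh dump_check.sh run`; a non-zero exit means either the library directory had nothing to dump or the dump finished without writing stubs, which is exactly the situation the thread describes.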

