Re: dump dynamic rules problem.

[Matt Watchinski <mwatchinski () sourcefire com>]

Maybe you truncated the following line in your previous email, but

/usr/local/snort-2.8.5.1/bin/snort --dump-dynamic-rules=/tmp

Snort doesn't know where the dynamic rules are if you don't give it a -c for
the snort.conf

snort -c snort.conf --dump-dynamic-rules=/tmp

Cheers,
-matt

2009/12/23 Husnu Demir <hdemir () metu edu tr>

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> /usr/local/snort-2.8.5.1/bin/snort -l /var/log/snort/ -c
> /usr/local/snort-2.8.5.1/etc/snort.conf -i eth0
>
>
> hdemir.
>
> PS: I gave the last output to show that it is working with the so_rules but
> did
> not dump the so_rules.
>
>
>
>
>
> Steven Sturges wrote:
> > What other command line arguments are you passing to snort?
> >
> > When Snort prints out the version information and related for each
> > of the various objects loaded, it is operating in its normal
> > run mode.
> >
> > Husnu Demir wrote:
> > > Yes I tried that option also, but no luck. There is no rules files in
> /tmp/ dir.
> > > I used the *.rules files in so_rules directory and run the snort; It
> gave me the
> > > following result;
> > >
> > > ..
> > > ..
> > >
> > >         --== Initialization Complete ==--
> > >
> > >    ,,_     -*> Snort! <*-
> > >   o"  )~   Version 2.8.5.1 (Build 114)
> > >    ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/snort/snort-team
> > >            Copyright (C) 1998-2009 Sourcefire, Inc., et al.
> > >            Using PCRE version: 7.6 2008-01-28
> > >
> > >            Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.11  <Build
> 17>
> > >            Rules Object: netbios  Version 1.0  <Build 1>
> > >            Rules Object: imap  Version 1.0  <Build 1>
> > >            Rules Object: web-client  Version 1.0  <Build 1>
> > >            Rules Object: nntp  Version 1.0  <Build 1>
> > >            Rules Object: dos  Version 1.0  <Build 1>
> > >            Rules Object: smtp  Version 1.0  <Build 1>
> > >            Rules Object: web-misc  Version 1.0  <Build 1>
> > >            Rules Object: sql  Version 1.0  <Build 1>
> > >            Rules Object: multimedia  Version 1.0  <Build 1>
> > >            Rules Object: misc  Version 1.0  <Build 1>
> > >            Rules Object: p2p  Version 1.0  <Build 1>
> > >            Rules Object: web-activex  Version 1.0  <Build 1>
> > >            Rules Object: chat  Version 1.0  <Build 1>
> > >            Rules Object: exploit  Version 1.0  <Build 1>
> > >            Rules Object: bad-traffic  Version 1.0  <Build 1>
> > >            Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 2>
> > >            Preprocessor Object: SF_SSH  Version 1.1  <Build 2>
> > >            Preprocessor Object: SF_SSLPP  Version 1.1  <Build 3>
> > >            Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 12>
> > >            Preprocessor Object: SF_SMTP  Version 1.1  <Build 8>
> > >            Preprocessor Object: SF_DNS  Version 1.1  <Build 3>
> > >            Preprocessor Object: SF_Dynamic_Example_Preprocessor  Version
> 1.0
> > > <Build 1>
> > >            Preprocessor Object: SF_DCERPC  Version 1.1  <Build 5>
> > >
> > >
> > > So it is working. BUt I could not dump the files. And there is no error.
> > >
> > > Thanks.
> > >
> > > hdemir.
> > >
> > > Steven Sturges wrote:
> > > > Pretty sure you need an = between the option and the path, ie.
> > > > /usr/local/snort-2.8.5.1/bin/snort --dump-dynamic-rules=/tmp/
> > > > Husnu Demir wrote:
> > > > > Hi People,
> > > > >
> > > > >
> > > > > /usr/local/snort-2.8.5.1/bin/snort --dump-dynamic-rules /tmp/ command
> is not
> > > > > working properly.
> > > > >
> > > > > /usr/local/snort-2.8.5.1/bin/snort --dump-dynamic-rules /tmp/
> > > > > Running in Rule Dump mode
> > > > >
> > > > >         --== Initializing Snort ==--
> > > > > Initializing Output Plugins!
> > > > > Snort BPF option: /tmp
> > > > > ERROR: snort.c(5049) Please specify the directory path for dumping the
> dynamic rules
> > > > > Fatal Error, Quitting..
> > > > >
> > > > >
> > > > >
> > > > > When I try
> > > > >
> > > > > /usr/local/snort-2.8.5.1/bin/snort --dump-dynamic-rules=/tmp
> > > > > Running in Rule Dump mode
> > > > >
> > > > >         --== Initializing Snort ==--
> > > > > Initializing Output Plugins!
> > > > > Dumping dynamic rules...
> > > > >   Finished dumping dynamic rules.
> > > > > Snort exiting
> > > > >
> > > > > ls /tmp
> > > > > total 0
> > > > >
> > > > >
> > > > >
> > > > > My snort config ..
> > > > >
> > > > > snips..
> > > > > ..
> > > > >
> > > > > dynamicdetection directory
> /usr/local/snort-2.8.5.1/lib/snort_dynamicrules/
> > > > > ..
> > > > >
> > > > >
> > > > > uname -a
> > > > > Linux kaf 2.6.26-2-xen-amd64 #1 SMP Thu Nov 5 04:27:12 UTC 2009 x86_64
> GNU/Linux
> > > > > Also I used precompiled Ubuntu 8.04 rules.so.
> > > > >
> > > > >
> > > > > Thanks.
> > > > >
> > > > > hdemir.
> > > > >
> > > > > I used
> ------------------------------------------------------------------------
> > > >
> ------------------------------------------------------------------------------
> > > > This SF.Net email is sponsored by the Verizon Developer Community
> > > > Take advantage of Verizon's best-in-class app development support
> > > > A streamlined, 14 day to market process makes app distribution fast and
> easy
> > > > Join now and get one step closer to millions of Verizon customers
> > > > http://p.sf.net/sfu/verizon-dev2dev
> > >
> > > >
> ------------------------------------------------------------------------
> > > > _______________________________________________
> > > > Snort-devel mailing list
> > > > Snort-devel () lists sourceforge net
> > > > https://lists.sourceforge.net/lists/listinfo/snort-devel
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iEYEARECAAYFAksyI9MACgkQHgR50XBBy+kRawCeJH/KLZOwZpCO9Ya2kUvD/Vp6
> hUYAoMto8OKe1+hMTaE7ziCaRDuYhk3V
> =xuTy
> -----END PGP SIGNATURE-----
>
>
> ------------------------------------------------------------------------------
> This SF.Net email is sponsored by the Verizon Developer Community
> Take advantage of Verizon's best-in-class app development support
> A streamlined, 14 day to market process makes app distribution fast and
> easy
> Join now and get one step closer to millions of Verizon customers
> http://p.sf.net/sfu/verizon-dev2dev
> _______________________________________________
> Snort-devel mailing list
> Snort-devel () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-devel


-- 
Matthew Watchinski
Sr. Director Vulnerability Research Team (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/

------------------------------------------------------------------------------
This SF.Net email is sponsored by the Verizon Developer Community
Take advantage of Verizon's best-in-class app development support
A streamlined, 14 day to market process makes app distribution fast and easy
Join now and get one step closer to millions of Verizon customers
http://p.sf.net/sfu/verizon-dev2dev

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel