Snort mailing list archives

Re: Snort not loading dynamic rules?


From: Seth Art <sethsec () gmail com>
Date: Fri, 12 Feb 2010 12:03:17 -0500

How about a feature request to show in that same output how many
shared object rules are running?  Right after the "preprocessor rules"
would be a good place I think.

When I first tested with so_rules last year I remember having similar
confusion.  I ended up doing exactly what Joel recommended here to
confirm that they were in fact loaded.

-Seth




On Thu, Feb 11, 2010 at 11:09 AM, Ryan Jordan
<ryan.jordan () sourcefire com> wrote:
I believe Dynamic rules have largely been replaced by rules with Flowbits.

On Wed, Feb 10, 2010 at 5:23 PM, Joel Esler <jesler () sourcefire com> wrote:
I think you pasted the same thing twice.
Dynamic rules, as listed below, are the "Activate/Dynamic" rules, not the
SO rules.  Therefore, if you don't have Dynamic rules, it will always read
0.  VRT ships zero Dynamic rules.  So, if you are running the VRT ruleset,
you will have 0 there.
Matter of fact, I don't think anyone ships dynamic rules.  I don't know
anyone that uses them.  (Not saying there isn't, I've just never run across
them.)
J
On Feb 10, 2010, at 5:01 PM, Andy Berryman wrote:

Commented out the so.rules and it worked for that.

Feb 10 21:25:44 (none) snort[28150]: +++++++++++++++++++++++++++++++++++++++++++++++++++
Feb 10 21:25:44 (none) snort[28150]: Initializing rule chains...
Feb 10 21:26:00 (none) snort[28150]: 5660 Snort rules read
Feb 10 21:26:00 (none) snort[28150]:     5418 detection rules
Feb 10 21:26:00 (none) snort[28150]:     65 decoder rules
Feb 10 21:26:00 (none) snort[28150]:     177 preprocessor rules
Feb 10 21:26:00 (none) snort[28150]: 5660 Option Chains linked into 595 Chain Headers
Feb 10 21:26:00 (none) snort[28150]: 0 Dynamic rules
Feb 10 21:26:00 (none) snort[28150]: +++++++++++++++++++


Commented back in:

Feb 10 21:25:44 (none) snort[28150]: +++++++++++++++++++++++++++++++++++++++++++++++++++
Feb 10 21:25:44 (none) snort[28150]: Initializing rule chains...
Feb 10 21:26:00 (none) snort[28150]: 5660 Snort rules read
Feb 10 21:26:00 (none) snort[28150]:     5418 detection rules
Feb 10 21:26:00 (none) snort[28150]:     65 decoder rules
Feb 10 21:26:00 (none) snort[28150]:     177 preprocessor rules
Feb 10 21:26:00 (none) snort[28150]: 5660 Option Chains linked into 595 Chain Headers
Feb 10 21:26:00 (none) snort[28150]: 0 Dynamic rules
Feb 10 21:26:00 (none) snort[28150]: +++++++++++++++++++


So, what you're getting at is the Dynamic rules will always show zero. Is
there a real way to tell if they were loaded? Or is that what commenting out
the stub rules (so_rules) does?

Andy

From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Wednesday, February 10, 2010 3:19 PM
To: Andy Berryman
Cc: snort-users () lists sourceforge net List
Subject: Re: [Snort-users] Snort not loading dynamic rules?

Andy,

Just talked to someone in dev.  The "Dynamic Rules" are the
'activate/dynamic' kind.  Which are not the Shared Object kind.

But to your below point, comment out the stub rules in your snort.conf.  The
lines you have that use "SORULE_PATH".

J

________________________________
This message from Cymtec Systems, Inc. contains confidential information and
is solely for the use of the recipient(s) named above. If you are not the
intended recipient or an agent responsible for delivering it to the intended
recipient, you are hereby notified that you have received this message in
error and that any review, disclosure, copying, distribution or use of the
contents of this message is strictly prohibited. If you have received this
message in error, please destroy it immediately and notify Cymtec Systems,
Inc. by telephone at +1.314.993.8700 or by return e-mail.
________________________________


--
Joel Esler
302-223-5974





------------------------------------------------------------------------------
SOLARIS 10 is the OS for Data Centers - provides features such as DTrace,
Predictive Self Healing and Award Winning ZFS. Get Solaris 10 NOW
http://p.sf.net/sfu/solaris-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
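The check Joel describes (compare the rule counts Snort prints at startup with and without the so_rules stub lines) can be automated. This is an added example, not code from anyone in the thread; it assumes that the SO stubs are ordinary rule lines and therefore appear in the "detection rules" counter, and the second snapshot is a constructed one, since Andy's two pastes are identical.

```python
import re

# Constructed sample: the startup excerpt Andy posted, with the wrapped line rejoined.
SNAPSHOT_WITH_STUBS = """\
Feb 10 21:25:44 (none) snort[28150]: Initializing rule chains...
Feb 10 21:26:00 (none) snort[28150]: 5660 Snort rules read
Feb 10 21:26:00 (none) snort[28150]:     5418 detection rules
Feb 10 21:26:00 (none) snort[28150]:     65 decoder rules
Feb 10 21:26:00 (none) snort[28150]:     177 preprocessor rules
Feb 10 21:26:00 (none) snort[28150]: 5660 Option Chains linked into 595 Chain Headers
Feb 10 21:26:00 (none) snort[28150]: 0 Dynamic rules
"""

# Constructed (hypothetical) second run with the so_rules stub lines commented out:
# 118 fewer detection rules, everything else unchanged.
SNAPSHOT_WITHOUT_STUBS = """\
Feb 10 21:40:02 (none) snort[28311]: 5542 Snort rules read
Feb 10 21:40:02 (none) snort[28311]:     5300 detection rules
Feb 10 21:40:02 (none) snort[28311]:     65 decoder rules
Feb 10 21:40:02 (none) snort[28311]:     177 preprocessor rules
Feb 10 21:40:02 (none) snort[28311]: 0 Dynamic rules
"""

COUNTERS = ("Snort rules read", "detection rules", "decoder rules",
            "preprocessor rules", "Dynamic rules")
COUNT_RE = re.compile(r"snort\[\d+\]:\s+(\d+) (" + "|".join(COUNTERS) + r")\b")

def parse_rule_counts(log_text):
    """Map each counter name Snort prints at startup to its integer value."""
    counts = {}
    for line in log_text.splitlines():
        m = COUNT_RE.search(line)
        if m:
            counts[m.group(2)] = int(m.group(1))
    return counts

def totals_consistent(counts):
    """'Snort rules read' is the sum of detection + decoder + preprocessor rules;
    'Dynamic rules' (the activate/dynamic kind) is a separate counter, not SO rules."""
    parts = ("detection rules", "decoder rules", "preprocessor rules")
    return counts.get("Snort rules read") == sum(counts.get(p, 0) for p in parts)

def compare_snapshots(with_stubs, without_stubs):
    """Per-counter delta (with - without). A positive 'detection rules' delta is the
    sign the stubs were parsed; all-zero deltas mean the two pastes prove nothing."""
    a, b = parse_rule_counts(with_stubs), parse_rule_counts(without_stubs)
    return {k: a.get(k, 0) - b.get(k, 0) for k in COUNTERS}
```

Note that "Dynamic rules" stays 0 in both runs, which is exactly why that line cannot be used to confirm SO rule loading.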

