Snort mailing list archives
Regarding dynamic (so_rules) rules
From: Dheeraj Gupta <dheeraj.gupta4 () gmail com>
Date: Thu, 12 May 2011 15:11:56 +0530
Hi,

I am sorry if this has been answered before, but I really couldn't find an appropriate answer to a host of troubles I am having. I can't seem to trigger dynamic rules for my snort installation.

I configure snort with

    ./configure --with-mysql --enable-zlib --enable-decoder-preprocessor-rules

The snort.conf file has all include so_rules/ lines at the end uncommented, so it should be picking up those rules. I think I am missing something about the dynamic rules.

Relevant sections of snort.conf are:

    # Path to your rules files (this can be a relative path)
    # Note for Windows users: You are advised to make this an absolute path,
    # such as: c:\snort\rules
    var RULE_PATH /home/dheeraj/installs/snort-2.9.0.5/etc/rules
    var SO_RULE_PATH /home/dheeraj/installs/snort-2.9.0.5/etc/so_rules
    var PREPROC_RULE_PATH /home/dheeraj/installs/snort-2.9.0.5/etc/preproc_rules

    # path to dynamic preprocessor libraries
    dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/

    # path to base preprocessor engine
    dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so

    # path to dynamic rules libraries
    dynamicdetection directory /usr/local/lib/snort_dynamicrules

I look into my /var/log/messages and see the following (relevant) entries:

    May 12 14:46:58 redbaronpc snort[20793]: Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so...
    May 12 14:46:58 redbaronpc snort[20793]: done
    May 12 14:46:58 redbaronpc snort[20793]: Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules...
    May 12 14:46:58 redbaronpc snort[20793]: *Warning: No dynamic libraries found in directory /usr/local/lib/snort_dynamicrules! *
    May 12 14:46:58 redbaronpc snort[20793]: Finished Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules
    May 12 14:46:58 redbaronpc snort[20793]: Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
    May 12 14:46:58 redbaronpc snort[20793]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
    May 12 14:46:58 redbaronpc snort[20793]: done
    May 12 14:46:58 redbaronpc snort[20793]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so...
    May 12 14:46:58 redbaronpc snort[20793]: done
    May 12 14:46:58 redbaronpc snort[20793]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so...
    May 12 14:46:58 redbaronpc snort[20793]: done
    May 12 14:46:58 redbaronpc snort[20793]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
    May 12 14:46:58 redbaronpc snort[20793]: done
    May 12 14:46:58 redbaronpc snort[20793]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so...
    May 12 14:46:58 redbaronpc snort[20793]: done
    May 12 14:46:58 redbaronpc snort[20793]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
    May 12 14:46:58 redbaronpc snort[20793]: done
    May 12 14:46:58 redbaronpc snort[20793]: Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so...
    May 12 14:46:58 redbaronpc snort[20793]: done
    May 12 14:46:58 redbaronpc snort[20793]: Finished Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/
    May 12 14:46:59 redbaronpc snort[20793]: +++++++++++++++++++++++++++++++++++++++++++++++++++
    May 12 14:46:59 redbaronpc snort[20793]: Initializing rule chains...
    May 12 14:47:00 redbaronpc snort[20793]: 5360 Snort rules read
    May 12 14:47:00 redbaronpc snort[20793]: 5360 detection rules
    May 12 14:47:00 redbaronpc snort[20793]: 0 decoder rules
    May 12 14:47:00 redbaronpc snort[20793]: 0 preprocessor rules
    May 12 14:47:00 redbaronpc snort[20793]: 5360 Option Chains linked into 479 Chain Headers
    May 12 14:47:00 redbaronpc snort[20793]:* 0 Dynamic rules *
    May 12 14:47:00 redbaronpc snort[20793]: +++++++++++++++++++++++++++++++++++++++++++++++++++
    May 12 14:47:01 redbaronpc snort[20793]: *Encoded Rule Plugin SID: 15210, GID: 3 not registered properly. Disabling this rule. *

(The above message is repeated about 700 times for different SIDs. Could someone also explain why this message comes?)

How do I remove the "No dynamic libraries found in directory /usr/local/lib/snort_dynamicrules!" warning and get the dynamic rules to fire on this installation?

Regards,
Dheeraj
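A check for the condition the log in this message reports, added here as an example and not part of the original post or of Snort itself: it reads the `dynamicdetection directory` and `SO_RULE_PATH` settings from a snort.conf, compares the number of compiled `.so` libraries with the number of stub `.rules` files, and counts the distinct SIDs that syslog shows as disabled GID 3 rules. The function names are hypothetical and the sample tree is constructed.

```sh
#!/bin/sh
# Added example (not from the post): pre-flight check for Snort 2.9 so_rules.
# Function names are hypothetical; the sample tree built below is constructed.

# Directory named by "dynamicdetection directory <path>" in a snort.conf.
detection_dir() {
    awk '$1 == "dynamicdetection" && $2 == "directory" { print $3; exit }' "$1"
}

# Value of "var SO_RULE_PATH <path>" in the same file.
so_rule_path() {
    awk '$1 == "var" && $2 == "SO_RULE_PATH" { print $3; exit }' "$1"
}

# Number of non-directory entries ending in $2 directly inside $1 (0 if absent).
count_files() {
    [ -d "$1" ] || { echo 0; return 0; }
    find "$1" -maxdepth 1 ! -type d -name "*$2" | wc -l | tr -d ' '
}

# Compare compiled libraries against stub rule files for one snort.conf.
check_so_rules() {
    libs=$(count_files "$(detection_dir "$1")" .so)
    stubs=$(count_files "$(so_rule_path "$1")" .rules)
    if [ "$libs" -eq 0 ] && [ "$stubs" -gt 0 ]; then
        echo "MISMATCH: $stubs stub file(s), 0 libraries"
    elif [ "$libs" -eq 0 ]; then
        echo "EMPTY: no stub files, no libraries"
    else
        echo "OK: $libs libraries, $stubs stub file(s)"
    fi
}

# Distinct SIDs that a syslog file reports as disabled GID 3 rules.
disabled_sids() {
    sed -n 's/.*SID: \([0-9][0-9]*\), GID: 3 not registered properly.*/\1/p' "$1" |
        sort -u | wc -l | tr -d ' '
}

# Build a constructed tree shaped like the post's layout; prints its root.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/so_rules" "$root/snort_dynamicrules"
    printf 'var SO_RULE_PATH %s\ndynamicdetection directory %s\n' \
        "$root/so_rules" "$root/snort_dynamicrules" > "$root/snort.conf"
    : > "$root/so_rules/sample.rules"
    echo "$root"
}
```

On a real sensor, `check_so_rules /path/to/snort.conf` before starting Snort shows whether stub rules are enabled without any library behind them, which is the state the startup log above reports.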
Current thread:
- Regarding dynamic (so_rules) rules Dheeraj Gupta (May 12)
- Re: Regarding dynamic (so_rules) rules Joel Esler (May 12)
- Re: Regarding dynamic (so_rules) rules John York (May 12)
- Re: Regarding dynamic (so_rules) rules Joel Esler (May 12)
- Re: Regarding dynamic (so_rules) rules Dheeraj Gupta (May 12)
- Re: Regarding dynamic (so_rules) rules Joel Esler (May 13)
- Re: Regarding dynamic (so_rules) rules John York (May 12)
- Re: Regarding dynamic (so_rules) rules Joel Esler (May 12)