Snort mailing list archives

Re: Regarding dynamic (so_rules) rules


From: Joel Esler <jesler () sourcefire com>
Date: Fri, 13 May 2011 08:00:28 -0400

That's usually an indicator that you are running the wrong version of Shared
Object rules.

Again, PulledPork will manage this for you.

On Fri, May 13, 2011 at 12:54 AM, Dheeraj Gupta <dheeraj.gupta4 () gmail com> wrote:

Hi,
Thanks for pointing to PulledPork. I will look into it. I followed the
procedure listed in
(http://vrt-blog.snort.org/2009/01/using-vrt-certified-shared-object-rules.html)
and on running snort with dump-dynamic-rules I get a segmentation fault.
The /var/log/messages has the following entry
May 13 10:18:56 redbaronpc kernel: snort[3737]: segfault at 000000000000043c rip 0000003227a49ee6 rsp 00007fff773b6170 error 4
and the display shows following
Dumping dynamic rules...
  Finished dumping dynamic rules.
Segmentation fault

Regards,
Dheeraj


On Thu, May 12, 2011 at 5:26 PM, Joel Esler <jesler () sourcefire com> wrote:

There's a couple blog posts and snort.org I could point you to, but the
easiest way, really, to get Shared Object rules running (which is what you
are referring to below "dynamic", in this context) is to use pulledpork.

Pulledpork will download, compile, and generally take care of everything
you need for shared object rules to function.

J

On May 12, 2011, at 5:41 AM, Dheeraj Gupta wrote:

Hi,
I am sorry if this has been answered before, but I really couldn't find an
appropriate answer to a host of troubles I am having.
I can't seem to trigger dynamic rules for my snort installation.
I configure snort with ./configure --with-mysql --enable-zlib --enable-decoder-preprocessor-rules

The snort.conf file has all the include so_rules/ lines at the end
uncommented, so it should be picking up those rules.
I think I am missing something about the dynamic rules.

Relevant Sections of snort.conf are
# Path to your rules files (this can be a relative path)
# Note for Windows users:  You are advised to make this an absolute path,
# such as:  c:\snort\rules
var RULE_PATH /home/dheeraj/installs/snort-2.9.0.5/etc/rules
var SO_RULE_PATH /home/dheeraj/installs/snort-2.9.0.5/etc/so_rules
var PREPROC_RULE_PATH /home/dheeraj/installs/snort-2.9.0.5/etc/preproc_rules

# path to dynamic preprocessor libraries
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/

# path to base preprocessor engine
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so

# path to dynamic rules libraries
dynamicdetection directory /usr/local/lib/snort_dynamicrules

I look into my /var/log/messages and see the following (relevant) entries

May 12 14:46:58 redbaronpc snort[20793]: Loading dynamic engine
/usr/local/lib/snort_dynamicengine/libsf_engine.so...
May 12 14:46:58 redbaronpc snort[20793]: done
May 12 14:46:58 redbaronpc snort[20793]: Loading all dynamic detection
libs from /usr/local/lib/snort_dynamicrules...
May 12 14:46:58 redbaronpc snort[20793]: Warning: No dynamic libraries found in directory /usr/local/lib/snort_dynamicrules!
May 12 14:46:58 redbaronpc snort[20793]:   Finished Loading all dynamic
detection libs from /usr/local/lib/snort_dynamicrules
May 12 14:46:58 redbaronpc snort[20793]: Loading all dynamic preprocessor
libs from /usr/local/lib/snort_dynamicpreprocessor/...
May 12 14:46:58 redbaronpc snort[20793]:   Loading dynamic preprocessor
library /usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
May 12 14:46:58 redbaronpc snort[20793]: done
May 12 14:46:58 redbaronpc snort[20793]:   Loading dynamic preprocessor
library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so...
May 12 14:46:58 redbaronpc snort[20793]: done
May 12 14:46:58 redbaronpc snort[20793]:   Loading dynamic preprocessor
library /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so...
May 12 14:46:58 redbaronpc snort[20793]: done
May 12 14:46:58 redbaronpc snort[20793]:   Loading dynamic preprocessor
library /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
May 12 14:46:58 redbaronpc snort[20793]: done
May 12 14:46:58 redbaronpc snort[20793]:   Loading dynamic preprocessor
library /usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so...
May 12 14:46:58 redbaronpc snort[20793]: done
May 12 14:46:58 redbaronpc snort[20793]:   Loading dynamic preprocessor
library
/usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
May 12 14:46:58 redbaronpc snort[20793]: done
May 12 14:46:58 redbaronpc snort[20793]:   Loading dynamic preprocessor
library /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so...
May 12 14:46:58 redbaronpc snort[20793]: done
May 12 14:46:58 redbaronpc snort[20793]:   Finished Loading all dynamic
preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/

May 12 14:46:59 redbaronpc snort[20793]:
+++++++++++++++++++++++++++++++++++++++++++++++++++
May 12 14:46:59 redbaronpc snort[20793]: Initializing rule chains...
May 12 14:47:00 redbaronpc snort[20793]: 5360 Snort rules read
May 12 14:47:00 redbaronpc snort[20793]:     5360 detection rules
May 12 14:47:00 redbaronpc snort[20793]:     0 decoder rules
May 12 14:47:00 redbaronpc snort[20793]:     0 preprocessor rules
May 12 14:47:00 redbaronpc snort[20793]: 5360 Option Chains linked into
479 Chain Headers
May 12 14:47:00 redbaronpc snort[20793]: 0 Dynamic rules
May 12 14:47:00 redbaronpc snort[20793]:
+++++++++++++++++++++++++++++++++++++++++++++++++++

May 12 14:47:01 redbaronpc snort[20793]: Encoded Rule Plugin SID: 15210, GID: 3 not registered properly.  Disabling this rule.
(The above message is repeated about 700 times for different SIDs. Could
someone also explain why this message comes?)

How do I remove the "No dynamic libraries found in directory
/usr/local/lib/snort_dynamicrules!" warning, and get the dynamic rules to fire
on this installation?



Regards,
Dheeraj


------------------------------------------------------------------------------
Achieve unprecedented app performance and reliability
What every C/C++ and Fortran developer should know.
Learn how Intel has extended the reach of its next-generation tools
to help boost performance applications - including clusters.

http://p.sf.net/sfu/intel-dev2devmay
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users





--
To iterate is human. To recurse, divine!

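The startup messages Dheeraj quoted are exactly what one keys on when checking whether Snort 2.x shared-object rules are actually loaded. The script below is an added example for this thread, not code from the Snort project or from either poster: it runs over a constructed sample log (built from the lines quoted above, syslog prefixes included) and maps each message to its meaning for SO rule loading. The message patterns are the ones visible in the thread; the remediation wording follows Joel's advice (install the .so libraries built for the exact Snort version, or let PulledPork do it). The pattern for the "no dynamic libraries" warning and the crash line are assumed to be stable across 2.9.x releases.

```python
"""Triage a Snort 2.x startup log for shared-object (SO) rule problems.

Added example for the snort-users thread on dynamic (so_rules) rules.
Not Snort project code; the sample log is constructed from the lines
quoted in the thread.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed sample: the SO-relevant lines from the two posts, with the
# syslog prefixes kept so the parser works on /var/log/messages as-is.
SAMPLE_LOG = """\
May 12 14:46:58 redbaronpc snort[20793]: Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules...
May 12 14:46:58 redbaronpc snort[20793]: Warning: No dynamic libraries found in directory /usr/local/lib/snort_dynamicrules!
May 12 14:47:00 redbaronpc snort[20793]: 5360 Snort rules read
May 12 14:47:00 redbaronpc snort[20793]: 0 Dynamic rules
May 12 14:47:01 redbaronpc snort[20793]: Encoded Rule Plugin SID: 15210, GID: 3 not registered properly.  Disabling this rule.
May 13 10:18:56 redbaronpc kernel: snort[3737]: segfault at 000000000000043c rip 0000003227a49ee6 rsp 00007fff773b6170 error 4
"""

# Messages Snort prints while loading SO rules (as they appear in the thread).
NO_LIBS_RE = re.compile(r"No dynamic libraries found in directory (\S+?)!")
DYN_COUNT_RE = re.compile(r"\b(\d+) Dynamic rules\b")
NOT_REGISTERED_RE = re.compile(
    r"Encoded Rule Plugin SID: (\d+), GID: (\d+) not registered properly")
# Kernel segfault line for a snort process (what the second post shows).
SEGFAULT_RE = re.compile(r"kernel: snort\[\d+\]: segfault at [0-9a-f]+")


@dataclass
class SoRuleReport:
    empty_so_dir: Optional[str] = None       # dynamicdetection dir with no .so files
    dynamic_rule_count: Optional[int] = None  # "N Dynamic rules" from the summary
    disabled_sids: Set[int] = field(default_factory=set)  # GID 3 stubs with no library
    crashed: bool = False
    findings: List[str] = field(default_factory=list)


def triage(log_text: str) -> SoRuleReport:
    """Parse Snort startup output and explain each SO-rule symptom."""
    r = SoRuleReport()
    for line in log_text.splitlines():
        m = NO_LIBS_RE.search(line)
        if m:
            r.empty_so_dir = m.group(1)
            continue
        m = DYN_COUNT_RE.search(line)
        if m:
            r.dynamic_rule_count = int(m.group(1))
            continue
        m = NOT_REGISTERED_RE.search(line)
        if m and m.group(2) == "3":   # GID 3 = shared-object rule engine
            r.disabled_sids.add(int(m.group(1)))
            continue
        if SEGFAULT_RE.search(line):
            r.crashed = True

    if r.empty_so_dir:
        r.findings.append(
            f"dynamicdetection directory {r.empty_so_dir} holds no .so rule "
            "libraries: install the precompiled SO libraries built for this "
            "exact Snort version and platform (PulledPork does this).")
    if r.disabled_sids:
        sids = ", ".join(str(s) for s in sorted(r.disabled_sids))
        r.findings.append(
            f"{len(r.disabled_sids)} SO stub rule(s) from so_rules/*.rules "
            f"(GID 3) have no loaded library and were disabled; SIDs: {sids}.")
    if r.dynamic_rule_count == 0 and (r.empty_so_dir or r.disabled_sids):
        r.findings.append("'0 Dynamic rules' confirms no SO rule is active.")
    if r.crashed:
        r.findings.append(
            "snort segfaulted; after --dump-dynamic-rules this points at SO "
            "libraries built for a different Snort version (see Joel's reply).")
    return r


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for finding in report.findings:
        print("-", finding)
```

Run it against the real /var/log/messages with `triage(open("/var/log/messages").read())`; a healthy install shows a non-zero "Dynamic rules" count and none of the other three findings. Note that "Encoded Rule Plugin ... not registered properly" is not itself the fault: it is the consequence of the empty dynamicdetection directory, one line per stub rule, which is why it repeats hundreds of times.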
