Snort mailing list archives

Re: Rules updates and compile-time options


From: Joel Esler <jesler () sourcefire com>
Date: Sun, 29 Jan 2012 10:46:47 -0500

On Jan 13, 2012, at 5:43 PM, Ben Sansnom wrote:

Hi All

I have inherited a Snort system that is configured in a way quite foreign from what I've previously managed. It runs 
2.9.1, with Oinkmaster updating all on top of a Windows 2003 server (I'm stuck with the Oinkmaster and Windows for 
the time being. This is the first time I've seen a Windows Snort config). 

I'm trying to untangle why the rules updating is erratic. RULE_PATH = x:\snort\rules. Oinkmaster successfully 
retrieves the file, and writes and uncompresses correctly in the TMP directory. However, within the /rules directory, 
only a handful of rules are actually landing in there and the rest are never updated. The first line of all of the 
handful of updated files contains the string "# Autogenerated skeleton rules file.  Do NOT edit by hand". Those rule 
files plus many others in the rule directory contain significantly fewer signatures compared to what I see when 
manually using the oinkcode to fetch the VRT tarball. However, a number of the rules (that are not updating) do begin 
with the typical:
"# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
#
# This file may contain proprietary rules that were created, tested and
# certified by Sourcefire, Inc. (the "VRT Certified Rules") etc"

The updating has succeeded on these handful of files in timeframes ranging from a couple of days to a couple of 
weeks. But each time it does work, it always generates a file with the "#Autogenerated" string.

To me, it looks like the system is configured for shared-objects. However, nothing in the snort.conf references that 
(all the dynamic library rules are commented out) and there is no so_rules directory on the server at all. 

Is the assumption that shared-objects are in play correct? Is the "#Autogenerated" string an indication that shared 
objects are in use? If that assumption is correct, how can I confirm that snort was compiled to use SO? Is something 
else going on here?

You can't use shared object rules on Windows.  We don't provide a compile for them.


I'm happy to manually copy in all the rules files and simply restart the service, but I want to understand what is 
going on. 
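
A quick way to see what Oinkmaster is and is not delivering is to inventory the rules directory against a freshly extracted tarball. The script below is an added example, not something from this thread or from the Oinkmaster/Snort projects: it classifies each rules file by the two first-line markers Ben quotes (the "# Autogenerated skeleton rules file" SO stub header and the "# Copyright ... Sourcefire" text-rules header), extracts the SIDs of the enabled rules, and reports which files on disk lack SIDs that the tarball carries. The rule files and SIDs (in the 1000000+ local range) are constructed for the example; rule files are modelled as a {file name: contents} dictionary so it runs offline, and you would feed it os.listdir()/open() over x:\snort\rules and the extracted tarball instead.

```python
"""Inventory Snort rule files: SO stub vs. text rules, and which files are stale.

Constructed example.  Files are passed as {name: contents} dictionaries so the
code runs without a Snort install; read real directories to use it for real.
"""
import re
from typing import Dict, Iterator, List, Set

# First-line markers quoted in the thread.
SO_STUB_MARKER = "# Autogenerated skeleton rules file"
VRT_TEXT_MARKER = "# Copyright"

_ACTIONS = "alert|log|pass|drop|reject|sdrop|activate|dynamic"
# action proto src sport (-> or <>) ...; group 1 is set when the rule is commented out.
_RULE_RE = re.compile(r"^(#\s*)?(?:" + _ACTIONS + r")\s+\S+\s+\S+\s+\S+\s+(?:->|<>)\s")
_SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def _logical_lines(text: str) -> Iterator[str]:
    """Join Snort's trailing-backslash line continuations so one rule is one string."""
    buf: List[str] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield " ".join(buf)
        buf = []
    if buf:
        yield " ".join(buf)


def classify_rules_file(text: str) -> str:
    """Return 'so_stub', 'text_rules' or 'unknown' from the first non-blank line."""
    first = next((ln for ln in text.splitlines() if ln.strip()), "")
    if first.startswith(SO_STUB_MARKER):
        return "so_stub"
    if first.startswith(VRT_TEXT_MARKER):
        return "text_rules"
    return "unknown"


def enabled_sids(text: str) -> Set[int]:
    """SIDs of rules that are active (not commented out) in one rules file."""
    sids: Set[int] = set()
    for line in _logical_lines(text):
        m = _RULE_RE.match(line.strip())
        if not m or m.group(1):   # not a rule header, or a '# alert ...' disabled rule
            continue
        sid = _SID_RE.search(line)
        if sid:
            sids.add(int(sid.group(1)))
    return sids


def compare_rule_sets(installed: Dict[str, str], tarball: Dict[str, str]) -> Dict[str, dict]:
    """Per file name: kind on disk, enabled SID counts, and SIDs the tarball has but disk lacks."""
    report: Dict[str, dict] = {}
    for name in sorted(set(installed) | set(tarball)):
        on_disk, in_tar = installed.get(name), tarball.get(name)
        disk_sids = enabled_sids(on_disk) if on_disk is not None else set()
        tar_sids = enabled_sids(in_tar) if in_tar is not None else set()
        if on_disk is None:
            status = "missing-on-disk"
        elif in_tar is None:
            status = "not-in-tarball"
        elif tar_sids - disk_sids:
            status = "stale"
        else:
            status = "current"
        report[name] = {
            "kind": classify_rules_file(on_disk) if on_disk is not None else None,
            "enabled_on_disk": len(disk_sids),
            "enabled_in_tarball": len(tar_sids),
            "missing_sids": sorted(tar_sids - disk_sids),
            "status": status,
        }
    return report


# Constructed sample files; SIDs are in the local 1000000+ range, not real VRT rules.
VRT_HEADER = "# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved\n#\n"
_RULE1 = 'alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"constructed rule 1"; sid:1000001; rev:1;)\n'
_RULE2 = '# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"disabled rule"; sid:1000002; rev:1;)\n'
_RULE3 = 'alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"constructed rule 3, \\\n    continued"; sid:1000003; rev:1;)\n'
_STUB = ("# Autogenerated skeleton rules file.  Do NOT edit by hand\n"
         'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"constructed SO stub"; sid:1000010; rev:1;)\n')
SAMPLE_INSTALLED = {"exploit.rules": VRT_HEADER + _RULE1 + _RULE2, "web-misc.rules": _STUB}
SAMPLE_TARBALL = {
    "exploit.rules": VRT_HEADER + _RULE1 + _RULE2 + _RULE3,
    "web-misc.rules": _STUB,
    "netbios.rules": VRT_HEADER + 'alert udp any any <> $HOME_NET 137 (msg:"constructed rule 4"; sid:1000004; rev:1;)\n',
}

if __name__ == "__main__":
    for name, row in compare_rule_sets(SAMPLE_INSTALLED, SAMPLE_TARBALL).items():
        print(f"{name:16} {row['kind'] or '-':10} {row['status']:16} missing={row['missing_sids']}")
```

Run against the real directories, the "stale" and "missing-on-disk" rows are the files Oinkmaster is not writing, and the "kind" column shows whether the files that do arrive are the SO stubs Ben describes. Counting enabled SIDs rather than bytes or line counts also avoids being fooled by header or comment changes between releases.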

