Snort mailing list archives

Rules updates and compile-time options


From: Ben Sansnom <bensansnom () gmail com>
Date: Fri, 13 Jan 2012 15:43:36 -0700

Hi All

I have inherited a Snort system that is configured in a way quite foreign
to what I've previously managed. It runs 2.9.1, with Oinkmaster updating
all on top of a Windows 2003 server (I'm stuck with Oinkmaster and
Windows for the time being. This is the first time I've seen a Windows
Snort config).

I'm trying to untangle why the rules updating is erratic. RULE_PATH =
x:\snort\rules. Oinkmaster successfully retrieves the file, and writes and
uncompresses it correctly in the TMP directory. However, within the /rules
directory, only a handful of rules are actually landing there and the
rest are never updated. The first line of each of the handful of updated
files contains the string "# Autogenerated skeleton rules file.  Do NOT edit
by hand". Those rule files plus many others in the rule directory contain
significantly fewer signatures compared to what I see when manually using the
oinkcode to fetch the VRT tarball. However, a number of the rules (that are
not updating) do begin with the typical:
"# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
#
# This file may contain proprietary rules that were created, tested and
# certified by Sourcefire, Inc. (the "VRT Certified Rules") etc"

The updating has succeeded on these handful of files in timeframes ranging
from a couple of days to a couple of weeks. But each time it does work, it
always generates a file with the "#Autogenerated" string.

To me, it looks like the system is configured for shared-objects. However,
nothing in the snort.conf references that (all the dynamic library rules
are commented out) and there is no so_rules directory on the server at all.

Is the assumption that shared-objects are in play correct? Is the
"#Autogenerated" string an indication that shared objects are in use? If
that assumption is correct, how can I confirm that Snort was compiled to
use SO? Is something else going on here?

I'm happy to manually copy in all the rules files and simply restart the
service, but I want to understand what is going on.

Thanks,

Ben
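A small diagnostic script, added here and not part of the post, Oinkmaster or Snort, that inspects a RULE_PATH the way the post describes: it flags rule files whose first line carries the "# Autogenerated skeleton rules file" marker and compares per-file rule counts against the .rules files extracted from the VRT tarball in TMP, so stale or stub files stand out. The directory names, the sample rule text and the sid values are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

SKELETON_MARKER = "# Autogenerated skeleton rules file"
# Matches an active rule line or a commented-out ("# alert ...") one.
RULE_RE = re.compile(r"^\s*(#\s*)?(alert|log|pass|drop|reject|sdrop)\s+\S+")

def inspect_rules_file(text):
    """Return (is_skeleton, enabled_rules, disabled_rules) for one file's text."""
    lines = text.splitlines()
    matches = [m for m in map(RULE_RE.match, lines) if m]
    disabled = sum(1 for m in matches if m.group(1))
    return (bool(lines) and SKELETON_MARKER in lines[0],
            len(matches) - disabled, disabled)

def compare_rule_dirs(rule_path, tarball_rules):
    """Status of each tarball .rules file versus its installed copy under RULE_PATH."""
    report = {}
    for fresh in sorted(Path(tarball_rules).glob("*.rules")):
        _, f_on, f_off = inspect_rules_file(fresh.read_text(errors="replace"))
        installed = Path(rule_path) / fresh.name
        if not installed.exists():
            report[fresh.name] = "missing"
            continue
        skel, i_on, i_off = inspect_rules_file(installed.read_text(errors="replace"))
        if skel:
            report[fresh.name] = "skeleton"
        elif i_on + i_off < f_on + f_off:
            report[fresh.name] = "stale (%d vs %d rules)" % (i_on + i_off, f_on + f_off)
        else:
            report[fresh.name] = "ok"
    return report

# Constructed samples: a stub file with the skeleton marker, and a text-rules file.
SKELETON = (SKELETON_MARKER + ".  Do NOT edit by hand.\n"
            'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"stub"; sid:1; gid:3;)\n')
FRESH = ("# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved\n"
         'alert tcp any any -> any 80 (msg:"a"; sid:1000001; rev:1;)\n'
         '# alert tcp any any -> any 443 (msg:"b"; sid:1000002; rev:1;)\n')

def demo():
    """Build a RULE_PATH and a tarball directory from the samples and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        rules, fresh = Path(tmp, "rules"), Path(tmp, "fresh")
        rules.mkdir(); fresh.mkdir()
        (rules / "web.rules").write_text(SKELETON)   # installed copy is a stub
        (fresh / "web.rules").write_text(FRESH)      # tarball has the real rules
        (fresh / "dns.rules").write_text(FRESH)      # never landed in RULE_PATH
        return compare_rule_dirs(rules, fresh)
```

Point `compare_rule_dirs` at the real RULE_PATH and the rules directory Oinkmaster unpacked in TMP to list which files are missing, stubbed, or behind the tarball.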