Snort mailing list archives

Re: Unable to create stub so rules files


From: "C. L. Martinez" <carlopmart () gmail com>
Date: Tue, 27 Nov 2012 16:04:43 +0000

On Tue, Nov 27, 2012 at 3:49 PM, Peter Bates <peter.bates () ucl ac uk> wrote:


Hello all

On 27/11/2012 15:43, C. L. Martinez wrote:
On Tue, Nov 27, 2012 at 3:29 PM, Peter Bates <peter.bates () ucl ac uk> wrote:
var CONF_PATH /data/config/etc/idpsnort01
dynamicdetection directory $CONF_PATH/dynamicrules

Can you try and set the absolute path and not use the variable?

i.e.

dynamicdetection directory /data/config/etc/idpsnort01/dynamicrules

Just to see if the -T reads the directory or not?


/usr/local/bin/snort -c /data/config/etc/idpsnort01/snort.conf -i em5 -l /nsm/sensor_data/idpsnort01 -T

Running in Test mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/data/config/etc/idpsnort01/snort.conf"
PortVar 'HTTP_PORTS' defined :  [ 80:81 311 383 591 593 901 1220 1414
1741 1830 2301 2381 2809 3128 3702 4343 4848 5250 7001 7145 7510 7777
7779 8000 8008 8014 8028 8080 8088 8090 8118 8123 8180:8181 8243 8280
8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999 11371 50002
55555 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
PortVar 'SSH_PORTS' defined :  [ 22 ]
PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
PortVar 'SIP_PORTS' defined :  [ 5060:5061 5600 ]
PortVar 'FILE_DATA_PORTS' defined :  [ 80:81 110 143 311 383 591 593
901 1220 1414 1741 1830 2301 2381 2809 3128 3702 4343 4848 5250 7001
7145 7510 7777 7779 8000 8008 8014 8028 8080 8088 8090 8118 8123
8180:8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443
9999 11371 50002 55555 ]
PortVar 'GTP_PORTS' defined :  [ 2123 2152 3386 ]
Detection:
   Search-Method = AC-Full-Q
    Split Any/Any group = enabled
    Search-Method-Optimizations = enabled
    Maximum pattern length = 20

........................

  Loading dynamic preprocessor library /opt/snort/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
  Loading dynamic preprocessor library /opt/snort/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
  Loading dynamic preprocessor library /opt/snort/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so... done
  Loading dynamic preprocessor library /opt/snort/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done
  Loading dynamic preprocessor library /opt/snort/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so... done
  Loading dynamic preprocessor library /opt/snort/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so... done
  Loading dynamic preprocessor library /opt/snort/lib/snort_dynamicpreprocessor//libsf_gtp_preproc.so... done
  Loading dynamic preprocessor library /opt/snort/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so... done
  Loading dynamic preprocessor library /opt/snort/lib/snort_dynamicpreprocessor//libsf_dnp3_preproc.so... done
  Finished Loading all dynamic preprocessor libs from /opt/snort/lib/snort_dynamicpreprocessor/
Log directory = /nsm/sensor_data/idpsnort01

..................................

  packet action   : fastpath-expensive-packets
  packet logging  : log
  debug-pkts      : disabled
pcap DAQ configured to passive.
Acquiring network traffic from "em5".

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.3.1 IPv6 GRE (Build 40) FreeBSD
   ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2012 Sourcefire, Inc., et al.
           Using libpcap version 1.3.0
           Using PCRE version: 8.31 2012-07-06
           Using ZLIB version: 1.2.7

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.16  <Build 18>
           Rules Object: nntp  Version 1.0  <Build 1>
           Rules Object: imap  Version 1.0  <Build 1>
           Rules Object: p2p  Version 1.0  <Build 1>
           Rules Object: snmp  Version 1.0  <Build 1>
           Rules Object: netbios  Version 1.0  <Build 1>
           Rules Object: web-misc  Version 1.0  <Build 1>
           Rules Object: misc  Version 1.0  <Build 1>
           Rules Object: exploit  Version 1.0  <Build 1>
           Rules Object: bad-traffic  Version 1.0  <Build 1>
           Rules Object: smtp  Version 1.0  <Build 1>
           Rules Object: multimedia  Version 1.0  <Build 1>
           Rules Object: specific-threats  Version 1.0  <Build 1>
           Rules Object: chat  Version 1.0  <Build 1>
           Rules Object: icmp  Version 1.0  <Build 1>
           Rules Object: web-client  Version 1.0  <Build 1>
           Rules Object: web-activex  Version 1.0  <Build 1>
           Rules Object: web-iis  Version 1.0  <Build 1>
           Rules Object: dos  Version 1.0  <Build 1>
           Preprocessor Object: SF_DNP3 (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_MODBUS (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_GTP (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_REPUTATION (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_SIP (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_SDF (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_DCERPC2 (IPV6)  Version 1.0  <Build 3>
           Preprocessor Object: SF_SSLPP (IPV6)  Version 1.1  <Build 4>
           Preprocessor Object: SF_DNS (IPV6)  Version 1.1  <Build 4>
           Preprocessor Object: SF_SSH (IPV6)  Version 1.1  <Build 3>
           Preprocessor Object: SF_SMTP (IPV6)  Version 1.1  <Build 9>
           Preprocessor Object: SF_IMAP (IPV6)  Version 1.0  <Build 1>
           Preprocessor Object: SF_POP (IPV6)  Version 1.0  <Build 1>
           Preprocessor Object: SF_FTPTELNET (IPV6)  Version 1.2  <Build 13>

Snort successfully validated the configuration!
Snort exiting

According to this, shared objects are loaded ...
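The `snort -T` run above only shows which rule objects Snort reported as loaded; it does not by itself tell you whether every shared object in the `dynamicdetection directory` made it into that list. The following script is an added example (not code from this thread or from the Snort project): it extracts the `Rules Object:` names from saved `snort -T` output and compares them against the `*.so` files in the rules directory, printing any library that is present on disk but absent from the output. It assumes, as a labelled assumption, that each shared object rules file is named `<object>.so` so that the basename matches the `Rules Object` name; the sample output and directory contents in the demo are constructed inline.

```shell
#!/bin/sh
# Added example, not from the thread: cross-check the "Rules Object:" lines
# printed by `snort -T` against the *.so files in the dynamicdetection
# directory, so a shared-object rules library that did not load stands out.

# Read snort -T output on stdin and print the loaded rule object names,
# one per line, sorted. Matching lines look like:
#   "           Rules Object: nntp  Version 1.0  <Build 1>"
loaded_rule_objects() {
    sed -n 's/^[[:space:]]*Rules Object: \([^ ]*\).*/\1/p' | sort -u
}

# Print the object names expected from a directory of *.so files, sorted.
# ASSUMPTION: a rules library called "<object>.so" is reported by snort -T
# as "Rules Object: <object>".
expected_rule_objects() {
    dir=$1
    for f in "$dir"/*.so; do
        [ -e "$f" ] || continue        # no match: the glob stays literal
        b=${f##*/}
        printf '%s\n' "${b%.so}"
    done | sort -u
}

# missing_rule_objects DIR OUTPUT_FILE
# Prints the objects present in DIR but absent from the snort -T output in
# OUTPUT_FILE. Returns 0 when every library loaded, 1 when some are missing.
missing_rule_objects() {
    dir=$1
    output_file=$2
    exp=$(mktemp) || return 2
    got=$(mktemp) || { rm -f "$exp"; return 2; }
    expected_rule_objects "$dir" >"$exp"
    loaded_rule_objects <"$output_file" >"$got"
    missing=$(comm -23 "$exp" "$got")   # both inputs are sorted by sort -u
    rm -f "$exp" "$got"
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing"
        return 1
    fi
    return 0
}

# Demo with constructed data: three libraries on disk, only two reported.
demo_dir=$(mktemp -d)
: >"$demo_dir/nntp.so"
: >"$demo_dir/imap.so"
: >"$demo_dir/example-notloaded.so"     # constructed name, not a real Snort object
demo_out=$(mktemp)
cat >"$demo_out" <<'EOF'
           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.16  <Build 18>
           Rules Object: nntp  Version 1.0  <Build 1>
           Rules Object: imap  Version 1.0  <Build 1>
Snort successfully validated the configuration!
EOF
if missing_rule_objects "$demo_dir" "$demo_out"; then
    echo "all shared-object rules libraries were loaded"
else
    echo "the libraries above are on disk but not reported by snort -T"
fi
rm -rf "$demo_dir" "$demo_out"
```

In practice you would save the real output with `snort -c <snort.conf> -T 2>&1 > snort-T.log` and call `missing_rule_objects /path/to/dynamicrules snort-T.log`; a non-empty result is the place to start looking before trying to generate stub rules from those libraries.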
