Snort mailing list archives

Re: Error running snort


From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
Date: Wed, 10 Oct 2012 16:08:35 -0600

Hi,

Compiled rules (so_rules) are covered in the manuals and blogs in some depth; however, since I know you don't like to 
RTFM ;) (actually I *do* suggest you go to the snort blog and VRT blog and look up posts about so_rules and read them in 
your spare time...), basically they are pre-compiled rules that either require more processing than text rules require, 
or there is some reason to obscure what the rule is looking for (due to NDAs that Sourcefire has with vendors, or to hide 
things from bad guys, etc...)  That's my understanding of so_rules.

I would suggest that you get snort and the rest of the tool chain working first before diving into so_rules.  
PulledPork will handle so_rules as well... you just need to specify the right distro/bit-ness.  In the past I've had success 
using Ubuntu so_rules for not *quite* the same revision, but you'd need to test that.

It's easy to tell if it's not working, since snort segfaults (or complains at startup sometimes) if you have the wrong 
so_rules.  Sometimes (I've seen this in the past, maybe it doesn't do this anymore) it doesn't segfault until you get a 
packet that tries to hit the so_rule... but the rest of the time it runs happily.



-----Original Message-----
From: AllowOverride [mailto:allowoverride () gmail com] 
Sent: Wednesday, October 10, 2012 2:58 PM
To: Jefferson, Shawn
Cc: 'fashman2k1 () yahoo com'; 'snort-users () lists sourceforge net'
Subject: Re: [Snort-users] Error running snort

This leads to another issue, so_rules. I did not see Ubuntu 12.04 listed, only up to 12.04. Is there an updated 
precompiled rule set for 12.04 coming soon? Not that I know what they are for; I figure packets being analyzed should 
matter what distro it is coming for?

I assume the precompiled rules are for base services included in each different Linux distro, thus the need to specify 
them in the first place. 

Don't answer that, I will figure it out, just thinking out loud..


On Wed, 2012-10-10 at 14:27 -0600, Jefferson, Shawn wrote:
You have the wrong version of so rules for your distro/os.



----- Original Message -----
From: Akinwale Fasuru <fashman2k1 () yahoo com>
To: snort-users () lists sourceforge net 
<snort-users () lists sourceforge net>
Sent: Wed Oct 10 12:47:43 2012
Subject: [Snort-users] Error running snort

Pls, I encountered this error when trying to run snort: # snort -c 
/etc/snort/snort.conf
 
ERROR: Failed to load /usr/local/lib/snort_dynamicrules/netbios.so: 
/usr/local/lib/snort_dynamicrules/netbios.so: wrong ELF class: 
ELFCLASS32

What can i do?

Wale

----------------------------------------------------------------------
-------- Don't let slow site performance ruin your business. Deploy 
New Relic APM Deploy New Relic app performance management and know 
exactly what is happening inside your Ruby, Python, PHP, Java, and 
.NET app Try New Relic at no cost today and get our sweet Data Nerd 
shirt too!
http://p.sf.net/sfu/newrelic-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
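
Added example, not part of the original thread and not Snort or PulledPork code: a pre-flight check that reads the ELF header of the snort binary and of every `.so` in the dynamic rules directory and reports files whose ELF class or machine type differs, which is the condition behind the `wrong ELF class: ELFCLASS32` error above. The script name and the snort binary path passed on the command line are assumptions.

```python
import struct
import sys
from pathlib import Path

# e_ident[EI_CLASS] values defined by the ELF specification
ELF_CLASSES = {1: "ELFCLASS32", 2: "ELFCLASS64"}


def elf_ident(path):
    """Return (class_name, e_machine) for an ELF file, or None if not ELF."""
    with open(path, "rb") as fh:
        hdr = fh.read(20)  # e_ident (16 bytes) + e_type + e_machine
    if len(hdr) < 20 or hdr[:4] != b"\x7fELF":
        return None
    # e_ident[5] is EI_DATA: 1 = little endian, 2 = big endian
    fmt = "<H" if hdr[5] == 1 else ">H"
    machine = struct.unpack_from(fmt, hdr, 18)[0]
    return ELF_CLASSES.get(hdr[4], "ELFCLASSNONE"), machine


def mismatched_so_rules(snort_binary, rules_dir):
    """List (file name, ident) for .so files that do not match the snort binary."""
    want = elf_ident(snort_binary)
    if want is None:
        raise ValueError(f"{snort_binary} is not an ELF file")
    bad = []
    for so in sorted(Path(rules_dir).glob("*.so")):
        got = elf_ident(so)
        if got != want:  # wrong class, wrong machine, or not ELF at all
            bad.append((so.name, got))
    return bad


if __name__ == "__main__":
    # e.g. check_so_rules.py <path to snort> /usr/local/lib/snort_dynamicrules
    if len(sys.argv) != 3:
        sys.exit("usage: check_so_rules.py SNORT_BINARY DYNAMICRULES_DIR")
    bad = mismatched_so_rules(sys.argv[1], sys.argv[2])
    for name, got in bad:
        print(f"{name}: {got} does not match the snort binary")
    sys.exit(1 if bad else 0)
```

This only catches architecture mismatches; so_rules built for a different distro or Snort revision with the same architecture pass this check and still need to be tested.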