Snort mailing list archives

Re: Error running snort


From: AllowOverride <allowoverride () gmail com>
Date: Thu, 11 Oct 2012 00:40:44 -0700

My so_rules complained. They are not in the config. I can see there is a
reason for them. In the past is not today, and there is no 10.04
so_rules I can see/find/gather.

I'll read in time, just got stuck with a bunch of little things, some my
fault. I fixed most of it. It's working, still trying to figure out the base
issue; I hesitate to say bug now.

I'm looking at the vbox guest iso of seconion, seems pretty bloated, runs
slow even set with 3.5 gigs of mem on the host dedicated to it.
However, I plan to look more into /etc/nsm.

That's all for now... thanks everyone for your help. I muddle through some
docs in my spare time.

l8

On Wed, 2012-10-10 at 16:08 -0600, Jefferson, Shawn wrote:
Hi,

Compiled rules (so_rules) are covered in the manuals and blogs in some depth, however, since I know you don't like to RTFM ;) (actually I *do* suggest you go to the snort blog and VRT blog and look up posts about so_rules and read them in your spare time...), basically they are pre-compiled rules that either require more processing than text rules require, or there is some reason to obscure what the rule is looking for (due to NDAs that SourceFire has with vendors, or to hide things from bad guys, etc...). That's my understanding of so_rules.

I would suggest that you get snort and the rest of the tool chain working first before diving into so_rules. PulledPork will handle so_rules as well... you just need to specify the right distro/bit-ness. In the past I've had success using Ubuntu so_rules for not *quite* the same revision, but you'd need to test that.

It's easy to tell if it's not working, since snort segfaults (or complains at startup sometimes) if you have the wrong so_rules. Sometimes (I've seen this in the past, maybe it doesn't do this anymore) it doesn't segfault until you get a packet that tries to hit the so_rule... but the rest of the time it runs happily.



-----Original Message-----
From: AllowOverride [mailto:allowoverride () gmail com] 
Sent: Wednesday, October 10, 2012 2:58 PM
To: Jefferson, Shawn
Cc: 'fashman2k1 () yahoo com'; 'snort-users () lists sourceforge net'
Subject: Re: [Snort-users] Error running snort

This leads to another issue, so_rules. I did not see Ubuntu 12.04 listed, only up to 12.04. Is there an updated precompiled rule set for 12.04 coming soon? Not that I know what they are for; I figure packets being analyzed should matter what distro it is coming from?

I assume the precompiled rules are for base services included in each different Linux distro, thus the need to specify them in the first place.

Don't answer that, I will figure it out, just thinking out loud..


On Wed, 2012-10-10 at 14:27 -0600, Jefferson, Shawn wrote:
You have the wrong version of so rules for your distro/os.



----- Original Message -----
From: Akinwale Fasuru <fashman2k1 () yahoo com>
To: snort-users () lists sourceforge net 
<snort-users () lists sourceforge net>
Sent: Wed Oct 10 12:47:43 2012
Subject: [Snort-users] Error running snort

Please, I encountered this error when trying to run snort:

# snort -c /etc/snort/snort.conf

ERROR: Failed to load /usr/local/lib/snort_dynamicrules/netbios.so:
/usr/local/lib/snort_dynamicrules/netbios.so: wrong ELF class: ELFCLASS32

What can I do?

Wale
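The "wrong ELF class: ELFCLASS32" error above means a 32-bit shared object was handed to a 64-bit snort (or the reverse). The script below is an added check, not code from this thread or from the Snort project: it reads the EI_CLASS byte of every .so in a rules directory and compares it with the class of the snort binary, so the mismatch shows up before snort is started. The paths in the usage line are assumptions.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): compare the ELF class (32/64-bit)
# of each .so under a snort_dynamicrules directory with that of the snort
# binary, so a "wrong ELF class" mismatch is visible before starting snort.

# elf_class FILE: prints 32, 64, "unknown" (ELF with an odd class byte) or
# "not-elf". Byte 4 of the ELF header (EI_CLASS) is 1 for ELFCLASS32 and
# 2 for ELFCLASS64; od is used so neither readelf nor file is required.
elf_class() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    if [ "$magic" != "7f454c46" ]; then
        echo not-elf
        return 0
    fi
    cls=$(od -An -tx1 -j4 -N1 "$1" 2>/dev/null | tr -d ' \n')
    case "$cls" in
        01) echo 32 ;;
        02) echo 64 ;;
        *)  echo unknown ;;
    esac
}

# check_so_rules SNORT_BIN RULES_DIR: prints one line per .so; returns 0
# when every object matches the class of the snort binary, 1 otherwise.
check_so_rules() {
    want=$(elf_class "$1")
    rc=0
    for so in "$2"/*.so; do
        [ -e "$so" ] || continue
        have=$(elf_class "$so")
        if [ "$have" = "$want" ]; then
            echo "OK       $so ($have-bit)"
        else
            echo "MISMATCH $so ($have-bit, snort is $want-bit)"
            rc=1
        fi
    done
    return $rc
}

# Usage (assumed paths): ./check_so_rules.sh /usr/local/bin/snort /usr/local/lib/snort_dynamicrules
[ $# -eq 0 ] || check_so_rules "$@"
```

A non-zero exit means at least one object would fail to load (or would fail later when a packet hits that rule), which is exactly the case to fix by fetching the so_rules built for your distro and bit-ness.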

------------------------------------------------------------------------------
Don't let slow site performance ruin your business. Deploy New Relic APM
Deploy New Relic app performance management and know exactly what is happening inside your Ruby, Python, PHP, Java, and .NET app. Try New Relic at no cost today and get our sweet Data Nerd shirt too!
http://p.sf.net/sfu/newrelic-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
