Re: Error running snort

[AllowOverride <allowoverride () gmail com>]

Hi joel, i see 12.04 i386/x86-64, cool. just wondering where they are
listed by directory in so_rules. ill look for them. i mentioned before,
as the so_rules i downloaded they were not higher than 10.04...odd..

ill keep looking. thanks

On Thu, 2012-10-11 at 07:19 -0400, Joel Esler wrote:
> Platforms supported:
>
>
> https://www.snort.org/snort-rules/shared-object-rules
>
> --
> Joel Esler
> Sent from my iPad 
>
> On Oct 11, 2012, at 3:40 AM, AllowOverride <allowoverride () gmail com>
> wrote:
>
>
> > my so_rules complained. they are not in the config. i can see there
> > is a
> > reason for them. in the past is not today, and there is no 10.04
> > so_rules i can see/find/gather.
> >
> > ill read in time, just got stuck with a bunch of little things, some
> > my
> > fault. i fixed most of it. its working, still trying to figure out
> > base
> > issue, i hesitate to say bug now.
> >
> > im looking at vbox guest iso of seconion, seems pretty bloated, runs
> > slow even set with 3.5 gigs of mem on the host dedicated to it.
> > however, i plan to look more into /etc/nsm.
> >
> > thats all for now... thanks every for your help. i muddle through
> > some
> > docs in my spare time.
> >
> > l8
> >
> > On Wed, 2012-10-10 at 16:08 -0600, Jefferson, Shawn wrote:
> > > Hi,
> > >
> > > Compiled rules (so_rules) are covered in the manuals and blogs in
> > > some depth, however, since I know you don't like to RTFM ;)
> > > (actually I *do* suggest you go to the snort blog and VRT blog and
> > > lookup posts about so_rules and read them in your spare time...),
> > > basically they are pre-compiled rules that either require more
> > > processing than text rules require, or there is some reason to
> > > obscure what the rule is looking for (due to NDAs that SourceFire
> > > has with vendors, or hide things from badguys, etc...)  That's my
> > > understanding of so_rules.
> > >
> > > I would suggest that you get snort and the rest of the tool chain
> > > working first before diving into so_rules.  Pulled pork will
> > > handle so_rules as well... you just need to specify the right
> > > distro/bit-ness.  In the past I've had success using Ubuntu
> > > so_rules for not *quite* the same revision, but you'd need to test
> > > that.
> > >
> > > It's easy to tell if it's not working, since snort segfaults (or
> > > complains at startup sometimes) if you have the wrong so_rules.
> > >  Sometimes (I've seen this in the past, maybe it doesn't do this
> > > anymore) it doesn't segfault until you get a packet that tries to
> > > hit the so_rule... but the rest of the time it runs happily.
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: AllowOverride [mailto:allowoverride () gmail com] 
> > > Sent: Wednesday, October 10, 2012 2:58 PM
> > > To: Jefferson, Shawn
> > > Cc: 'fashman2k1 () yahoo com'; 'snort-users () lists sourceforge net'
> > > Subject: Re: [Snort-users] Error running snort
> > >
> > > this leads to another issue, so_rules, i did not see ubuntu 12.04
> > > listed, only up to 12.04. is there a updated precompiled rule set
> > > for
> > > 12.04 coming soon, not that i know what they are for, i figure
> > > packets being analyzed should matter what distro it is coming for?
> > >
> > > i assume the precompiled rules are for base services included in
> > > each linux different distro, thus the need to specify them in the
> > > first place. 
> > >
> > > dont answer that, i will figure it out, just thinking out loud..
> > >
> > >
> > > On Wed, 2012-10-10 at 14:27 -0600, Jefferson, Shawn wrote:
> > > > You have the wrong version of so rules for your distro/os.
> > > >
> > > >
> > > >
> > > > ----- Original Message -----
> > > > From: Akinwale Fasuru <fashman2k1 () yahoo com>
> > > > To: snort-users () lists sourceforge net 
> > > > <snort-users () lists sourceforge net>
> > > > Sent: Wed Oct 10 12:47:43 2012
> > > > Subject: [Snort-users] Error running snort
> > > >
> > > > Pls i encountered this erro when tring to run snort # snort -c 
> > > > /etc/snort/snort.conf
> > > >
> > > > ERROR: Failed to
> > > > load /usr/local/lib/snort_dynamicrules/netbios.so: 
> > > > /usr/local/lib/snort_dynamicrules/netbios.so: wrong ELF class: 
> > > > ELFCLASS32
> > > >
> > > > What can i do?
> > > >
> > > > Wale
> > > >
> > > > ----------------------------------------------------------------------
> > > > -------- Don't let slow site performance ruin your business.
> > > > Deploy 
> > > > New Relic APM Deploy New Relic app performance management and
> > > > know 
> > > > exactly what is happening inside your Ruby, Python, PHP, Java,
> > > > and 
> > > > .NET app Try New Relic at no cost today and get our sweet Data
> > > > Nerd 
> > > > shirt too!
> > > > http://p.sf.net/sfu/newrelic-dev2dev
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users () lists sourceforge net
> > > > Go to this URL to change user options or unsubscribe:
> > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > > >
> > > > Please visit http://blog.snort.org to stay current on all the
> > > > latest Snort news!
> > > > ----------------------------------------------------------------------
> > > > -------- Don't let slow site performance ruin your business.
> > > > Deploy 
> > > > New Relic APM Deploy New Relic app performance management and
> > > > know 
> > > > exactly what is happening inside your Ruby, Python, PHP, Java,
> > > > and 
> > > > .NET app Try New Relic at no cost today and get our sweet Data
> > > > Nerd 
> > > > shirt too!
> > > > http://p.sf.net/sfu/newrelic-dev2dev
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users () lists sourceforge net
> > > > Go to this URL to change user options or unsubscribe:
> > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > > >
> > > > Please visit http://blog.snort.org to stay current on all the
> > > > latest Snort news!
> >
> >
> > ------------------------------------------------------------------------------
> > Don't let slow site performance ruin your business. Deploy New Relic
> > APM
> > Deploy New Relic app performance management and know exactly
> > what is happening inside your Ruby, Python, PHP, Java, and .NET app
> > Try New Relic at no cost today and get our sweet Data Nerd shirt
> > too!
> > http://p.sf.net/sfu/newrelic-dev2dev
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> > Snort news!


------------------------------------------------------------------------------
Don't let slow site performance ruin your business. Deploy New Relic APM
Deploy New Relic app performance management and know exactly
what is happening inside your Ruby, Python, PHP, Java, and .NET app
Try New Relic at no cost today and get our sweet Data Nerd shirt too!
http://p.sf.net/sfu/newrelic-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!