Snort mailing list archives
Re: Error running snort
From: AllowOverride <allowoverride () gmail com>
Date: Thu, 11 Oct 2012 12:37:56 -0700
Hi Joel, I see 12.04 i386/x86-64, cool. Just wondering where they are listed by directory in so_rules. I'll look for them. I mentioned before, as the so_rules I downloaded they were not higher than 10.04... odd. I'll keep looking. Thanks.

On Thu, 2012-10-11 at 07:19 -0400, Joel Esler wrote:

Platforms supported: https://www.snort.org/snort-rules/shared-object-rules

--
Joel Esler
Sent from my iPad

On Oct 11, 2012, at 3:40 AM, AllowOverride <allowoverride () gmail com> wrote:

My so_rules complained. They are not in the config. I can see there is a reason for them. In the past is not today, and there is no 10.04 so_rules I can see/find/gather. I'll read in time, just got stuck with a bunch of little things, some my fault. I fixed most of it. It's working, still trying to figure out base issue, I hesitate to say bug now. I'm looking at vbox guest iso of seconion, seems pretty bloated, runs slow even set with 3.5 gigs of mem on the host dedicated to it. However, I plan to look more into /etc/nsm. That's all for now... thanks every for your help. I muddle through some docs in my spare time. l8

On Wed, 2012-10-10 at 16:08 -0600, Jefferson, Shawn wrote:

Hi,

Compiled rules (so_rules) are covered in the manuals and blogs in some depth, however, since I know you don't like to RTFM ;) (actually I *do* suggest you go to the snort blog and VRT blog and look up posts about so_rules and read them in your spare time...), basically they are pre-compiled rules that either require more processing than text rules require, or there is some reason to obscure what the rule is looking for (due to NDAs that Sourcefire has with vendors, or hide things from bad guys, etc...) That's my understanding of so_rules.

I would suggest that you get snort and the rest of the tool chain working first before diving into so_rules. Pulled pork will handle so_rules as well... you just need to specify the right distro/bit-ness. In the past I've had success using Ubuntu so_rules for not *quite* the same revision, but you'd need to test that. It's easy to tell if it's not working, since snort segfaults (or complains at startup sometimes) if you have the wrong so_rules.

Sometimes (I've seen this in the past, maybe it doesn't do this anymore) it doesn't segfault until you get a packet that tries to hit the so_rule... but the rest of the time it runs happily.

-----Original Message-----
From: AllowOverride [mailto:allowoverride () gmail com]
Sent: Wednesday, October 10, 2012 2:58 PM
To: Jefferson, Shawn
Cc: 'fashman2k1 () yahoo com'; 'snort-users () lists sourceforge net'
Subject: Re: [Snort-users] Error running snort

This leads to another issue, so_rules, I did not see Ubuntu 12.04 listed, only up to 12.04. Is there an updated precompiled rule set for 12.04 coming soon, not that I know what they are for, I figure packets being analyzed should matter what distro it is coming for? I assume the precompiled rules are for base services included in each different Linux distro, thus the need to specify them in the first place. Don't answer that, I will figure it out, just thinking out loud..

On Wed, 2012-10-10 at 14:27 -0600, Jefferson, Shawn wrote:

You have the wrong version of so rules for your distro/os.

----- Original Message -----
From: Akinwale Fasuru <fashman2k1 () yahoo com>
To: snort-users () lists sourceforge net <snort-users () lists sourceforge net>
Sent: Wed Oct 10 12:47:43 2012
Subject: [Snort-users] Error running snort

Pls I encountered this error when trying to run snort

# snort -c /etc/snort/snort.conf
ERROR: Failed to load /usr/local/lib/snort_dynamicrules/netbios.so: /usr/local/lib/snort_dynamicrules/netbios.so: wrong ELF class: ELFCLASS32

What can I do?

Wale

------------------------------------------------------------------------------
Don't let slow site performance ruin your business. Deploy New Relic APM Deploy New Relic app performance management and know exactly what is happening inside your Ruby, Python, PHP, Java, and .NET app Try New Relic at no cost today and get our sweet Data Nerd shirt too!
http://p.sf.net/sfu/newrelic-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
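An added example, not part of the original thread and not Snort's own tooling: the `wrong ELF class: ELFCLASS32` error quoted above means a 32-bit shared-object rule was handed to a 64-bit snort process, so this Python sketch reads the EI_CLASS byte of every `.so` in a rules directory and lists the ones that do not match. The sample files are constructed 16-byte headers (`web-misc.so` is a made-up name), and using the Python interpreter's pointer size as a stand-in for the snort binary's class is an assumption.

```python
import os
import struct
import tempfile

ELF_MAGIC = b"\x7fELF"
EI_CLASS = {1: "ELFCLASS32", 2: "ELFCLASS64"}  # value of e_ident[4]

def elf_class(path):
    """Return 'ELFCLASS32'/'ELFCLASS64', or None if the file is not ELF."""
    with open(path, "rb") as fh:
        ident = fh.read(16)  # e_ident occupies the first 16 bytes
    if len(ident) < 16 or ident[:4] != ELF_MAGIC:
        return None
    return EI_CLASS.get(ident[4], "unknown")

def mismatched_so_rules(rules_dir, wanted_class):
    """List (filename, found_class) for .so files of the wrong class."""
    bad = []
    for name in sorted(os.listdir(rules_dir)):
        if not name.endswith(".so"):
            continue
        found = elf_class(os.path.join(rules_dir, name))
        if found != wanted_class:
            bad.append((name, found))
    return bad

def native_elf_class():
    """Assumption: snort was built for the same word size as this interpreter."""
    return "ELFCLASS64" if struct.calcsize("P") == 8 else "ELFCLASS32"

def demo():
    # Constructed sample headers, not real rule objects.
    def ident(cls):
        return ELF_MAGIC + bytes([cls, 1, 1]) + b"\x00" * 9
    samples = [("netbios.so", ident(1)), ("web-misc.so", ident(2)),
               ("truncated.so", b"\x7fEL"), ("README", b"text")]
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples:
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        return mismatched_so_rules(d, "ELFCLASS64")

if __name__ == "__main__":
    for name, found in demo():
        print(f"{name}: {found or 'not an ELF file'}")
```

On a real sensor, call `mismatched_so_rules("/usr/local/lib/snort_dynamicrules", native_elf_class())` before starting snort; a matching ELF class does not guarantee the rules were built for the right distro or Snort revision.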
Current thread:
- Error running snort Akinwale Fasuru (Oct 10)
- Re: Error running snort Paul Schmehl (Oct 10)
- Re: Error running snort AllowOverride (Oct 10)
- <Possible follow-ups>
- Re: Error running snort Jefferson, Shawn (Oct 10)
- Re: Error running snort AllowOverride (Oct 10)
- Re: Error running snort Jefferson, Shawn (Oct 10)
- Re: Error running snort AllowOverride (Oct 11)
- Re: Error running snort Doug Burks (Oct 11)
- Re: Error running snort AllowOverride (Oct 11)
- Re: Error running snort Joel Esler (Oct 11)
- Re: Error running snort AllowOverride (Oct 11)
- Re: Error running snort Peter Bates (Oct 11)
- Re: Error running snort AllowOverride (Oct 10)
- Re: Error running snort Paul Schmehl (Oct 10)
- Re: Error running snort Joel Esler (Oct 10)
- Re: Error running snort waldo kitty (Oct 10)
- Re: Error running snort AllowOverride (Oct 11)