Snort mailing list archives

Snort 2.9.3.1 so rules seem not to be working


From: "Paul Tsang" <paul.tsang () citictel-cpc com>
Date: Wed, 9 Jan 2013 11:27:46 +0800 (HKT)

Dear development team,

 

I have installed Snort 2.9.3.1 with barnyard2 successfully.

Here is how I installed Snort:

./configure
make
make install

1. When I only enable rules, using Nessus Scan, there are alerts
(like: SQL union select - possible sql injection attempt - GET parameter.)

2. When I only enable so rules, using Nessus Scan, there is NO alert.

Below are the steps to enable so rules:

cp so_rules/precompiled/Centos-5-4/x86-64/2.9.3.1/* /usr/local/lib/snort_dynamicrule

Change snort.conf:

2.1 Make sure the dynamic preprocessor and dynamic engine paths are

a. dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor

b. dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so

2.2 Make sure the path to the location of the shared object rules is

c. dynamicdetection directory /usr/local/lib/snort_dynamicrule

2.3 Dump the stub rules by issuing the command:

d. snort -c /usr/local/etc/snort/snort.conf --dump-dynamic-rules=/usr/local/etc/snort/so_rules

2.4 Dump the stub rules by issuing the command: (run ok)

snort -c /etc/snort/snort.conf --dump-dynamic-rules= /snort/so_rules

Attached is my snort configuration file. Please give me a suggestion as to
what is going on with my so rules and provide the solution. Thanks!

 

Best regards, 

Paul Tsang 
Assistant Security Consultant

Security Services

CITIC Telecom International CPC Limited

20/F, Lincoln House, Taikoo Place, 979 King's Road, Quarry Bay, Hong Kong 
D: (852) 2170 2529   F: (852) 2795 1262

E: paul.tsang () citictel-cpc com   W: www.citictel-cpc.com



Attachment: snort.conf.log

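As an added example, not Paul's code and not part of Snort: the steps in the message copy the .so files and dump stub rules, but do not show the dumped stub rules being included in snort.conf, and Snort 2.x only activates an SO rule whose stub rule is loaded. This POSIX shell check (paths and the sample config are constructed assumptions) reports missing directives and any dumped stub file that no include line pulls in.

```shell
#!/bin/sh
# Added example (not from the message or from Snort): sanity-check that a
# snort.conf is wired up for shared-object (SO) rules. Paths are assumptions.

# check_so_rules CONF STUBDIR
# Prints each missing piece; returns 0 only when everything is in place.
check_so_rules() {
    conf="$1"; stubdir="$2"; rc=0
    # the engine and the SO rule directory must both be declared
    for directive in 'dynamicengine[[:space:]]+' \
                     'dynamicdetection[[:space:]]+directory[[:space:]]+'; do
        grep -Eq "^[[:space:]]*$directive" "$conf" ||
            { echo "missing directive: ${directive%%[*}"; rc=1; }
    done
    # each dumped stub .rules file must be pulled in with an include line,
    # otherwise the matching .so detection code is never activated
    for stub in "$stubdir"/*.rules; do
        [ -e "$stub" ] || { echo "no stub rules found in $stubdir"; rc=1; break; }
        name=$(basename "$stub")
        grep -Eq "^[[:space:]]*include[[:space:]]+.*/$name([[:space:]]|\$)" "$conf" ||
            { echo "stub rule not included: $name"; rc=1; }
    done
    return $rc
}

# make_sample: build a constructed snort.conf plus one dumped stub rule in a
# temp dir, mirroring the steps in the message; prints the directory.
make_sample() {
    d=$(mktemp -d)
    mkdir "$d/so_rules"
    printf 'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"stub"; sid:3000001;)\n' \
        > "$d/so_rules/web-misc.rules"
    cat > "$d/snort.conf" <<'EOF'
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/lib/snort_dynamicrule
include $RULE_PATH/sql.rules
EOF
    echo "$d"
}

# Demo: the sample declares the directives but, like the steps in the
# message, never includes the dumped stub, so the check flags it.
sample=$(make_sample)
check_so_rules "$sample/snort.conf" "$sample/so_rules" ||
    echo "SO rules will not fire until the findings above are fixed"
```

Run it against the real snort.conf and the directory given to --dump-dynamic-rules; a clean run prints nothing and exits 0.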
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
