Re: ERROR: dynamic detection lib is compiled with an older version of the dynamic engine

[waldo kitty <wkitty42 () windstream net>]

On 8/18/2013 00:00, Mike H wrote:
> Thanks for the response Waldo, that did the trick! I delete the rules and Snort
> runs fine. Seems so obvious now--files not compatible==>delete files :)

pretty much... and the reasoning is twofold...

   1. to remove incompatible files
   2. to remove possibly corrupted files that can be replaced

now, something else is that i did get slightly confused... i was thinking of the 
engine, reading "the rules" in your post but i was looking at the 
preprocessors... in our past, we've had the situation where an update didn't 
remove older libraries and that caused snort to fall over... the solution there 
was to remove the libraries and reinstall snort to put only the new libraries it 
needed in place... the SO rules are basically libraries... SO means shared 
object which is basically the same thing as a dll (dynamic linked library) in 
the winwhatever world...

but, removing those incompatible rules is the answer because when you do locate 
the proper ones, they may not have the same names or all of them may not be used 
so older ones would be left behind...

> According to your post this also puts the "newer and proper SO files back in
> place". I believe you are implying (or at least I am inferring) that the latest
> ruleset comes prepackaged with snort (where are those SO files?). Ok, makes
> sense--but the user still needs to update the rules at some point.

no... there are no rules distributed /with/ snort... we must also note that 
there is a difference between the rules and the engine... look closely at your 
error and you'll see that it references both the engine and the rule...

to be more specific, it is telling you that you are trying to run a SO rule that 
is compiled for dynamic engine 1.0 but your snort is running dynamic engine 
2.1... 1.0 != 2.1 so they are incompatible...

> So, if I am reading that right it means that I can't just go out to
> http://www.snort.org/snort-rules/, grab the latest "Registered User" rules and
> install them? That seems odd, am I missing something?

they have to be the ones for your version of snort... for example, you can't use 
the 2.9.5.3 rules with 2.9.5.0... especially the SO rules and even more 
especially if the SO engine(s) have changed...

> The Snort install instructions explicitly point you to download and install the
> latest rules, like so:
>
> /sudo tar zxvf snortrules-snapshot-2950.tar.gz -C /usr/local/snort/
> /sudo mkdir /usr/local/snort/lib/snort_dynamicrules/
> /sudo cp /usr/local/snort/so_rules/precompiled/Ubuntu-10-4/i386/2.9.5.0/* \/
> //usr/local/snort/lib/snort_dynamicrules/
> /sudo touch /usr/local/snort/rules/white_list.rules/
> /sudo touch /usr/local/snort/rules/black_list.rules/
> /sudo ldconfig/

1. where do you find these instructions?
2. what version of snort are you running? snort -V
3. what specific linux are you running? is it really ubuntu 10.4?

> But that just takes me back to the same compatibility error below. I'm sure I am
> screwing something up here, just not sure what. Any thoughts on how I can get
> the latest rules from the website loaded?

i don't think it is you but there is some miscommunication somewhere ;)

> I was hoping to understand how to do this manually, then move on to installing
> Pulled Pork. Appreciate the help!

not a problem... we'll get ya sorted out before too long :)

>  > Date: Sat, 17 Aug 2013 20:48:34 -0400
>  > From: wkitty42 () windstream net
>  > To: snort-users () lists sourceforge net
>  > Subject: Re: [Snort-users] ERROR: dynamic detection lib is compiled with an
> older version of the dynamic engine
>  >
>  > On 8/17/2013 13:38, Michael Heard wrote:
>  > > ERROR: Dynamic detection lib
> /usr/local/snort/lib/snort_dynamicrules/nntp.so 1.0
>  > > isn't compatible with the current dynamic engine library
>  > > /usr/local/snort/lib/snort_dynamicengine/libsf_engine.so 2.1.
>  > > The dynamic detection lib is compiled with an older version of the dynamic
> engine.
>  > > Fatal Error, Quitting../
>  > >
>  > > The error seems to indicate that I need a newer dynamic rule set that is
>  > > compatible with the dynamicengine I am running.
>  >
>  > it is not just the rules set that must be compatible but also the shared so
>  > dynamic engine files... shut down your snort, and remove the SO files in your
>  > /usr/local/snort/lib/snort_dynamicengine/ directory... then reinstall snort to
>  > put the newer and proper SO files back in place... then restart your snort and
>  > you should be good to go... that is if i have grabbed the proper directory from
>  > your post where the problem lies...



-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.

------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite!
It's a free troubleshooting tool designed for production.
Get down to code-level detail for bottlenecks, with <2% overhead. 
Download for free and get started troubleshooting in minutes. 
http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!