Snort mailing list archives

Re: ERROR: dynamic detection lib is compiled with an older version of the dynamic engine


From: Mike H <mizelhike () hotmail com>
Date: Sun, 18 Aug 2013 15:15:59 +0000




Thanks.  Semi-long post, but the summary is that your email states that I have to wait to get 2953, which are not available to "Registered Users" yet (VRT only, http://www.snort.org/snort-rules/).  So I am stuck waiting until that is posted to load rules?

Details and answers to your questions:

> 1. where do you find these instructions?

http://www.snort.org/assets/158/snortinstallguide293.pdf

> 2. what version of snort are you running? snort -V

This yielded some interesting findings:

snort -V returned 2.9.2.2

But I installed 2.9.5.3?

'whereis snort' returned: snort: /usr/sbin/snort /etc/snort /usr/lib/snort /usr/local/snort /usr/share/man/man8/snort.8.gz

But I installed snort in /usr/local/snort/bin; so, I run '/usr/local/snort/bin/snort -V' and sure enough version 2.9.5.3

So I tried copying the Snort 2950 rules into my 'snort_dynamicrules/' directory, but a *similar* error.  Which is to be expected since I wouldn't think a newer version of Snort would use an older engine, but who knows.

It turns out that the newer version of snort is more verbose in the error message:

Finished Loading all dynamic preprocessor libs from /usr/local/snort/lib/snort_dynamicpreprocessor/
ERROR: The dynamic detection library "/usr/local/snort/lib/snort_dynamicrules/nntp.so" version 1.0 compiled with dynamic engine library version 2.0 isn't compatible with the current dynamic engine library "/usr/local/snort/lib/snort_dynamicengine/libsf_engine.so" version 2.1

What is interesting here is even though the error says the rules are "version 1.0" it states they are compiled with a version 2.0 engine (not far from 2.1, which Snort 2.9.5.3 appears to be running).

I will have to figure out how to uninstall that older version of snort.

> 3. what specific linux are you running? is it really ubuntu 10.4?

No, I am running Ubuntu 13.04.  I used the 10.04 libraries per the instructions. I also tried the 12.04 precompiled rules with the same error.  No other precompiled Ubuntu rules are distributed.

> they have to be the ones for your version of snort... for example, you can't use
> the 2.9.5.3 rules with 2.9.5.0... especially the SO rules and even more
> especially if the SO engine(s) have changed...

I find this statement particularly interesting.  I understand SOs, so not really that part.  But more the process of maintaining rules sets (compiled to SO libraries) separately for every version of snort.  2953 rules are currently only available to VRT (rather than Registered Users, http://www.snort.org/snort-rules/).  Not sure why that is, but I am interpreting it to mean they won't be available to registered users for ~30 days.  That means that a new user that just downloaded snort and wants rules only has 2 options:

- Sign up and pay for VRT to get the latest rules
- Wait ~30 days until the rules are available for their version

That doesn't seem right--guessing I am either misunderstanding or the process is slightly broken?  Alternatively, maybe Snort just hasn't compiled the older (i.e., registered user) version of the latest rules for 2953 snort yet, but not sure why that would be.

By the way,  I ran snort for 10 hrs last night with 0 alerts.  I actually tried to manually trigger some alerts like so:

1. wget http://cnn.com/cmd.exe
2. http://testmyids.com/
3. Pinging the snort server

This was just based on some lazy googling, I'm not really sure there are even rules loaded for this by default and have not yet looked into the rules being loaded.

Thanks again!

Date: Sun, 18 Aug 2013 09:31:29 -0400
From: wkitty42 () windstream net
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] ERROR: dynamic detection lib is compiled with an older version of the dynamic engine

On 8/18/2013 00:00, Mike H wrote:
Thanks for the response Waldo, that did the trick! I delete the rules and Snort
runs fine. Seems so obvious now--files not compatible==>delete files :)

pretty much... and the reasoning is twofold...

   1. to remove incompatible files
   2. to remove possibly corrupted files that can be replaced

now, something else is that i did get slightly confused... i was thinking of the 
engine, reading "the rules" in your post but i was looking at the 
preprocessors... in our past, we've had the situation where an update didn't 
remove older libraries and that caused snort to fall over... the solution there 
was to remove the libraries and reinstall snort to put only the new libraries it 
needed in place... the SO rules are basically libraries... SO means shared 
object which is basically the same thing as a dll (dynamic linked library) in 
the winwhatever world...

but, removing those incompatible rules is the answer because when you do locate 
the proper ones, they may not have the same names or all of them may not be used 
so older ones would be left behind...

According to your post this also puts the "newer and proper SO files back in
place". I believe you are implying (or at least I am inferring) that the latest
ruleset comes prepackaged with snort (where are those SO files?). Ok, makes
sense--but the user still needs to update the rules at some point.

no... there are no rules distributed /with/ snort... we must also note that 
there is a difference between the rules and the engine... look closely at your 
error and you'll see that it references both the engine and the rule...

to be more specific, it is telling you that you are trying to run a SO rule that 
is compiled for dynamic engine 1.0 but your snort is running dynamic engine 
2.1... 1.0 != 2.1 so they are incompatible...

So, if I am reading that right it means that I can't just go out to
http://www.snort.org/snort-rules/, grab the latest "Registered User" rules and
install them? That seems odd, am I missing something?

they have to be the ones for your version of snort... for example, you can't use 
the 2.9.5.3 rules with 2.9.5.0... especially the SO rules and even more 
especially if the SO engine(s) have changed...

The Snort install instructions explicitly point you to download and install the
latest rules, like so:

sudo tar zxvf snortrules-snapshot-2950.tar.gz -C /usr/local/snort
sudo mkdir /usr/local/snort/lib/snort_dynamicrules
sudo cp /usr/local/snort/so_rules/precompiled/Ubuntu-10-4/i386/2.9.5.0/* \
/usr/local/snort/lib/snort_dynamicrules
sudo touch /usr/local/snort/rules/white_list.rules
sudo touch /usr/local/snort/rules/black_list.rules
sudo ldconfig

1. where do you find these instructions?
2. what version of snort are you running? snort -V
3. what specific linux are you running? is it really ubuntu 10.4?

But that just takes me back to the same compatibility error below. I'm sure I am
screwing something up here, just not sure what. Any thoughts on how I can get
the latest rules from the website loaded?

i don't think it is you but there is some miscommunication somewhere ;)

I was hoping to understand how to do this manually, then move on to installing
Pulled Pork. Appreciate the help!

not a problem... we'll get ya sorted out before too long :)

 > Date: Sat, 17 Aug 2013 20:48:34 -0400
 > From: wkitty42 () windstream net
 > To: snort-users () lists sourceforge net
 > Subject: Re: [Snort-users] ERROR: dynamic detection lib is compiled with an older version of the dynamic engine
 >
 > On 8/17/2013 13:38, Michael Heard wrote:
 > > ERROR: Dynamic detection lib /usr/local/snort/lib/snort_dynamicrules/nntp.so 1.0
 > > isn't compatible with the current dynamic engine library
 > > /usr/local/snort/lib/snort_dynamicengine/libsf_engine.so 2.1.
 > > The dynamic detection lib is compiled with an older version of the dynamic engine.
 > > Fatal Error, Quitting../
 > >
 > > The error seems to indicate that I need a newer dynamic rule set that is
 > > compatible with the dynamicengine I am running.
 >
 > it is not just the rules set that must be compatible but also the shared so
 > dynamic engine files... shut down your snort, and remove the SO files in your
 > /usr/local/snort/lib/snort_dynamicengine/ directory... then reinstall snort to
 > put the newer and proper SO files back in place... then restart your snort and
 > you should be good to go... that is if i have grabbed the proper directory from
 > your post where the problem lies...



-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.

------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite!
It's a free troubleshooting tool designed for production.
Get down to code-level detail for bottlenecks, with <2% overhead. 
Download for free and get started troubleshooting in minutes. 
http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
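
Added example, not part of the thread and not Snort project code: shell helpers for the two checks this message turns on, namely which snort binary each directory actually holds, and whether the rules snapshot ships SO rules built for exactly that version. The function names are hypothetical, and the banner format of `snort -V` ("Version X.Y.Z.W") is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes `snort -V` prints a banner
# containing "Version X.Y.Z.W"; function names are hypothetical.

# Print "<path> <version>" for each executable "snort" in the given dirs
# (default: every $PATH entry plus /usr/local/snort/bin from the post).
snort_versions() {
    if [ "$#" -eq 0 ]; then
        old_ifs=$IFS; IFS=:
        set -- $PATH /usr/local/snort/bin
        IFS=$old_ifs
    fi
    for dir in "$@"; do
        bin="$dir/snort"
        [ -x "$bin" ] && [ ! -d "$bin" ] || continue
        ver=$("$bin" -V 2>&1 |
              sed -n 's/.*Version \([0-9][0-9.]*\).*/\1/p' | head -n 1)
        printf '%s %s\n' "$bin" "${ver:-unknown}"
    done
}

# Print the precompiled SO-rule directory built for exactly this Snort
# version, or list what the snapshot ships and return 1. There is no
# "closest version" fallback: per the thread, rules must match the version.
pick_so_dir() {   # pick_so_dir <precompiled-root> <distro> <arch> <version>
    want="$1/$2/$3/$4"
    if [ -d "$want" ]; then
        printf '%s\n' "$want"
        return 0
    fi
    echo "no SO rules for snort $4 under $1/$2/$3; available:" >&2
    ls "$1/$2/$3" 2>/dev/null | sed 's/^/  /' >&2
    return 1
}

# Reduce the verbose 2.9.5.3 load error (read from stdin) to
# "<rule lib> built-for=<engine> running=<engine>".
so_mismatch() {
    sed -n 's/.*detection library "\([^"]*\)".*engine library version \([0-9.]*\).*" version \([0-9.]*\).*/\1 built-for=\2 running=\3/p'
}
```

Run `snort_versions` with no arguments to see every copy on the PATH, then pass the version of the binary that is actually started to `pick_so_dir` before copying anything into snort_dynamicrules.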

                                          