Snort mailing list archives

Re: ERROR: dynamic detection lib is compiled with an older version of the dynamic engine


From: Mike H <mizelhike () hotmail com>
Date: Sun, 18 Aug 2013 21:06:58 +0000

Ok--I removed the older version of snort using 'apt-get remove snort'.

> with that said, you can use the older 2.9.5.2 rules snapshot... but as you are 
> seeing right now, you may not be able to use the compiled SO rules... as noted 
> previously, the textual rules are another matter and any snort can run them, 
> generally speaking... some options and features may need to be edited in them 
> but for the most part they are operable...

2950 are the latest posted--got those running (minus the SO rules, of course ;))

> when snort starts up it outputs a lot of data about its configuration... when in 
> daemon mode, this information is sent to syslog... on my ubuntu, this 
> information is found written to both /var/log/syslog and /var/log/daemon.log 
> files...

When I start snort, I get this:

[quote]
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...

4065 Snort rules read
     4065 detection rules
     0 decoder rules
     0 preprocessor rules
4065 Option Chains linked into 202 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
[/quote]

Is it "normal" to have no decoder or preprocessor rules? I do have a preprocessor.rules file (with rules) in 
'/usr/local/snort/preproc_rules', which is pointed to by the $PREPROC_RULE_PATH variable in my snort.conf.

> so there you can see the number of rules loaded... if you want to test your 
> snort to be sure that it is actually seeing traffic, then you can start it in 
> "packet" mode where it will spew what it sees across the screen rather like 
> tcpdump... just run snort with no command line options... CTRL-C to terminate it...

Yep, getting packets!

> if you want to test that your snort is seeing traffic and will generate alerts, 
> let me know and i can post a rules file that will alert of most any/all 
> (standard) traffic... i've done this a couple of times in recent months and 
> there have been several threads where i've helped others with this... i'm fairly 
> sure that uncle google might even be able to point to them with appropriate 
> google-fu search terms... "local-test.rules snort-users" would be a good phrase 
> to start with, i think ;)

Found your test file (just googled site:seclists.org local-test.rules snort-users). Loaded it and sure enough snort 
generated a bunch of alerts. So, I guess I am up and running now.

After doing some barnyard2 troubleshooting, the alerts are now showing up in snort alert (though it is very slow). Now 
I just need to figure out how to clear those test alerts out and I am going to try PulledPork, Base, Snorby, etc.

Thanks Waldo!
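As an added example that is not part of this thread and not Snort project code: a small Python checker for the daemon-mode syslog output discussed above. It applies the same host-plus-"snort" filter as the grep in the thread, pulls the counters out of the "Initializing rule chains" block, and extracts the SO rule path and both engine versions from the dynamic detection library ERROR, so the "0 decoder/preprocessor rules" question and the engine mismatch can be answered from the log. The hostname "sensor1", the pid and the sample log lines are constructed.

```python
import re
# Constructed sample of what "snort -D" writes to /var/log/syslog on Ubuntu; hostname
# "sensor1" and the pid are assumptions, the counts and ERROR text mirror this thread.
SAMPLE_SYSLOG = """\
Aug 18 20:55:01 sensor1 snort[4242]: Initializing rule chains...
Aug 18 20:55:01 sensor1 snort[4242]: 4065 Snort rules read
Aug 18 20:55:01 sensor1 snort[4242]:     4065 detection rules
Aug 18 20:55:01 sensor1 snort[4242]:     0 decoder rules
Aug 18 20:55:01 sensor1 snort[4242]:     0 preprocessor rules
Aug 18 20:55:01 sensor1 snort[4242]: 4065 Option Chains linked into 202 Chain Headers
Aug 18 20:55:01 sensor1 snort[4242]: 0 Dynamic rules
Aug 18 20:55:02 sensor1 snort[4242]: ERROR: The dynamic detection library "/usr/local/snort/lib/snort_dynamicrules/nntp.so" version 1.0 compiled with dynamic engine library version 2.0 isn't compatible with the current dynamic engine library "/usr/local/snort/lib/snort_dynamicengine/libsf_engine.so" version 2.1
Aug 18 20:55:03 sensor1 cron[99]: (root) CMD (run-parts /etc/cron.hourly)
"""

RULE_COUNT_RE = re.compile(
    r"(\d+) (Snort rules read|detection rules|decoder rules|preprocessor rules|Dynamic rules)")
SO_MISMATCH_RE = re.compile(
    r"""dynamic detection library "([^"]+)" version [\d.]+ compiled with dynamic """
    r"""engine library version ([\d.]+) isn't compatible with the current dynamic """
    r"""engine library "([^"]+)" version ([\d.]+)""")

def snort_lines(log_text, hostname):
    """Keep this host's snort lines, the same filter as grep '$(cat /etc/hostname) snort'."""
    needle = f"{hostname} snort"
    return [line for line in log_text.splitlines() if needle in line]

def parse_rule_counts(lines):
    """Map each counter of the 'Initializing rule chains' block to its value."""
    counts = {}
    for line in lines:
        m = RULE_COUNT_RE.search(line)
        if m:
            counts[m.group(2)] = int(m.group(1))
    return counts

def parse_so_mismatches(lines):
    """Pull the SO rule path and both engine versions out of the ERROR line."""
    found = []
    for line in lines:
        m = SO_MISMATCH_RE.search(line)
        if m:
            found.append({"rule_lib": m.group(1), "built_for": m.group(2),
                          "engine_lib": m.group(3), "engine": m.group(4)})
    return found

def diagnose(log_text, hostname):
    """Return (counts, findings); findings is empty when the start-up looks sane."""
    lines = snort_lines(log_text, hostname)
    counts = parse_rule_counts(lines)
    findings = []
    if counts.get("Snort rules read", 0) == 0:
        findings.append("no rules read at all: check the include lines in snort.conf")
    if counts.get("decoder rules", 0) == 0 or counts.get("preprocessor rules", 0) == 0:
        findings.append("no decoder/preprocessor rules: snort.conf does not include "
                        "$PREPROC_RULE_PATH/preprocessor.rules and decoder.rules")
    for so in parse_so_mismatches(lines):
        findings.append(f"{so['rule_lib']} was built for engine {so['built_for']} but "
                        f"{so['engine_lib']} is {so['engine']}: remove it or install the "
                        "precompiled SO rules matching this snort version")
    return counts, findings
```

Feed it the real file with `diagnose(open("/var/log/syslog").read(), open("/etc/hostname").read().strip())`; an empty findings list means the rule block and SO libraries look consistent.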

Date: Sun, 18 Aug 2013 13:35:58 -0400
From: wkitty42 () windstream net
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] ERROR: dynamic detection lib is compiled with an older version of the dynamic engine

On 8/18/2013 11:15, Mike H wrote:
Thanks. Semi-long post, but the summary is that your email states that I have to
wait to get 2953, which are not available to "Registered Users" yet (VRT only,
http://www.snort.org/snort-rules/). So I am stuck waiting until that is posted
to load rules?

no... not to load rules, really... possibly just the SO rules... but they can be 
compiled locally... i did just that recently when i placed snort 2.9.5 into 
service and used the 2.9.4.6 rules... the text rules should work just fine... 
the SOes are another matter /because/ they are compiled...

Details and answers to your questions:
 > 1. where do you find these instructions?
http://www.snort.org/assets/158/snortinstallguide293.pdf

i'll have to take a look... i've never followed any snort installation 
instructions written by anyone ;)

 > 2. what version of snort are you running? snort -V

  * This yielded some interesting findings:
      o snort -V returned 2.9.2.2
      o But I installed 2.9.5.3?

ewwwwoohhh... yeah, we've seen that in here in the last few months... basically 
it is because the system was set up with snort installed from a package 
distributed by the *nix distribution maintainers... then the user or admin 
decides that it needs to be updated but since there's no newer release package 
available from the distribution maintainers, the only real option is to build 
snort from the sources... the assumption is that building from the sources will 
install to the same place and in the same layout as what was installed from the 
package... this assumption has bitten many in the past and will continue to bite 
more in the future...

      o 'whereis snort' returned: snort: */usr/sbin/snort /etc/snort*
        /usr/lib/snort /usr/local/snort /usr/share/man/man8/snort.8.gz
      o But I installed snort in /usr/local/snort/bin; so, I run
        '/usr/local/snort/bin/snort -V' and sure enough version 2.9.5.3

now you're on the trail of the lion ;)

      o So I tried copying the Snort 2950 rules into my 'snort_dynamicrules/'
        directory, but a *similar* error. Which is to be expected since I
        wouldn't think a newer version of Snort would use an older engine, but
        who knows.
      o It turns out that the newer version of snort is more verbose in the
        error message:
          + Finished Loading all dynamic preprocessor libs from
            /usr/local/snort/lib/snort_dynamicpreprocessor//
          + ERROR: The dynamic detection library
            "/usr/local/snort/lib/snort_dynamicrules/nntp.so" version 1.0
            compiled with dynamic engine library *version 2.0* isn't compatible
            with the current dynamic engine library
            "/usr/local/snort/lib/snort_dynamicengine/libsf_engine.so" *version
            2.1*
  * What is interesting here is even though the error says the rules are
    "version 1.0" it states they are compiled with a version 2.0 engine (not far
    from 2.1, which Snort 2.9.5.3. appears to be running).

ahh yes... i wasn't sure about my previous pointing to 1.0 != 2.1 but it was 
enough to make the point for clarification... yes, 2.0 != 2.1, too ;)

  * I will have to figure out how to uninstall that older version of snort.

it was probably installed by the package managers... try

   sudo apt-get remove snort

or similar and see what happens... you may want a purge in there instead of 
remove... purge will kill the tarball in your local repository, IIRC... check 
the apt-get docs to be sure...

 > 3. what specific linux are you running? is it really ubuntu 10.4?
No, I am running Ubuntu 13.04. I used the 10.04 libraries per the instructions.
I also tried the 12.04 precompiled rules with the same error. No other
precompiled Ubuntu rules are distributed.

ahhh...

 > they have to be the ones for your version of snort... for example, you can't use
 > the 2.9.5.3 rules with 2.9.5.0... especially the SO rules and even more
 > especially if the SO engine(s) have changed...
I find this statement particularly interesting. I understand SOs, so not really
that part. But more the process of maintaining rules sets (compiled to SO
libraries) separately for every version of snort. 2953 rules are currently only
available to VRT (rather than Registered Users,
http://www.snort.org/snort-rules/). Not sure why that is, but I am interpreting
it to mean they won't be available to registered users for ~30 days. That means
that a new user that just downloaded snort and wants rules only has 2 options:

 1. Sign up and pay for VRT to get the latest rules
 2. Wait ~30 days until the rules are available for their version

right... those are the two options... the 30 day wait time is from the release of 
the new rule(s)... so if rule 1:45678 is released on Aug 1, registered users can 
get it until Aug 30 or 31... this is a monetizing factor... the snort/VRT folks 
are a commercial entity... they also sell IDS/IPS hardware... so one can be a 
paying subscriber (known as "subscriber") or one can be a registered free user 
(known as "registered") or one can be totally unregistered and non-paying and 
use only the rules released for their version in a one time pull...

That doesn't seem right--guessing I am either misunderstanding or the process is
slightly broken? Alternatively, maybe Snort just hasn't compiled the older
(i.e., register user) version of the latest rules for 2953 snort yet, but not
sure why that would be.

if you are just registered, then you have to wait the 30 days to pass from the 
release of 2.9.5.3's rules... i don't know their exact date off the top of my 
head but they should be available before much longer...

with that said, you can use the older 2.9.5.2 rules snapshot... but as you are 
seeing right now, you may not be able to use the compiled SO rules... as noted 
previously, the textual rules are another matter and any snort can run them, 
generally speaking... some options and features may need to be edited in them 
but for the most part they are operable...

By the way, I ran snort for 10 hrs last night with 0 alerts. I actually tried to
manually trigger some alerts like so:
1. wget http://cnn.com/cmd.exe
2. http://testmyids.com/
3. Pinging the snort server

This was just based on some lazy googling, i'm not really sure there are even
rules loaded for this by default and have not yet looked into the rules being
loaded.

when snort starts up it outputs a lot of data about its configuration... when in 
daemon mode, this information is sent to syslog... on my ubuntu, this 
information is found written to both /var/log/syslog and /var/log/daemon.log 
files...

grep -E "$(cat /etc/hostname) snort" /var/log/syslog

OR

grep -E "$(cat /etc/hostname) snort" /var/log/daemon.log


anyway, during the start up, you will see or find something like this...

[quote]
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...

4343 Snort rules read
     3931 detection rules
     150 decoder rules
     262 preprocessor rules
4343 Option Chains linked into 250 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
[/quote]

which tells us the number of rules being used... in the above, the detection 
rules count appears to be both, text and SO, rules... while the SO rules are 
also called "dynamic rules", they are not the same as the "Dynamic rules" 
counted in the above... those are a different type of "dynamic" in that they are 
not used until an enabling rule is triggered... then the related dynamic rule(s) 
are turned on and may fire based on the data...

so there you can see the number of rules loaded... if you want to test your 
snort to be sure that it is actually seeing traffic, then you can start it in 
"packet" mode where it will spew what it sees across the screen rather like 
tcpdump... just run snort with no command line options... CTRL-C to terminate it...

if you want to test that your snort is seeing traffic and will generate alerts, 
let me know and i can post a rules file that will alert of most any/all 
(standard) traffic... i've done this a couple of times in recent months and 
there have been several threads where i've helped others with this... i'm fairly 
sure that uncle google might even be able to point to them with appropriate 
google-fu search terms... "local-test.rules snort-users" would be a good phrase 
to start with, i think ;)

Thanks again!


 > Date: Sun, 18 Aug 2013 09:31:29 -0400
 > From: wkitty42 () windstream net
 > To: snort-users () lists sourceforge net
 > Subject: Re: [Snort-users] ERROR: dynamic detection lib is compiled with an
 > older version of the dynamic engine
 >
 > On 8/18/2013 00:00, Mike H wrote:
 > > Thanks for the response Waldo, that did the trick! I delete the rules and Snort
 > > runs fine. Seems so obvious now--files not compatible==>delete files :)
 >
 > pretty much... and the reasoning is twofold...
 >
 > 1. to remove incompatible files
 > 2. to remove possibly corrupted files that can be replaced
 >
 > now, something else is that i did get slightly confused... i was thinking of the
 > engine, reading "the rules" in your post but i was looking at the
 > preprocessors... in our past, we've had the situation where an update didn't
 > remove older libraries and that caused snort to fall over... the solution there
 > was to remove the libraries and reinstall snort to put only the new libraries it
 > needed in place... the SO rules are basically libraries... SO means shared
 > object which is basically the same thing as a dll (dynamic linked library) in
 > the winwhatever world...
 >
 > but, removing those incompatible rules is the answer because when you do locate
 > the proper ones, they may not have the same names or all of them may not be used
 > so older ones would be left behind...
 >
 > > According to your post this also puts the "newer and proper SO files back in
 > > place". I believe you are implying (or at least I am inferring) that the latest
 > > ruleset comes prepackaged with snort (where are those SO files?). Ok, makes
 > > sense--but the user still needs to update the rules at some point.
 >
 > no... there are no rules distributed /with/ snort... we must also note that
 > there is a difference between the rules and the engine... look closely at your
 > error and you'll see that it references both the engine and the rule...
 >
 > to be more specific, it is telling you that you are trying to run a SO rule that
 > is compiled for dynamic engine 1.0 but your snort is running dynamic engine
 > 2.1... 1.0 != 2.1 so they are incompatible...
 >
 > > So, if I am reading that right it means that I can't just go out to
 > > http://www.snort.org/snort-rules/, grab the latest "Registered User" rules and
 > > install them? That seems odd, am I missing something?
 >
 > they have to be the ones for your version of snort... for example, you can't use
 > the 2.9.5.3 rules with 2.9.5.0... especially the SO rules and even more
 > especially if the SO engine(s) have changed...
 >
 > > The Snort install instructions explicitly point you to download and install the
 > > latest rules, like so:
 > >
 > > sudo tar zxvf snortrules-snapshot-2950.tar.gz -C /usr/local/snort/
 > > sudo mkdir /usr/local/snort/lib/snort_dynamicrules/
 > > sudo cp /usr/local/snort/so_rules/precompiled/Ubuntu-10-4/i386/2.9.5.0/* \
 > >   /usr/local/snort/lib/snort_dynamicrules/
 > > sudo touch /usr/local/snort/rules/white_list.rules
 > > sudo touch /usr/local/snort/rules/black_list.rules
 > > sudo ldconfig
 >
 > 1. where do you find these instructions?
 > 2. what version of snort are you running? snort -V
 > 3. what specific linux are you running? is it really ubuntu 10.4?
 >
 > > But that just takes me back to the same compatibility error below. I'm sure I am
 > > screwing something up here, just not sure what. Any thoughts on how I can get
 > > the latest rules from the website loaded?
 >
 > i don't think it is you but there is some miscommunication somewhere ;)
 >
 > > I was hoping to understand how to do this manually, then move on to installing
 > > Pulled Pork. Appreciate the help!
 >
 > not a problem... we'll get ya sorted out before too long :)
 >
 > > > Date: Sat, 17 Aug 2013 20:48:34 -0400
 > > > From: wkitty42 () windstream net
 > > > To: snort-users () lists sourceforge net
 > > > Subject: Re: [Snort-users] ERROR: dynamic detection lib is compiled with an
 > > > older version of the dynamic engine
 > > >
 > > > On 8/17/2013 13:38, Michael Heard wrote:
 > > > > ERROR: Dynamic detection lib
 > > > > /usr/local/snort/lib/snort_dynamicrules/nntp.so 1.0
 > > > > isn't compatible with the current dynamic engine library
 > > > > /usr/local/snort/lib/snort_dynamicengine/libsf_engine.so 2.1.
 > > > > The dynamic detection lib is compiled with an older version of the dynamic
 > > > > engine.
 > > > > Fatal Error, Quitting..
 > > > >
 > > > > The error seems to indicate that I need a newer dynamic rule set that is
 > > > > compatible with the dynamicengine I am running.
 > > >
 > > > it is not just the rules set that must be compatible but also the shared so
 > > > dynamic engine files... shut down your snort, and remove the SO files in your
 > > > /usr/local/snort/lib/snort_dynamicengine/ directory... then reinstall snort to
 > > > put the newer and proper SO files back in place... then restart your snort and
 > > > you should be good to go... that is if i have grabbed the proper directory from
 > > > your post where the problem lies...
 >
 >
 >
 > --
 > NOTE: No off-list assistance is given without prior approval.
 > Please keep mailing list traffic on the list unless
 > private contact is specifically requested and granted.
 >
 > ------------------------------------------------------------------------------
 > Get 100% visibility into Java/.NET code with AppDynamics Lite!
 > It's a free troubleshooting tool designed for production.
 > Get down to code-level detail for bottlenecks, with <2% overhead.
 > Download for free and get started troubleshooting in minutes.
 > http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk
 > _______________________________________________
 > Snort-users mailing list
 > Snort-users () lists sourceforge net
 > Go to this URL to change user options or unsubscribe:
 > https://lists.sourceforge.net/lists/listinfo/snort-users
 > Snort-users list archive:
 > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
 >
 > Please visit http://blog.snort.org to stay current on all the latest Snort news!
