Snort mailing list archives

Re: Interesting observation with so rules


From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 11 Oct 2013 10:05:45 -0600

On 2013-10-11 09:33, James Lay wrote:
On 2013-10-11 09:28, Y M wrote:
Hi James

 Which version of pulledpork are you using?

 Sent from Phone

Latest...0.7.0, however this happens when I try it manually, as per:

http://www.snort.org/snort-rules/shared-object-rules

But ultimately the goal is to have pp do it all..but I get the same
error attempting to use pp, so eh..I think I need to at least be able to
do it manually successfully first ;)  I have no idea why it's prepending
the CONF_PATH with the SORULE_PATH..makes no sense :(  Thanks YM.

James

Yea so I got this to go manually...but PP doesn't create the rulefile,
so off to the PP group :)

Generating Stub Rules....
         Generating shared object stubs via:/opt/bin/snort -c 
/opt/etc/snort/sid-msgmap.conf 
--dump-dynamic-rules=/tmp/tha_rules/so_rules/
         Dumping dynamic rules...
         Dumping dynamic rules for Library web-activex 1.0.1
         Dumping dynamic rules for Library nntp 1.0.1
         Dumping dynamic rules for Library imap 1.0.1
         Dumping dynamic rules for Library web-iis 1.0.1
         Dumping dynamic rules for Library smtp 1.0.1
         Dumping dynamic rules for Library bad-traffic 1.0.1
         Dumping dynamic rules for Library misc 1.0.1
         Dumping dynamic rules for Library netbios 1.0.1
         Dumping dynamic rules for Library exploit 1.0.1
         Dumping dynamic rules for Library web-misc 1.0.1
         Dumping dynamic rules for Library snmp 1.0.1
         Dumping dynamic rules for Library p2p 1.0.1
         Dumping dynamic rules for Library chat 1.0.1
         Dumping dynamic rules for Library multimedia 1.0.1
         Dumping dynamic rules for Library specific-threats 1.0.1
         Dumping dynamic rules for Library icmp 1.0.1
         Dumping dynamic rules for Library web-client 1.0.1
         Dumping dynamic rules for Library dos 1.0.1
           Finished dumping dynamic rules.
         Done

[09:59:19 goids:~/snort/so_rules$ ls -l
total 0
-rw-r--r-- 1 root root 0 Oct 11 09:56 so_rules.rules

Thanks YM.

James



 /opt/bin/snort -c /opt/etc/snort/sid-msgmap.conf
 --dump-dynamic-rules=/opt/etc/snort/so_rules/
 Running in Rule Dump mode

 --== Initializing Snort ==--
 Initializing Output Plugins!
 Initializing Preprocessors!
 Initializing Plug-ins!
 Parsing Rules file "/opt/etc/snort/sid-msgmap.conf"
 ERROR: /opt/etc/snort//opt/etc/snort/so_rules/bad-traffic.rules(0) Unable to open rules file "/opt/etc/snort//opt/etc/snort/so_rules/bad-traffic.rules": No such file or directory.

 Fatal Error, Quitting..

 If I comment it out, everything works....is there something I'm totally
 missing? Thanks for the assist all...setting up a new machine and this
 has me stumped.
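The doubled path in that error is worth understanding before chasing pulledpork. The script below is an added example, not from this thread or the Snort project: it resolves a config's include lines the way I read Snort 2.9's parser to do it (an assumption), which shows the config directory being prepended only as a fallback after the path as written fails stat(), so the root cause is usually the stub file not existing yet and the doubled path is just the retry being reported.

```python
import os
import re
import tempfile

def resolve_includes(conf_path):
    """Resolve each 'include' in a Snort 2.x config as the parser does.

    Assumed order (my reading of Snort 2.9's parser, not from the thread):
    expand $VARs, stat() the path as written, and if that fails retry with
    the config directory prepended, even for an absolute path. That retry
    yields the doubled '/opt/etc/snort//opt/etc/snort/...' in the error.
    Returns (include_line, resolved_path, exists) per include.
    """
    conf_dir = os.path.dirname(os.path.abspath(conf_path)) + "/"
    variables, results = {}, []
    with open(conf_path) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            m = re.match(r"var\s+(\w+)\s+(\S+)", line)
            if m:
                variables[m.group(1)] = m.group(2)
                continue
            m = re.match(r"include\s+(\S+)", line)
            if not m:
                continue
            target = re.sub(r"\$(\w+)",
                            lambda v: variables.get(v.group(1), v.group(0)),
                            m.group(1))
            if os.path.exists(target):
                results.append((line, target, True))
            else:  # fallback: conf dir prepended, so the path shows up twice
                fallback = conf_dir + target
                results.append((line, fallback, os.path.exists(fallback)))
    return results

def demo():
    """Constructed config: one stub exists, bad-traffic was never generated."""
    root = tempfile.mkdtemp()
    so_dir = os.path.join(root, "so_rules")
    os.makedirs(so_dir)
    open(os.path.join(so_dir, "exploit.rules"), "w").close()
    conf = os.path.join(root, "sid-msgmap.conf")
    with open(conf, "w") as fh:
        fh.write("var SO_RULE_PATH %s\n" % so_dir)
        fh.write("include $SO_RULE_PATH/exploit.rules\n")
        fh.write("include $SO_RULE_PATH/bad-traffic.rules\n")
    return resolve_includes(conf)
```

Running demo() reports the existing stub as resolved and the missing one under the doubled path, which is the same shape as the error quoted above.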



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
