Re: Upgrade to 2.9.7.0 results in Pulledpork not generating stub rules

[Y M <snort () outlook com>]

Hmm..The second command will only generate the stub rules (.rules) for the .so rules but not the .so files themselves.

The way PulledPork knows which ones to copy as far as I understand is by reading the version from Snort binary itself 
or if you have the version explicitly specified in pulledpork.conf. Either ways, I think the distro also plays a role 
in it. For example, under the so_rules/precompiled/ there is no directory for Ubuntu 14-04 last time I checked, so if 
the distro is not specified properly PulledPork "may not" be able to copy them. I can verify tomorrow.

YM

Sent from Mobile
________________________________
From: James Lay<mailto:jlay () slave-tothe-box net>
Sent: ‎11/‎12/‎2014 12:07 AM
To: Y M<mailto:snort () outlook com>
Cc: snort-users<mailto:snort-users () lists sourceforge net>
Subject: RE: [Snort-users] Upgrade to 2.9.7.0 results in Pulledpork not  generating stub rules

On 2014-11-11 13:52, Y M wrote:
> > To: snort () outlook com
> > Subject: RE: [Snort-users] Upgrade to 2.9.7.0 results in Pulledpork
> not generating stub rules
> > Date: Tue, 11 Nov 2014 13:46:41 -0700
> > From: jlay () slave-tothe-box net
> > CC: snort-users () lists sourceforge net
> >
> > On 2014-11-11 13:43, Y M wrote:
> > > > To: snort-users () lists sourceforge net
> > > > Date: Tue, 11 Nov 2014 13:37:26 -0700
> > > > From: jlay () slave-tothe-box net
> > > > Subject: Re: [Snort-users] Upgrade to 2.9.7.0 results in
> Pulledpork
> > > not generating stub rules
> > > > On 2014-11-11 13:33, Joel Esler (jesler) wrote:
> > > > > Looks like you are trying to use 2962 rules with 2970 or
> > > something.
> > > > > --
> > > > > JOEL ESLER Sent from my iPhone
> > > > >
> > > > > On Nov 11, 2014, at 3:12 PM, James Lay
> <jlay () slave-tothe-box net
> > > > > [6]>
> > > > > wrote:
> > > > >
> > > > > > Topic says it:
> > > > > >
> > > > > > Generating Stub Rules....
> > > > > > An error occurred: WARNING: No dynamic libraries found in
> > > > > > directory /usr/local/lib/snort_dynamicrules.
> > > > > >
> > > > > > Indeed after clearing out snort_dynamicrules after:
> > > > > >
> > > > > > An error occurred: ERROR: The dynamic detection library
> > > > > > "/usr/local/lib/snort_dynamicrules/web-activex.so" version 1.0
> > > > > > compiled
> > > > > > with dynamic engine library version 2.1 isn't compatible with
> the
> > > > > > current dynamic engine library
> > > > > > "/usr/local/lib/snort_dynamicengine/libsf_engine.so" version
> 2.4.
> > > > > > I'm using VRT ruleset...has something changes since 2.9.6.2?
> > > Thank
> > > > > > you.
> > > > > >
> > > > > > James
> > > >
> > > > Maybe I need to blow out the rules....my pp run shows:
> > > >
> > > > Checking latest MD5 for snortrules-snapshot-2970.tar.gz....
> > > > Rules tarball download of snortrules-snapshot-2970.tar.gz....
> > > >
> > > > So not sure at this point...I'll try nuking the rules..thanks for
> > > > looking Joel.
> > > >
> > > > James
> > >
> > > Try manually deleting the old .so rules and then copy the new
> ones.
> > > Thats what I did on the dev box and it was a smooth upgrade.
> > >
> > > YM
> >
> > Thanks YM..can you refresh my memory on how to create the so rules
> > manually? Been using PP too long I guess :) Thanks again.
> >
> > James
>
> They should be included in the rules tarball itself:
>
> cp so_rules/precompiled/<distro>/<archi>/2.9.7.0/*
> /snort/path/lib/snort_dynamicrules/
>
> or if your want to just generate the stub files:
>
> /usr/local/bin/snort -c /usr/local/etc/snort.conf
> --dump-dynamic-rules=/tmp
>
> YM

Thanks YM...I had to copy them since it didn't look like generating
them actually created so, just precomp:

Running in Rule Dump mode

         --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "external.conf"
PortVar 'HTTP_PORTS' defined :  [ 80 8080 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:24 26:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
PortVar 'SSH_PORTS' defined :  [ 22 ]
PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
PortVar 'SIP_PORTS' defined :  [ 5060:5061 5600 ]
PortVar 'FILE_DATA_PORTS' defined :  [ 25 80 8080 ]
PortVar 'GTP_PORTS' defined :  [ 2123 2152 3386 ]
Detection:
    Search-Method = AC-Full-Q
     Split Any/Any group = enabled
     Search-Method-Optimizations = enabled
     Maximum pattern length = 20
Tagged Packet Limit: 256
Loading dynamic engine
/usr/local/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic detection libs from
/usr/local/lib/snort_dynamicrules...
WARNING: No dynamic libraries found in directory
/usr/local/lib/snort_dynamicrules.
   Finished Loading all dynamic detection libs from
/usr/local/lib/snort_dynamicrules
Loading all dynamic preprocessor libs from
/usr/local/lib/snort_dynamicpreprocessor/...
   Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so... done

I think I'm missing a step, but I'm gonna roll with it...I don't think
my pp is correctly creating the the so rules. :(

James

------------------------------------------------------------------------------
Comprehensive Server Monitoring with Site24x7.
Monitor 10 servers for $9/Month.
Get alerted through email, SMS, voice calls or mobile push notifications.
Take corrective actions from your mobile device.
http://pubads.g.doubleclick.net/gampad/clk?id=154624111&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!