Snort mailing list archives

Re: Upgrade to 2.9.7.0 results in Pulledpork not generating stub rules


From: James Lay <jlay () slave-tothe-box net>
Date: Tue, 11 Nov 2014 14:22:58 -0700

On 2014-11-11 14:23, Y M wrote:
Hmm... The second command will only generate the stub rules (.rules) for the .so rules but not the .so files themselves.

 The way PulledPork knows which ones to copy, as far as I understand, is by reading the version from the Snort binary itself, or if you have the version explicitly specified in pulledpork.conf. Either way, I think the distro also plays a role in it. For example, under so_rules/precompiled/ there is no directory for Ubuntu 14-04 last time I checked, so if the distro is not specified properly PulledPork "may not" be able to copy them. I can verify tomorrow.

 YM

 Sent from Mobile

-------------------------
 From: James Lay [1]
 Sent: 11/12/2014 12:07 AM
 To: Y M [2]
 Cc: snort-users [3]
 Subject: RE: [Snort-users] Upgrade to 2.9.7.0 results in Pulledpork not generating stub rules

On 2014-11-11 13:52, Y M wrote:
 >> To: snort () outlook com
 >> Subject: RE: [Snort-users] Upgrade to 2.9.7.0 results in Pulledpork not generating stub rules
 >> Date: Tue, 11 Nov 2014 13:46:41 -0700
 >> From: jlay () slave-tothe-box net
 >> CC: snort-users () lists sourceforge net
 >>
 >> On 2014-11-11 13:43, Y M wrote:
 >> >> To: snort-users () lists sourceforge net
 >> >> Date: Tue, 11 Nov 2014 13:37:26 -0700
 >> >> From: jlay () slave-tothe-box net
 >> >> Subject: Re: [Snort-users] Upgrade to 2.9.7.0 results in Pulledpork not generating stub rules
 >> >>
 >> >> On 2014-11-11 13:33, Joel Esler (jesler) wrote:
 >> >> > Looks like you are trying to use 2962 rules with 2970 or something.
 >> >> >
 >> >> > --
 >> >> > JOEL ESLER Sent from my iPhone
 >> >> >
 >> >> > On Nov 11, 2014, at 3:12 PM, James Lay <jlay () slave-tothe-box net [6]> wrote:
 >> >> >
 >> >> >> Topic says it:
 >> >> >>
 >> >> >> Generating Stub Rules....
 >> >> >> An error occurred: WARNING: No dynamic libraries found in
 >> >> >> directory /usr/local/lib/snort_dynamicrules.
 >> >> >>
 >> >> >> Indeed after clearing out snort_dynamicrules after:
 >> >> >>
 >> >> >> An error occurred: ERROR: The dynamic detection library
 >> >> >> "/usr/local/lib/snort_dynamicrules/web-activex.so" version 1.0 compiled
 >> >> >> with dynamic engine library version 2.1 isn't compatible with the
 >> >> >> current dynamic engine library
 >> >> >> "/usr/local/lib/snort_dynamicengine/libsf_engine.so" version 2.4.
 >> >> >>
 >> >> >> I'm using the VRT ruleset...has something changed since 2.9.6.2? Thank you.
 >> >> >>
 >> >> >> James
 >> >> >>
 >> >>
 >> >> Maybe I need to blow out the rules....my pp run shows:
 >> >>
 >> >> Checking latest MD5 for snortrules-snapshot-2970.tar.gz....
 >> >> Rules tarball download of snortrules-snapshot-2970.tar.gz....
 >> >>
 >> >> So not sure at this point...I'll try nuking the rules..thanks for looking Joel.
 >> >>
 >> >> James
 >> >
 >> > Try manually deleting the old .so rules and then copy the new ones.
 >> > That's what I did on the dev box and it was a smooth upgrade.
 >> >
 >> > YM
 >>
 >> Thanks YM..can you refresh my memory on how to create the so rules manually? Been using PP too long I guess :) Thanks again.
 >>
 >> James
 >
 > They should be included in the rules tarball itself:
 >
 > cp so_rules/precompiled/<distro>/<archi>/2.9.7.0/* /snort/path/lib/snort_dynamicrules/
 >
 > or if you want to just generate the stub files:
 >
 > /usr/local/bin/snort -c /usr/local/etc/snort.conf --dump-dynamic-rules=/tmp
 >
 > YM

 Thanks YM...I had to copy them since it didn't look like generating them actually created so, just precomp:

 Running in Rule Dump mode

 --== Initializing Snort ==--
 Initializing Output Plugins!
 Initializing Preprocessors!
 Initializing Plug-ins!
 Parsing Rules file "external.conf"
 PortVar 'HTTP_PORTS' defined : [ 80 8080 ]
 PortVar 'SHELLCODE_PORTS' defined : [ 0:24 26:79 81:65535 ]
 PortVar 'ORACLE_PORTS' defined : [ 1024:65535 ]
 PortVar 'SSH_PORTS' defined : [ 22 ]
 PortVar 'FTP_PORTS' defined : [ 21 2100 3535 ]
 PortVar 'SIP_PORTS' defined : [ 5060:5061 5600 ]
 PortVar 'FILE_DATA_PORTS' defined : [ 25 80 8080 ]
 PortVar 'GTP_PORTS' defined : [ 2123 2152 3386 ]
 Detection:
 Search-Method = AC-Full-Q
 Split Any/Any group = enabled
 Search-Method-Optimizations = enabled
 Maximum pattern length = 20
 Tagged Packet Limit: 256
 Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
 Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules...
 WARNING: No dynamic libraries found in directory /usr/local/lib/snort_dynamicrules.
 Finished Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules
 Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
 Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so... done

 I think I'm missing a step, but I'm gonna roll with it...I don't think my pp is correctly creating the so rules. :(

 James


Thanks YM...here's what I got from pp.conf:

distro=Ubuntu-12-4

And after sshing in:

Welcome to Ubuntu 12.04.5 LTS (GNU/Linux 3.13.0-39-generic x86_64)

Yea...something seems not to be working...all my other instances have outdated so rules...hrmmm.

James
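A small defender-side check, added here and not part of the thread, of PulledPork or of Snort, that mirrors the manual copy YM describes above: it confirms the rules tarball actually ships a precompiled build for the configured distro, arch and Snort version before any .so files are replaced, and lists what is there when it does not (the kind of mismatch the "isn't compatible with the current dynamic engine library" error points at). Function names and the sample directory layout are assumptions.

```shell
# Added example, not PulledPork's or Snort's own code; helper names are
# hypothetical and the layout mirrors the thread's cp command.

# Reduce a "snort -V" banner such as "Version 2.9.7.0 GRE (Build 149)" to the
# bare version string that names the per-version tarball directory.
snort_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*Version \([0-9][0-9.]*[0-9]\).*/\1/p'
}

# Print so_rules/precompiled/<distro>/<arch>/<version> if it exists; otherwise
# fail and list what the tarball ships at the first level that is missing, so
# a distro, arch or version mismatch is visible before anything is copied.
find_precompiled_dir() {
    base="$1/so_rules/precompiled"
    if [ -d "$base/$2/$3/$4" ]; then
        printf '%s\n' "$base/$2/$3/$4"
        return 0
    fi
    for level in "$2/$3" "$2" ""; do
        if [ -d "$base/$level" ]; then
            echo "no $2/$3/$4 build; shipped under '$level': $(ls "$base/$level" | tr '\n' ' ')" >&2
            return 1
        fi
    done
    echo "no precompiled directory under $1" >&2
    return 1
}

# Replace stale .so files with the matching build (the thread's manual fix)
# and print how many were installed; stubs are then regenerated with
#   snort -c /usr/local/etc/snort.conf --dump-dynamic-rules=<rules dir>
install_so_rules() {
    src=$(find_precompiled_dir "$1" "$2" "$3" "$4") || return 1
    rm -f "$5"/*.so
    cp "$src"/*.so "$5"/
    ls "$5"/*.so | wc -l | tr -d ' '
}

# Constructed sample tarball with empty placeholder .so files, for a dry run.
make_sample_tarball() {
    root=$(mktemp -d)
    for d in Ubuntu-12-4/x86-64/2.9.6.2 Ubuntu-12-4/x86-64/2.9.7.0 \
             Centos-5-4/x86-64/2.9.7.0; do
        mkdir -p "$root/so_rules/precompiled/$d"
        : > "$root/so_rules/precompiled/$d/web-activex.so"
        : > "$root/so_rules/precompiled/$d/browser-ie.so"
    done
    printf '%s\n' "$root"
}
```

Run it against the extracted snapshot directory with the distro value from pulledpork.conf (Ubuntu-12-4 in this thread) and the version from `snort -V`; a non-zero exit with a listing on stderr means the tarball has no build for that combination and copying would only reproduce the engine-version error.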

