Snort mailing list archives
Re: Multiple errors on Snort
From: Anshuman Anil Deshmukh <anshuman () cybage com>
Date: Fri, 5 Dec 2014 10:30:18 +0000
Hi,

Some updates to this issue. I was able to dump the dynamic rules. But then the other error is still not gone, hence I am unable to use the so_rules. Somehow Snort is detecting an incorrect path in spite of mentioning the correct path in my config files. Getting this error:

ERROR: /etc/snort//usr/local/etc/snort/so_rules/bad-traffic.rules(0) Unable to open rules file "/etc/snort//usr/local/etc/snort/so_rules/bad-traffic.rules": No such file or directory.

Following is the configuration for the so rules in my snort.conf:

var SO_RULE_PATH /etc/snort/so_rules/

None of these works:

include /usr/local/etc/snort/so_rules/bad-traffic.rules
OR
include $RULE_PATH/bad-traffic.rules

Before upgrading, the explicit path (without the variable) was working properly. Why is it not working with the new version now?

I am giving here information on how the dump dynamic rule thing worked after I removed my old configuration of stream5_global and used the default configuration. But I couldn't understand which of the old parameters were the reason for the issue. Just putting it here so that experts can analyze the same.

Previously these were the settings:

preprocessor stream5_global: track_tcp yes, \
    memcap 536870912 \
    track_udp yes, \
    track_icmp no, \
    max_tcp 1048576, \
    max_udp 524288, \
    max_active_responses 2, \
    min_response_seconds 5 \
    detect_scans \
    # Added for performance
    dont_store_large_packets \
    disable_evasion_alerts timeout 120 \
    #Added on 23rd Oct 2013
    show_rebuilt_packets

Following resolved the issue:

preprocessor stream5_global: track_tcp yes, \
    track_udp yes, \
    track_icmp no, \
    max_tcp 262144, \
    max_udp 131072, \
    max_active_responses 2, \
    min_response_seconds 5

From: Anshuman Anil Deshmukh [mailto:anshuman () cybage com]
Sent: Friday, December 5, 2014 11:18 AM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] Multiple errors on Snort

Hi,

I recently upgraded my working setup of Snort from version 2.9.6.1 to version 2.9.7.0. After upgrading I am facing the following issues.

1. I cannot update the so_rules via pulledpork. It's not even working if I try to dump the so_rules manually. It is picking up the weird path (same as mentioned in the thread http://seclists.org/snort/2013/q4/126). It is said in this thread to touch or copy. I couldn't understand what exactly needs to be done. What is the resolution to it? I already copied the required .so files so that the dump dynamic option works. On which files am I supposed to do the touch?

2. If I try to disable the so_rule configuration within snort.conf and pulledpork.conf, it gives me the error "ERROR: /etc/snort/snort.conf(373) => Too many parameters for option in Session config."

Please suggest what should be done to resolve the issue.

Regards,
Anshuman
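The include-path problem in the thread, as an added example that is not part of the original posts: a small checker that reads the var/include lines of a snort.conf the way the poster writes them, resolves $VAR references, reports whether each resolved file exists, and shows the string you get if the config directory is prepended to an already absolute include (the shape of the error in the thread). The config fragment, the directory name and the set of existing files are constructed for the example; treating the prefix as the cause of the error is an assumption, not something the thread confirms.

```python
import os
import re

# Constructed snort.conf fragment modelled on the thread, not the poster's full file.
SAMPLE_CONF = """\
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/so_rules/
include $RULE_PATH/local.rules
include $SO_RULE_PATH/bad-traffic.rules
include /usr/local/etc/snort/so_rules/bad-traffic.rules
"""
# Constructed stand-in for the filesystem so the check runs offline.
SAMPLE_FS = {"/etc/snort/rules/local.rules", "/etc/snort/so_rules/bad-traffic.rules"}

VAR_RE = re.compile(r"^\s*(?:var|ipvar|portvar)\s+(\w+)\s+(\S+)")
INC_RE = re.compile(r"^\s*include\s+(\S+)")

def parse_conf(text):
    """Collect var definitions and include lines as (line number, raw path)."""
    variables, includes = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if m := VAR_RE.match(line):
            variables[m.group(1)] = m.group(2)
        elif m := INC_RE.match(line):
            includes.append((lineno, m.group(1)))
    return variables, includes

def expand(path, variables):
    """Substitute $NAME references; an undefined name raises KeyError."""
    return re.sub(r"\$(\w+)", lambda m: variables[m.group(1)], path)

def check_includes(text, existing, conf_dir="/etc/snort"):
    """One dict per include: resolved path, whether it exists, and the string
    produced if conf_dir is prepended (assumed cause of the '//' in the error)."""
    variables, includes = parse_conf(text)
    results = []
    for lineno, raw in includes:
        expanded = expand(raw, variables)
        resolved = os.path.normpath(expanded)  # collapses the '//' a trailing slash in a var leaves
        # Hypothesis drawn from the error string: the config directory was
        # prepended to an include path that was already absolute.
        joined = conf_dir.rstrip("/") + "/" + expanded
        results.append({
            "line": lineno, "include": raw, "resolved": resolved,
            "exists": resolved in existing, "joined": joined,
        })
    return results
```

Running `check_includes(SAMPLE_CONF, SAMPLE_FS)` shows the two variable-based includes resolving to existing files while the absolute include is missing, and its "joined" value reproduces the double-slash path from the thread's error.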
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!