Snort mailing list archives

Re: Multiple errors on Snort


From: Anshuman Anil Deshmukh <anshuman () cybage com>
Date: Fri, 5 Dec 2014 10:30:18 +0000

Hi,

Some updates to this issue.

I was able to dump the dynamic rules. But the other error is still not gone, hence I am unable to use the so_rules. 
Somehow Snort is detecting an incorrect path in spite of the correct path being mentioned in my config files.

Getting this error-
ERROR: /etc/snort//usr/local/etc/snort/so_rules/bad-traffic.rules(0) Unable to open rules file 
"/etc/snort//usr/local/etc/snort/so_rules/bad-traffic.rules": No such file or directory.

Following is the configuration for the so rules in my snort.conf

var SO_RULE_PATH /etc/snort/so_rules/

None of these work:
include /usr/local/etc/snort/so_rules/bad-traffic.rules
OR
include $RULE_PATH/bad-traffic.rules.

Before upgrading, explicit path (without the variable) was working properly. Why is it not working with the new version 
now?

I am giving here information on how the dump dynamic rules step worked after I removed my old configuration of 
stream5_global and used the default configuration. But I couldn't understand which of the old parameters were the reason 
for the issue. Just putting it here so that experts can analyze the same.

Previously these were the settings -
preprocessor stream5_global: track_tcp yes, \
memcap 536870912 \
track_udp yes, \
track_icmp no, \
max_tcp 1048576, \
max_udp 524288, \
max_active_responses 2, \
min_response_seconds 5 \
detect_scans \
# Added for performance
dont_store_large_packets \
disable_evasion_alerts timeout 120 \
#Added on 23rd Oct 2013
show_rebuilt_packets

Following resolved the issue-
preprocessor stream5_global: track_tcp yes, \
   track_udp yes, \
   track_icmp no, \
   max_tcp 262144, \
   max_udp 131072, \
   max_active_responses 2, \
   min_response_seconds 5
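The difference between the two stream5_global blocks above is mostly missing commas between options (after memcap and after min_response_seconds), which is one way a "Too many parameters for option" error can arise, since the next option name is read as an extra argument. The following checker is an added example, not code from this thread or from the Snort project: it joins backslash-continued lines, splits the option list on commas, and flags options that carry more arguments than they accept. The one-argument option set, the treatment of '#' lines as skipped, and the shortened sample block are assumptions made for the example.

```python
import re

# Constructed sample: the poster's old stream5_global block, shortened but
# keeping two lines without a trailing comma and an interleaved comment line.
OLD_BLOCK = """preprocessor stream5_global: track_tcp yes, \\
memcap 536870912 \\
track_udp yes, \\
min_response_seconds 5 \\
detect_scans \\
# Added for performance
show_rebuilt_packets
"""

# stream5_global options taking exactly one argument (Snort 2.9 manual).
# Not exhaustive: a name absent here is treated as a bare flag (assumption).
ONE_ARG = {"track_tcp", "track_udp", "track_icmp", "memcap", "max_tcp",
           "max_udp", "max_active_responses", "min_response_seconds"}

def logical_lines(text):
    """Join backslash-continued lines; '#' lines are skipped (assumption)."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
        else:
            out.append((buf + line).strip())
            buf = ""
    return out

def parse_preprocessor(line):
    """'preprocessor x: a 1, b' -> ('x', [['a', '1'], ['b']]) or None."""
    m = re.match(r"preprocessor\s+(\w+):\s*(.*)$", line)
    if not m:
        return None
    return m.group(1), [opt.split() for opt in m.group(2).split(",") if opt.strip()]

def lint_stream5_global(text):
    """Warn about options with more arguments than allowed (a missing comma
    makes the following option name look like an extra argument)."""
    warnings = []
    for line in logical_lines(text):
        parsed = parse_preprocessor(line)
        if not parsed or parsed[0] != "stream5_global":
            continue
        for opt in parsed[1]:
            limit = 1 if opt[0] in ONE_ARG else 0
            if len(opt) - 1 > limit:
                warnings.append(f"{opt[0]}: {len(opt) - 1} args (max {limit}); comma missing before {opt[1 + limit]!r}?")
    return warnings
```

Running it on the sample reports memcap and min_response_seconds, the two lines whose trailing comma is missing; the fixed block from the message produces no warnings.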

From: Anshuman Anil Deshmukh [mailto:anshuman () cybage com]
Sent: Friday, December 5, 2014 11:18 AM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] Multiple errors on Snort

Hi,

I recently upgraded my working setup of Snort from version 2.9.6.1 to version 2.9.7.0. After upgrading I am facing 
following issues.


1.       I cannot update the so_rules via pulledpork. It's not even working if I try to dump the so_rules 
manually. It is picking up a weird path (same as mentioned in the thread http://seclists.org/snort/2013/q4/126). It 
is said in this thread to touch or copy. I couldn't understand what exactly needs to be done. What is the resolution to 
it? I already copied the required .so files so as to get the dump dynamic option to work. On which files am I supposed to do 
the touch?

2.       If I try to disable the so_rule configuration within snort.conf and pulledpork.conf, it gives me error "ERROR: 
/etc/snort/snort.conf(373) => Too many parameters for option in Session config."

Please suggest what should be done to resolve the issue.


Regards,
Anshuman

"Legal Disclaimer: This electronic message and all contents contain information from Cybage Software Private Limited 
which may be privileged, confidential, or otherwise protected from disclosure. The information is intended to be for 
the addressee(s) only. If you are not an addressee, any disclosure, copy, distribution, or use of the contents of this 
message is strictly prohibited. If you have received this electronic message in error please notify the sender by reply 
e-mail to and destroy the original message and all copies. Cybage has taken every reasonable precaution to minimize the 
risk of malicious content in the mail, but is not liable for any damage you may sustain as a result of any malicious 
content in this e-mail. You should carry out your own malicious content checks before opening the e-mail or 
attachment." www.cybage.com<http://www.cybage.com>
