Snort mailing list archives

Snort: setup SO rules question.


From: Andrew Shagayev <drewshg () gmail com>
Date: Sun, 22 Mar 2015 21:43:51 -0700

Hi all!

OS X 10.10.2
Snort 2.9.7.2 GRE (Build 177)

Trying to setup the so rules.

I've read /etc/snort/so_rules/src/README and done all those steps:

 1. Make sure the dynamic preprocessor and dynamic engine paths are
    defined in snort.conf, for example:

    dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor
    dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so

 2. Make sure the path to the location of the shared object rules is
    also defined in snort.conf, for example:

    dynamicdetection directory /usr/local/lib/snort_dynamicrule

 3. Dump the stub rules by issuing the command:

    snort -c /usr/local/etc/snort/snort.conf --dump-dynamic-rules=/usr/local/etc/snort/so_rules

 4. Use a variable to define the path to the stub rules, for example:

    var SO_RULE_PATH /usr/local/etc/snort/so_rules

 5. Include the generated stub rule files in snort.conf in the same way
    the regular rules are included, for example:

    include $SO_RULE_PATH/netbios.rules

 6. Test the installation by issuing the command:

    snort -c /usr/local/etc/snort/snort.conf -T

But there is nothing about where to put the "precompiled" .so files. Should
they go to /usr/local/lib/snort_dynamicrules?

And which distro would work with OS X?

I've tried to put all the .so files for FreeBSD 10 there, but snort says:

Loading dynamic detection library
/usr/local/lib/snort_dynamicrules//browser-ie.so... ERROR: Failed to load
/usr/local/lib/snort_dynamicrules//browser-ie.so:
dlopen(/usr/local/lib/snort_dynamicrules//browser-ie.so, 6): no suitable
image found.  Did find:
    /usr/local/lib/snort_dynamicrules//browser-ie.so: unknown file type,
first eight bytes: 0x7F 0x45 0x4C 0x46 0x02 0x01 0x01 0x09
Fatal Error, Quitting..

This /usr/local/lib/snort_dynamicrules directory is empty right now and
snort says:

WARNING: No dynamic libraries found in directory
/usr/local/lib/snort_dynamicrules/.

Please point me to where I can find the explanation.

Thank you

-- 
A.S.
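The eight bytes quoted in the dlopen error (0x7F 0x45 0x4C 0x46 0x02 0x01 0x01 0x09) are the ELF identification header: "\x7fELF", 64-bit class, little-endian, ELF version 1, OSABI 0x09 which is FreeBSD. dlopen on OS X only accepts Mach-O images, so a FreeBSD-built shared object can never load there regardless of which directory it is placed in. The script below is an added example, not code from the original post or from the Snort project; it inspects each .so in a dynamicdetection directory and reports the image format, the ELF OSABI where applicable, and whether the loader on the given host platform could accept it at all. The directory path and the sample headers are constructed for illustration.

```python
"""Identify the binary format of Snort shared-object rule libraries.

Added example (not Snort code).  Reads the leading bytes of each .so and
reports whether it is a Mach-O image (what dlopen on OS X accepts) or an
ELF image (Linux, FreeBSD and friends), decoding the ELF e_ident bytes so
the OSABI field shows which platform the library was built for.
"""
import os
import sys

ELF_MAGIC = b"\x7fELF"

# Mach-O magic numbers as they appear on disk on little-endian hosts.
MACHO_MAGICS = {
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xca\xfe\xba\xbe": "Mach-O universal (fat)",
}

# e_ident[EI_OSABI] values from the ELF specification.
ELF_OSABI = {
    0: "SysV/none (Linux builds commonly use this too)",
    1: "HP-UX",
    2: "NetBSD",
    3: "Linux",
    6: "Solaris",
    9: "FreeBSD",
    12: "OpenBSD",
}


def identify(header: bytes) -> dict:
    """Classify a shared object from its first bytes (8 or more for ELF)."""
    magic = header[:4]
    if magic in MACHO_MAGICS:
        return {"format": MACHO_MAGICS[magic], "loader": "darwin"}
    if magic == ELF_MAGIC and len(header) >= 8:
        cls = {1: "32-bit", 2: "64-bit"}.get(header[4], "unknown class")
        endian = {1: "little-endian", 2: "big-endian"}.get(header[5], "unknown byte order")
        osabi = ELF_OSABI.get(header[7], "OSABI 0x%02x" % header[7])
        return {"format": "ELF %s %s" % (cls, endian), "osabi": osabi, "loader": "elf"}
    return {"format": "unknown", "loader": None}


def loadable_on(header: bytes, host: str) -> bool:
    """Whether dlopen on `host` (a sys.platform value) can accept this image.

    OS X loads only Mach-O; ELF hosts load only ELF.  On ELF hosts the
    OSABI and ABI must also match the running system (a FreeBSD build will
    not load on Linux), which a header check alone cannot fully verify.
    """
    info = identify(header)
    if host == "darwin":
        return info["loader"] == "darwin"
    return info["loader"] == "elf"


def classify_all(headers: dict, host: str) -> dict:
    """Classify a mapping of file name -> leading bytes for a given host."""
    results = {}
    for name, hdr in sorted(headers.items()):
        info = identify(hdr)
        info["loadable"] = loadable_on(hdr, host)
        results[name] = info
    return results


def scan_dir(directory: str, host: str = sys.platform) -> dict:
    """Read the first 16 bytes of every .so in `directory` and classify it."""
    headers = {}
    for name in os.listdir(directory):
        if name.endswith(".so"):
            with open(os.path.join(directory, name), "rb") as fh:
                headers[name] = fh.read(16)
    return classify_all(headers, host)


# Constructed sample: the eight bytes quoted in the error message above,
# plus a 64-bit Mach-O header for contrast.
FREEBSD_HEADER = bytes([0x7F, 0x45, 0x4C, 0x46, 0x02, 0x01, 0x01, 0x09])
MACHO64_HEADER = b"\xcf\xfa\xed\xfe" + b"\x00" * 4

if __name__ == "__main__":
    # Hypothetical directory; pass a real dynamicdetection path to inspect it.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    sample = {"browser-ie.so": FREEBSD_HEADER, "example-macho.so": MACHO64_HEADER}
    report = scan_dir(target) if target else classify_all(sample, "darwin")
    for name, info in report.items():
        print("%-20s %-28s %-12s loadable=%s" % (
            name, info["format"], info.get("osabi", "-"), info["loadable"]))
```

Run with no arguments to see the constructed sample classified for OS X; pass the real dynamicdetection directory as the first argument to check the files actually installed there. A result of loadable=False for every file on OS X means the library set was built for an ELF platform and the fix is a Mach-O build, not a different directory.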