[Snort-devel] dump dynamic rules problem.

Husnu Demir hdemir at ...287...
Wed Dec 23 04:45:24 EST 2009



Yes, I tried that option also, but no luck. There are no rules files in the /tmp/ dir.

I used the *.rules files in the so_rules directory and ran snort; it gave me the
following result:

..
..

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.5.1 (Build 114)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2009 Sourcefire, Inc., et al.
           Using PCRE version: 7.6 2008-01-28

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.11  <Build 17>
           Rules Object: netbios  Version 1.0  <Build 1>
           Rules Object: imap  Version 1.0  <Build 1>
           Rules Object: web-client  Version 1.0  <Build 1>
           Rules Object: nntp  Version 1.0  <Build 1>
           Rules Object: dos  Version 1.0  <Build 1>
           Rules Object: smtp  Version 1.0  <Build 1>
           Rules Object: web-misc  Version 1.0  <Build 1>
           Rules Object: sql  Version 1.0  <Build 1>
           Rules Object: multimedia  Version 1.0  <Build 1>
           Rules Object: misc  Version 1.0  <Build 1>
           Rules Object: p2p  Version 1.0  <Build 1>
           Rules Object: web-activex  Version 1.0  <Build 1>
           Rules Object: chat  Version 1.0  <Build 1>
           Rules Object: exploit  Version 1.0  <Build 1>
           Rules Object: bad-traffic  Version 1.0  <Build 1>
           Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 2>
           Preprocessor Object: SF_SSH  Version 1.1  <Build 2>
           Preprocessor Object: SF_SSLPP  Version 1.1  <Build 3>
           Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 12>
           Preprocessor Object: SF_SMTP  Version 1.1  <Build 8>
           Preprocessor Object: SF_DNS  Version 1.1  <Build 3>
           Preprocessor Object: SF_Dynamic_Example_Preprocessor  Version 1.0  <Build 1>
           Preprocessor Object: SF_DCERPC  Version 1.1  <Build 5>


So it is working. But I could not dump the files. And there is no error.

Thanks.

hdemir.

Steven Sturges wrote:
> Pretty sure you need an = between the option and the path, i.e.
> 
> /usr/local/snort-2.8.5.1/bin/snort --dump-dynamic-rules=/tmp/
> 
> Husnu Demir wrote:
>> Hi People,
>>
>>
>> /usr/local/snort-2.8.5.1/bin/snort --dump-dynamic-rules /tmp/ command is not
>> working properly.
>>
>> /usr/local/snort-2.8.5.1/bin/snort --dump-dynamic-rules /tmp/
>> Running in Rule Dump mode
>>
>>         --== Initializing Snort ==--
>> Initializing Output Plugins!
>> Snort BPF option: /tmp
>> ERROR: snort.c(5049) Please specify the directory path for dumping the dynamic rules
>> Fatal Error, Quitting..
>>
>>
>>
>> When I try
>>
>> /usr/local/snort-2.8.5.1/bin/snort --dump-dynamic-rules=/tmp
>> Running in Rule Dump mode
>>
>>         --== Initializing Snort ==--
>> Initializing Output Plugins!
>> Dumping dynamic rules...
>>   Finished dumping dynamic rules.
>> Snort exiting
>>
>> ls /tmp
>> total 0
>>
>>
>>
>> My snort config ..
>>
>> snips..
>> ..
>>
>> dynamicdetection directory /usr/local/snort-2.8.5.1/lib/snort_dynamicrules/
>> ..
>>
>>
>> uname -a
>> Linux kaf 2.6.26-2-xen-amd64 #1 SMP Thu Nov 5 04:27:12 UTC 2009 x86_64 GNU/Linux
>>
>> Also I used precompiled Ubuntu 8.04 rules.so.
>>
>>
>> Thanks.
>>
>> hdemir.
>>
>> I used
> 
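The two invocations in the thread behave differently because of how getopt_long binds an optional long-option argument: only a value attached with `=` is bound to the option, while a space-separated token stays a non-option argument, which Snort then reads as its BPF filter ("Snort BPF option: /tmp"). The following C program is an added illustration, not Snort's own source; it assumes that Snort declares `--dump-dynamic-rules` with `optional_argument`, which is consistent with the output quoted above but is not shown on the page. The `parse_args` and `space_form_*` / `equals_form_*` helpers are names invented here.

```c
/* Added example: why "--dump-dynamic-rules /tmp/" fails but
 * "--dump-dynamic-rules=/tmp" works when the long option takes an
 * optional argument. Assumption: Snort defines the option this way. */
#include <getopt.h>
#include <stdio.h>
#include <string.h>

/* Outcome of one parse, mirroring what Snort reported in the thread. */
struct dump_opts {
    int dump_mode;          /* 1 if --dump-dynamic-rules was seen at all      */
    const char *dump_dir;   /* value bound to the option, or NULL if none     */
    const char *bpf;        /* first leftover positional argument (BPF filter) */
};

/* Parse argv with a getopt_long table whose dump option is optional_argument.
 * Hypothetical stand-in for Snort's parser, built to reproduce the behaviour. */
struct dump_opts parse_args(int argc, char **argv)
{
    static const struct option longopts[] = {
        { "dump-dynamic-rules", optional_argument, NULL, 'D' },
        { NULL, 0, NULL, 0 }
    };
    struct dump_opts r = { 0, NULL, NULL };
    int c;

    optind = 0;   /* 0 = full re-initialisation (glibc and BSD), so this is re-entrant */
    opterr = 0;   /* keep getopt quiet; we report through the return value */
    while ((c = getopt_long(argc, argv, "", longopts, NULL)) != -1) {
        if (c == 'D') {
            r.dump_mode = 1;
            r.dump_dir = optarg;   /* NULL unless the value was attached with '=' */
        }
    }
    /* Anything getopt did not consume is positional; Snort takes it as a BPF filter. */
    if (optind < argc)
        r.bpf = argv[optind];
    return r;
}

/* Does the parse leave a usable dump directory? Mirrors Snort's
 * "Please specify the directory path for dumping the dynamic rules" check. */
int dump_dir_specified(struct dump_opts o)
{
    return o.dump_mode && o.dump_dir != NULL && o.dump_dir[0] != '\0';
}

/* Constructed argv from the thread: space-separated form. */
struct dump_opts space_form(void)
{
    char *argv[] = { "snort", "--dump-dynamic-rules", "/tmp/", NULL };
    return parse_args(3, argv);
}

/* Constructed argv from the thread: '=' form. */
struct dump_opts equals_form(void)
{
    char *argv[] = { "snort", "--dump-dynamic-rules=/tmp", NULL };
    return parse_args(2, argv);
}

int main(void)
{
    struct dump_opts s = space_form();
    struct dump_opts e = equals_form();

    printf("space form : dump_mode=%d dir=%s bpf=%s ok=%d\n",
           s.dump_mode, s.dump_dir ? s.dump_dir : "(null)",
           s.bpf ? s.bpf : "(null)", dump_dir_specified(s));
    printf("equals form: dump_mode=%d dir=%s bpf=%s ok=%d\n",
           e.dump_mode, e.dump_dir ? e.dump_dir : "(null)",
           e.bpf ? e.bpf : "(null)", dump_dir_specified(e));
    return 0;
}
```

The space form sets dump mode but binds no directory and leaves "/tmp/" as a positional argument, which is exactly the "BPF option: /tmp" followed by the fatal error in the first quoted run; the `=` form binds "/tmp" and leaves nothing positional. This explains only the argument-parsing failure; it says nothing about why the second run reported "Finished dumping dynamic rules" while /tmp stayed empty, which the thread leaves unresolved.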
