[Snort-devel] dump dynamic rules problem.

Husnu Demir hdemir at ...287...
Wed Dec 23 09:06:19 EST 2009



/usr/local/snort-2.8.5.1/bin/snort -l /var/log/snort/ -c
/usr/local/snort-2.8.5.1/etc/snort.conf -i eth0


hdemir.

PS: I gave the last output to show that it is working with the so_rules but did
not dump the so_rules.





Steven Sturges wrote:
> What other command line arguments are you passing to snort?
> 
> When Snort prints out the version information and related for each
> of the various objects loaded, it is operating in its normal
> run mode.
> 
> Husnu Demir wrote:
>> Yes, I tried that option also, but no luck. There are no rules files in the /tmp/ dir.
>>
>> I used the *.rules files in the so_rules directory and ran snort; it gave me the
>> following result:
>>
>> ..
>> ..
>>
>>         --== Initialization Complete ==--
>>
>>    ,,_     -*> Snort! <*-
>>   o"  )~   Version 2.8.5.1 (Build 114)
>>    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
>>            Copyright (C) 1998-2009 Sourcefire, Inc., et al.
>>            Using PCRE version: 7.6 2008-01-28
>>
>>            Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.11  <Build 17>
>>            Rules Object: netbios  Version 1.0  <Build 1>
>>            Rules Object: imap  Version 1.0  <Build 1>
>>            Rules Object: web-client  Version 1.0  <Build 1>
>>            Rules Object: nntp  Version 1.0  <Build 1>
>>            Rules Object: dos  Version 1.0  <Build 1>
>>            Rules Object: smtp  Version 1.0  <Build 1>
>>            Rules Object: web-misc  Version 1.0  <Build 1>
>>            Rules Object: sql  Version 1.0  <Build 1>
>>            Rules Object: multimedia  Version 1.0  <Build 1>
>>            Rules Object: misc  Version 1.0  <Build 1>
>>            Rules Object: p2p  Version 1.0  <Build 1>
>>            Rules Object: web-activex  Version 1.0  <Build 1>
>>            Rules Object: chat  Version 1.0  <Build 1>
>>            Rules Object: exploit  Version 1.0  <Build 1>
>>            Rules Object: bad-traffic  Version 1.0  <Build 1>
>>            Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 2>
>>            Preprocessor Object: SF_SSH  Version 1.1  <Build 2>
>>            Preprocessor Object: SF_SSLPP  Version 1.1  <Build 3>
>>            Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 12>
>>            Preprocessor Object: SF_SMTP  Version 1.1  <Build 8>
>>            Preprocessor Object: SF_DNS  Version 1.1  <Build 3>
>>            Preprocessor Object: SF_Dynamic_Example_Preprocessor  Version 1.0  <Build 1>
>>            Preprocessor Object: SF_DCERPC  Version 1.1  <Build 5>
>>
>>
>> So it is working. But I could not dump the files. And there is no error.
>>
>> Thanks.
>>
>> hdemir.
>>
>> Steven Sturges wrote:
>>> Pretty sure you need an = between the option and the path, i.e.
>>> /usr/local/snort-2.8.5.1/bin/snort --dump-dynamic-rules=/tmp/
>>> Husnu Demir wrote:
>>>> Hi People,
>>>>
>>>>
>>>> /usr/local/snort-2.8.5.1/bin/snort --dump-dynamic-rules /tmp/ command is not
>>>> working properly.
>>>>
>>>> /usr/local/snort-2.8.5.1/bin/snort --dump-dynamic-rules /tmp/
>>>> Running in Rule Dump mode
>>>>
>>>>         --== Initializing Snort ==--
>>>> Initializing Output Plugins!
>>>> Snort BPF option: /tmp
>>>> ERROR: snort.c(5049) Please specify the directory path for dumping the dynamic rules
>>>> Fatal Error, Quitting..
>>>>
>>>>
>>>>
>>>> When I try
>>>>
>>>> /usr/local/snort-2.8.5.1/bin/snort --dump-dynamic-rules=/tmp
>>>> Running in Rule Dump mode
>>>>
>>>>         --== Initializing Snort ==--
>>>> Initializing Output Plugins!
>>>> Dumping dynamic rules...
>>>>   Finished dumping dynamic rules.
>>>> Snort exiting
>>>>
>>>> ls /tmp
>>>> total 0
>>>>
>>>>
>>>>
>>>> My snort config ..
>>>>
>>>> snips..
>>>> ..
>>>>
>>>> dynamicdetection directory /usr/local/snort-2.8.5.1/lib/snort_dynamicrules/
>>>> ..
>>>>
>>>>
>>>> uname -a
>>>> Linux kaf 2.6.26-2-xen-amd64 #1 SMP Thu Nov 5 04:27:12 UTC 2009 x86_64 GNU/Linux
>>>>
>>>> Also I used precompiled Ubuntu 8.04 rules.so.
>>>>
>>>>
>>>> Thanks.
>>>>
>>>> hdemir.
>>>>
>>>> I used
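Added example, not from this thread or from Snort's source: a small getopt_long parser with one optional_argument option, reproducing the two results quoted above (the space-separated form leaves the path as a stray word, which Snort reports as "Snort BPF option: /tmp", while the '=' form attaches it). The short option code 'D', the struct names and the dump_error helper are assumptions made for the example.

```c
/* Added example (not from the thread or Snort's source): a getopt_long parser
 * with one optional_argument option. Short code 'D' and the struct are assumptions. */
#include <getopt.h>
#include <stdio.h>
#include <string.h>

struct parsed {
    int dump_requested;     /* 1 if --dump-dynamic-rules appeared at all */
    const char *dump_dir;   /* its attached value; NULL unless given as --opt=DIR */
    const char *leftover;   /* first non-option word; Snort reads this as a BPF filter */
};

struct parsed parse_args(int argc, char **argv)
{
    static const struct option longopts[] = {
        /* optional_argument: a value must be glued on with '=' to be seen */
        {"dump-dynamic-rules", optional_argument, NULL, 'D'},
        {0, 0, 0, 0}
    };
    struct parsed p = {0, NULL, NULL};
    int c;
    optind = 0;  /* glibc/musl: full reset so the function can be called repeatedly */
    while ((c = getopt_long(argc, argv, "", longopts, NULL)) != -1) {
        if (c == 'D') {
            p.dump_requested = 1;
            p.dump_dir = optarg;  /* stays NULL for "--dump-dynamic-rules /tmp/" */
        }
    }
    if (optind < argc)
        p.leftover = argv[optind];  /* "/tmp/" lands here in the space-separated form */
    return p;
}

/* Mirrors the "Please specify the directory path ..." check: option seen, no value. */
const char *dump_error(const struct parsed *p)
{
    if (p->dump_requested && p->dump_dir == NULL)
        return "Please specify the directory path for dumping the dynamic rules";
    return NULL;
}

int main(void)
{
    char *space_form[] = {"snort", "--dump-dynamic-rules", "/tmp/", NULL};
    char *eq_form[] = {"snort", "--dump-dynamic-rules=/tmp/", NULL};
    struct parsed a = parse_args(3, space_form), b = parse_args(2, eq_form);
    printf("space form: leftover=%s error=%s\n", a.leftover, dump_error(&a));
    printf("'=' form:   dump_dir=%s error=%s\n", b.dump_dir, dump_error(&b) ? dump_error(&b) : "none");
    return 0;
}
```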
