[Snort-devel] dump dynamic rules problem.

Steven Sturges steve.sturges at ...402...
Wed Dec 23 09:02:00 EST 2009


What other command line arguments are you passing to snort?

When Snort prints out the version information and related details for each
of the various objects loaded, it is operating in its normal
run mode.

Husnu Demir wrote:
> Yes, I tried that option also, but no luck. There are no rules files in the /tmp/ dir.
> 
> I used the *.rules files in the so_rules directory and ran snort; it gave me the
> following result:
> 
> ..
> ..
> 
>         --== Initialization Complete ==--
> 
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.8.5.1 (Build 114)
>    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
>            Copyright (C) 1998-2009 Sourcefire, Inc., et al.
>            Using PCRE version: 7.6 2008-01-28
> 
>            Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.11  <Build 17>
>            Rules Object: netbios  Version 1.0  <Build 1>
>            Rules Object: imap  Version 1.0  <Build 1>
>            Rules Object: web-client  Version 1.0  <Build 1>
>            Rules Object: nntp  Version 1.0  <Build 1>
>            Rules Object: dos  Version 1.0  <Build 1>
>            Rules Object: smtp  Version 1.0  <Build 1>
>            Rules Object: web-misc  Version 1.0  <Build 1>
>            Rules Object: sql  Version 1.0  <Build 1>
>            Rules Object: multimedia  Version 1.0  <Build 1>
>            Rules Object: misc  Version 1.0  <Build 1>
>            Rules Object: p2p  Version 1.0  <Build 1>
>            Rules Object: web-activex  Version 1.0  <Build 1>
>            Rules Object: chat  Version 1.0  <Build 1>
>            Rules Object: exploit  Version 1.0  <Build 1>
>            Rules Object: bad-traffic  Version 1.0  <Build 1>
>            Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 2>
>            Preprocessor Object: SF_SSH  Version 1.1  <Build 2>
>            Preprocessor Object: SF_SSLPP  Version 1.1  <Build 3>
>            Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 12>
>            Preprocessor Object: SF_SMTP  Version 1.1  <Build 8>
>            Preprocessor Object: SF_DNS  Version 1.1  <Build 3>
>            Preprocessor Object: SF_Dynamic_Example_Preprocessor  Version 1.0  <Build 1>
>            Preprocessor Object: SF_DCERPC  Version 1.1  <Build 5>
> 
> 
> So it is working. But I could not dump the files. And there is no error.
> 
> Thanks.
> 
> hdemir.
> 
> Steven Sturges wrote:
>> Pretty sure you need an = between the option and the path, i.e.
> 
>> /usr/local/snort-2.8.5.1/bin/snort --dump-dynamic-rules=/tmp/
> 
>> Husnu Demir wrote:
>>> Hi People,
>>>
>>>
>>> /usr/local/snort-2.8.5.1/bin/snort --dump-dynamic-rules /tmp/ command is not
>>> working properly.
>>>
>>> /usr/local/snort-2.8.5.1/bin/snort --dump-dynamic-rules /tmp/
>>> Running in Rule Dump mode
>>>
>>>         --== Initializing Snort ==--
>>> Initializing Output Plugins!
>>> Snort BPF option: /tmp
>>> ERROR: snort.c(5049) Please specify the directory path for dumping the dynamic rules
>>> Fatal Error, Quitting..
>>>
>>>
>>>
>>> When I try
>>>
>>> /usr/local/snort-2.8.5.1/bin/snort --dump-dynamic-rules=/tmp
>>> Running in Rule Dump mode
>>>
>>>         --== Initializing Snort ==--
>>> Initializing Output Plugins!
>>> Dumping dynamic rules...
>>>   Finished dumping dynamic rules.
>>> Snort exiting
>>>
>>> ls /tmp
>>> total 0
>>>
>>>
>>>
>>> My snort config ..
>>>
>>> snips..
>>> ..
>>>
>>> dynamicdetection directory /usr/local/snort-2.8.5.1/lib/snort_dynamicrules/
>>> ..
>>>
>>>
>>> uname -a
>>> Linux kaf 2.6.26-2-xen-amd64 #1 SMP Thu Nov 5 04:27:12 UTC 2009 x86_64 GNU/Linux
>>>
>>> Also, I used the precompiled Ubuntu 8.04 rules.so.
>>>
>>>
>>> Thanks.
>>>
>>> hdemir.
>>>
>>> I used
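As an added example (not code from this thread or from the Snort project), the following POSIX shell wrapper runs the dump with the `=` form of the option, the one the thread shows working, and then refuses to trust "Finished dumping dynamic rules" unless stub files actually appeared in the target directory, since the thread shows that message printed while /tmp stayed empty. It also cross-checks the dump against the "Rules Object:" lines of a normal-mode banner. Assumptions not confirmed by the thread: the SNORT and SNORT_CONF paths, that `snort -T` prints the same object banner as a normal run, and that the dump writes one `<name>.rules` stub per "Rules Object: <name>" reported.

```shell
#!/bin/sh
# Added example, not part of the thread or of Snort itself.
# Assumed paths; override via the environment.
SNORT="${SNORT:-/usr/local/snort-2.8.5.1/bin/snort}"
SNORT_CONF="${SNORT_CONF:-/usr/local/snort-2.8.5.1/etc/snort.conf}"

# Read a Snort startup banner on stdin and print the name of every
# "Rules Object: <name>" line, one per line (preprocessor objects are ignored).
rules_objects_from_banner() {
    sed -n 's/^[[:space:]]*Rules Object: \([^[:space:]]*\).*/\1/p'
}

# Succeed (0) if the directory holds at least one *.rules file, else fail (1).
dump_dir_has_stubs() {
    dir="$1"
    n=$(find "$dir" -maxdepth 1 -type f -name '*.rules' 2>/dev/null | wc -l | tr -d ' ')
    [ "$n" -gt 0 ]
}

# For each object name on stdin, check that <dir>/<name>.rules exists
# (assumed stub naming). Print the missing names; return 1 if any are missing.
missing_stubs() {
    dir="$1"
    rc=0
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        if [ ! -f "$dir/$name.rules" ]; then
            echo "$name"
            rc=1
        fi
    done
    return $rc
}

# Run the dump. Note the '=': without it the path is consumed as a BPF
# filter, which is exactly the "Snort BPF option: /tmp" line in the thread.
run_dump() {
    dir="$1"
    mkdir -p "$dir"
    "$SNORT" -c "$SNORT_CONF" --dump-dynamic-rules="$dir"
}

# Whole procedure: dump, verify the directory is non-empty, then compare the
# stubs against the objects a normal-mode (-T) run reports.
dump_and_verify() {
    dir="$1"
    if ! run_dump "$dir" >/dev/null 2>&1; then
        echo "snort exited non-zero during the dump" >&2
        return 2
    fi
    if ! dump_dir_has_stubs "$dir"; then
        echo "dump reported success but $dir holds no *.rules files" >&2
        return 1
    fi
    banner=$("$SNORT" -c "$SNORT_CONF" -T 2>&1) || true
    if ! printf '%s\n' "$banner" | rules_objects_from_banner | missing_stubs "$dir"; then
        echo "the objects listed above have no stub in $dir" >&2
        return 1
    fi
    echo "ok: stubs in $dir match the Rules Object list"
}

# Usage: sh dump_check.sh /tmp/so_stubs
if [ "$#" -gt 0 ]; then
    dump_and_verify "$1"
fi
```

Run it as `sh dump_check.sh /tmp/so_stubs`; a non-zero exit with "holds no *.rules files" reproduces the symptom in the thread, and the missing-stub list narrows a partial dump down to specific shared objects.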
