[Snort-devel] dump dynamic rules problem.

Matt Watchinski mwatchinski at ...402...
Wed Dec 23 10:09:30 EST 2009


Maybe you truncated the following line in your previous email, but

/usr/local/snort-2.8.5.1/bin/snort --dump-dynamic-rules=/tmp

Snort doesn't know where the dynamic rules are if you don't give it a -c for
the snort.conf

snort -c snort.conf --dump-dynamic-rules=/tmp

Cheers,
-matt

2009/12/23 Husnu Demir <hdemir at ...287...>

>
> /usr/local/snort-2.8.5.1/bin/snort -l /var/log/snort/ -c
> /usr/local/snort-2.8.5.1/etc/snort.conf -i eth0
>
>
> hdemir.
>
> PS: I gave the last output to show that it is working with the so_rules but did not dump the so_rules.
>
>
>
>
>
> Steven Sturges wrote:
> > What other command line arguments are you passing to snort?
> >
> > When Snort prints out the version information and related for each
> > of the various objects loaded, it is operating in its normal
> > run mode.
> >
> > Husnu Demir wrote:
> >> Yes I tried that option also, but no luck. There are no rules files in the /tmp/ dir.
> >>
> >> I used the *.rules files in the so_rules directory and ran snort; it gave me the following result:
> >>
> >> ..
> >> ..
> >>
> >>         --== Initialization Complete ==--
> >>
> >>    ,,_     -*> Snort! <*-
> >>   o"  )~   Version 2.8.5.1 (Build 114)
> >>    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
> >>            Copyright (C) 1998-2009 Sourcefire, Inc., et al.
> >>            Using PCRE version: 7.6 2008-01-28
> >>
> >>            Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.11  <Build 17>
> >>            Rules Object: netbios  Version 1.0  <Build 1>
> >>            Rules Object: imap  Version 1.0  <Build 1>
> >>            Rules Object: web-client  Version 1.0  <Build 1>
> >>            Rules Object: nntp  Version 1.0  <Build 1>
> >>            Rules Object: dos  Version 1.0  <Build 1>
> >>            Rules Object: smtp  Version 1.0  <Build 1>
> >>            Rules Object: web-misc  Version 1.0  <Build 1>
> >>            Rules Object: sql  Version 1.0  <Build 1>
> >>            Rules Object: multimedia  Version 1.0  <Build 1>
> >>            Rules Object: misc  Version 1.0  <Build 1>
> >>            Rules Object: p2p  Version 1.0  <Build 1>
> >>            Rules Object: web-activex  Version 1.0  <Build 1>
> >>            Rules Object: chat  Version 1.0  <Build 1>
> >>            Rules Object: exploit  Version 1.0  <Build 1>
> >>            Rules Object: bad-traffic  Version 1.0  <Build 1>
> >>            Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 2>
> >>            Preprocessor Object: SF_SSH  Version 1.1  <Build 2>
> >>            Preprocessor Object: SF_SSLPP  Version 1.1  <Build 3>
> >>            Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 12>
> >>            Preprocessor Object: SF_SMTP  Version 1.1  <Build 8>
> >>            Preprocessor Object: SF_DNS  Version 1.1  <Build 3>
> >>            Preprocessor Object: SF_Dynamic_Example_Preprocessor  Version 1.0  <Build 1>
> >>            Preprocessor Object: SF_DCERPC  Version 1.1  <Build 5>
> >>
> >>
> >> So it is working. But I could not dump the files. And there is no error.
> >>
> >> Thanks.
> >>
> >> hdemir.
> >>
> >> Steven Sturges wrote:
> >>> Pretty sure you need an = between the option and the path, ie.
> >>> /usr/local/snort-2.8.5.1/bin/snort --dump-dynamic-rules=/tmp/
> >>> Husnu Demir wrote:
> >>>> Hi People,
> >>>>
> >>>>
> >>>> /usr/local/snort-2.8.5.1/bin/snort --dump-dynamic-rules /tmp/ command is not working properly.
> >>>>
> >>>> /usr/local/snort-2.8.5.1/bin/snort --dump-dynamic-rules /tmp/
> >>>> Running in Rule Dump mode
> >>>>
> >>>>         --== Initializing Snort ==--
> >>>> Initializing Output Plugins!
> >>>> Snort BPF option: /tmp
> >>>> ERROR: snort.c(5049) Please specify the directory path for dumping the dynamic rules
> >>>> Fatal Error, Quitting..
> >>>>
> >>>>
> >>>>
> >>>> When I try
> >>>>
> >>>> /usr/local/snort-2.8.5.1/bin/snort --dump-dynamic-rules=/tmp
> >>>> Running in Rule Dump mode
> >>>>
> >>>>         --== Initializing Snort ==--
> >>>> Initializing Output Plugins!
> >>>> Dumping dynamic rules...
> >>>>   Finished dumping dynamic rules.
> >>>> Snort exiting
> >>>>
> >>>> ls /tmp
> >>>> total 0
> >>>>
> >>>>
> >>>>
> >>>> My snort config ..
> >>>>
> >>>> snips..
> >>>> ..
> >>>>
> >>>> dynamicdetection directory /usr/local/snort-2.8.5.1/lib/snort_dynamicrules/
> >>>> ..
> >>>>
> >>>>
> >>>> uname -a
> >>>> Linux kaf 2.6.26-2-xen-amd64 #1 SMP Thu Nov 5 04:27:12 UTC 2009 x86_64 GNU/Linux
> >>>>
> >>>> Also I used precompiled Ubuntu 8.04 rules.so.
> >>>>
> >>>>
> >>>> Thanks.
> >>>>
> >>>> hdemir.
> >>>>
> >>>> I used
> >>>
>
>
>
>
>


-- 
Matthew Watchinski
Sr. Director Vulnerability Research Team (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
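An added shell wrapper (not from this thread or from the Snort project) for the point Matt makes: the dump needs -c so Snort can find the dynamicdetection directory, and Snort exits successfully even when nothing is written. The wrapper checks the config first and treats an empty output directory as a failure; the binary, config and output paths are parameters, not values taken from the thread.

```shell
#!/bin/sh
# Added example: run --dump-dynamic-rules with the snort.conf and verify that
# rule files actually appeared, instead of trusting "Finished dumping".

# Print the directories declared with "dynamicdetection directory" in a snort.conf.
dynamicdetection_dirs() {
    awk '$1 == "dynamicdetection" && $2 == "directory" { print $3 }' "$1"
}

# Count the .rules files present directly in the output directory.
count_rule_files() {
    find "$1" -maxdepth 1 -name '*.rules' 2>/dev/null | wc -l | tr -d ' '
}

# dump_dynamic_rules SNORT_BIN SNORT_CONF OUTDIR
# Returns 2 if the config declares no dynamicdetection directory (so Snort
# would have no shared-object rules to dump), 1 if snort itself fails, and
# 3 if snort reported success but wrote no .rules files.
dump_dynamic_rules() {
    snort_bin=$1; conf=$2; outdir=$3
    if [ -z "$(dynamicdetection_dirs "$conf")" ]; then
        echo "no 'dynamicdetection directory' line in $conf" >&2
        return 2
    fi
    mkdir -p "$outdir"
    # -c is what lets Snort locate the dynamic rules before dumping them.
    "$snort_bin" -c "$conf" --dump-dynamic-rules="$outdir" || return 1
    n=$(count_rule_files "$outdir")
    if [ "$n" -eq 0 ]; then
        echo "dump reported success but $outdir holds no .rules files" >&2
        return 3
    fi
    echo "dumped $n rule file(s) to $outdir"
}
```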

