[Snort-devel] dump dynamic rules problem.

Husnu Demir hdemir at ...287...
Wed Dec 23 10:27:31 EST 2009



Thanks.

I am pretty sure I tried that but could not manage. Perhaps I tried that without
the "=" sign. Perhaps you should add the "=" sign to the --help option :)


Best regards.
hdemir.


Matt Watchinski wrote:
> Maybe you truncated the following line in your previous email, but
> 
> /usr/local/snort-2.8.5.1/bin/snort --dump-dynamic-rules=/tmp
> 
> Snort doesn't know where the dynamic rules are if you don't give it a -c
> for the snort.conf
> 
> snort -c snort.conf --dump-dynamic-rules=/tmp
> 
> Cheers,
> -matt
> 
> 2009/12/23 Husnu Demir <hdemir at ...287...>
> 
> /usr/local/snort-2.8.5.1/bin/snort -l /var/log/snort/ -c
> /usr/local/snort-2.8.5.1/etc/snort.conf -i eth0
> 
> 
> hdemir.
> 
> PS: I gave the last output to show that it is working with the
> so_rules but did not dump the so_rules.
> 
> 
> 
> 
> 
> Steven Sturges wrote:
>> What other command line arguments are you passing to snort?
> 
>> When Snort prints out the version information and related for each
>> of the various objects loaded, it is operating in its normal
>> run mode.
> 
>> Husnu Demir wrote:
>>> Yes I tried that option also, but no luck. There are no rules
>>> files in /tmp/ dir.
>>>
>>> I used the *.rules files in so_rules directory and ran snort;
>>> it gave me the following result;
>>>
>>> ..
>>> ..
>>>
>>>         --== Initialization Complete ==--
>>>
>>>    ,,_     -*> Snort! <*-
>>>   o"  )~   Version 2.8.5.1 (Build 114)
>>>    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
>>>            Copyright (C) 1998-2009 Sourcefire, Inc., et al.
>>>            Using PCRE version: 7.6 2008-01-28
>>>
>>>            Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.11  <Build 17>
>>>            Rules Object: netbios  Version 1.0  <Build 1>
>>>            Rules Object: imap  Version 1.0  <Build 1>
>>>            Rules Object: web-client  Version 1.0  <Build 1>
>>>            Rules Object: nntp  Version 1.0  <Build 1>
>>>            Rules Object: dos  Version 1.0  <Build 1>
>>>            Rules Object: smtp  Version 1.0  <Build 1>
>>>            Rules Object: web-misc  Version 1.0  <Build 1>
>>>            Rules Object: sql  Version 1.0  <Build 1>
>>>            Rules Object: multimedia  Version 1.0  <Build 1>
>>>            Rules Object: misc  Version 1.0  <Build 1>
>>>            Rules Object: p2p  Version 1.0  <Build 1>
>>>            Rules Object: web-activex  Version 1.0  <Build 1>
>>>            Rules Object: chat  Version 1.0  <Build 1>
>>>            Rules Object: exploit  Version 1.0  <Build 1>
>>>            Rules Object: bad-traffic  Version 1.0  <Build 1>
>>>            Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 2>
>>>            Preprocessor Object: SF_SSH  Version 1.1  <Build 2>
>>>            Preprocessor Object: SF_SSLPP  Version 1.1  <Build 3>
>>>            Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 12>
>>>            Preprocessor Object: SF_SMTP  Version 1.1  <Build 8>
>>>            Preprocessor Object: SF_DNS  Version 1.1  <Build 3>
>>>            Preprocessor Object: SF_Dynamic_Example_Preprocessor  Version 1.0  <Build 1>
>>>            Preprocessor Object: SF_DCERPC  Version 1.1  <Build 5>
>>>
>>>
>>> So it is working. But I could not dump the files. And there is no
>>> error.
>>>
>>> Thanks.
>>>
>>> hdemir.
>>>
>>> Steven Sturges wrote:
>>>> Pretty sure you need an = between the option and the path, ie.
>>>> /usr/local/snort-2.8.5.1/bin/snort --dump-dynamic-rules=/tmp/
>>>> Husnu Demir wrote:
>>>>> Hi People,
>>>>>
>>>>>
>>>>> /usr/local/snort-2.8.5.1/bin/snort --dump-dynamic-rules /tmp/
>>>>> command is not working properly.
>>>>>
>>>>> /usr/local/snort-2.8.5.1/bin/snort --dump-dynamic-rules /tmp/
>>>>> Running in Rule Dump mode
>>>>>
>>>>>         --== Initializing Snort ==--
>>>>> Initializing Output Plugins!
>>>>> Snort BPF option: /tmp
>>>>> ERROR: snort.c(5049) Please specify the directory path for dumping the dynamic rules
>>>>> Fatal Error, Quitting..
>>>>>
>>>>>
>>>>>
>>>>> When I try
>>>>>
>>>>> /usr/local/snort-2.8.5.1/bin/snort --dump-dynamic-rules=/tmp
>>>>> Running in Rule Dump mode
>>>>>
>>>>>         --== Initializing Snort ==--
>>>>> Initializing Output Plugins!
>>>>> Dumping dynamic rules...
>>>>>   Finished dumping dynamic rules.
>>>>> Snort exiting
>>>>>
>>>>> ls /tmp
>>>>> total 0
>>>>>
>>>>>
>>>>>
>>>>> My snort config ..
>>>>>
>>>>> snips..
>>>>> ..
>>>>>
>>>>> dynamicdetection directory /usr/local/snort-2.8.5.1/lib/snort_dynamicrules/
>>>>> ..
>>>>>
>>>>>
>>>>> uname -a
>>>>> Linux kaf 2.6.26-2-xen-amd64 #1 SMP Thu Nov 5 04:27:12 UTC 2009 x86_64 GNU/Linux
>>>>>
>>>>> Also I used precompiled Ubuntu 8.04 rules.so.
>>>>>
>>>>>
>>>>> Thanks.
>>>>>
>>>>> hdemir.
>>>>>
>>>>> I used
>>>>
> 
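The thread turns on how Snort's option parser binds a value to --dump-dynamic-rules: in the space form the path is not attached to the option and falls through as a positional word (which is why the transcript shows "Snort BPF option: /tmp" and then the "Please specify the directory path" error), while the = form binds it. The C program below is an added example, not Snort's own code; it assumes Snort 2.8 declares the option with getopt_long's optional_argument (the behaviour the transcript exhibits), and the two argv arrays are constructed samples, not captured from a real system.

```c
#define _GNU_SOURCE
#include <getopt.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Result of one parse, mirroring the pieces of the Snort command line the
 * thread is about. The struct and field names are this example's own. */
struct dump_opts {
    int         dump_mode;   /* --dump-dynamic-rules was seen at all */
    const char *dump_dir;    /* its =value, or NULL when nothing was attached */
    const char *config;      /* -c value */
    const char *positional;  /* first non-option word (Snort takes it as the BPF filter) */
};

/* optional_argument means only "--name=value" binds a value to the option;
 * "--name value" leaves "value" as an ordinary positional argument. */
static const struct option long_opts[] = {
    {"dump-dynamic-rules", optional_argument, NULL, 'D'},
    {0, 0, 0, 0}
};

struct dump_opts parse_cmdline(int argc, char **argv)
{
    struct dump_opts o = {0, NULL, NULL, NULL};
    int c;

    /* getopt keeps global state; reset it so the function can be called repeatedly
     * (glibc re-initialises on optind = 0, other libcs on optind = 1). */
#if defined(__GLIBC__)
    optind = 0;
#else
    optind = 1;
#endif
    opterr = 0;

    while ((c = getopt_long(argc, argv, "c:", long_opts, NULL)) != -1) {
        switch (c) {
        case 'D':
            o.dump_mode = 1;
            o.dump_dir = optarg;   /* NULL unless written as --dump-dynamic-rules=DIR */
            break;
        case 'c':
            o.config = optarg;     /* -c takes a required argument, so "-c file" binds */
            break;
        default:
            break;                 /* unknown option: ignored in this example */
        }
    }
    if (optind < argc)
        o.positional = argv[optind];
    return o;
}

/* Constructed sample command lines, the two forms discussed in the thread. */
static char *space_form[]  = {"snort", "--dump-dynamic-rules", "/tmp", NULL};
static char *equals_form[] = {"snort", "-c", "snort.conf", "--dump-dynamic-rules=/tmp", NULL};

struct dump_opts parse_space_form(void)  { return parse_cmdline(3, space_form); }
struct dump_opts parse_equals_form(void) { return parse_cmdline(4, equals_form); }

int main(void)
{
    struct dump_opts s = parse_space_form();
    struct dump_opts e = parse_equals_form();

    printf("space form : dump_dir=%s positional=%s\n",
           s.dump_dir ? s.dump_dir : "(none)",
           s.positional ? s.positional : "(none)");
    printf("equals form: dump_dir=%s config=%s positional=%s\n",
           e.dump_dir ? e.dump_dir : "(none)",
           e.config ? e.config : "(none)",
           e.positional ? e.positional : "(none)");
    return 0;
}
```

Run stand-alone, the space form reports no dump directory and "/tmp" as the positional word, which is exactly the state the original error message complains about; the equals form reports both the config file and the directory bound. The same asymmetry applies to any optional-argument long option, so when a tool's --help lists an option as taking an optional value, write it with = unless the help text says otherwise.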

_______________________________________________
Snort-devel mailing list
Snort-devel at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel




> -- 
> Matthew Watchinski
> Sr. Director Vulnerability Research Team (VRT)
> Sourcefire, Inc.
> Office: 410-423-1928
> http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/


