[Snort-devel] Snort 2.9.3.1 so rules seems not working

Paul Tsang paul.tsang at ...3356...
Tue Jan 8 22:27:46 EST 2013


Dear develop team,

 

I have installed snort 2.9.3.1 with barnyard2 successfully.

Here is how I installed snort:

./configure 

make

make install

 

1. When I only enable rules, using Nessus Scan, there are alerts
(like: SQL union select - possible sql injection attempt - GET parameter).

2. When I only enable so rules, using Nessus Scan, there are NO alerts.

Below are the steps to enable so rules:

cp so_rules/precompiled/Centos-5-4/x86-64/2.9.3.1/* /usr/local/lib/snort_dynamicrule

Change snort.conf 

2.1 Make sure the dynamic preprocessor and dynamic engine paths are:

a. dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor

b. dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so

2.2 Make sure the path to the location of the shared object rules is:

c. dynamicdetection directory /usr/local/lib/snort_dynamicrule

2.3 Dump the stub rules by issuing the command:

d. snort -c /usr/local/etc/snort/snort.conf --dump-dynamic-rules=/usr/local/etc/snort/so_rules

2.4 Dump the stub rules by issuing the command: (run ok)

snort -c /etc/snort/snort.conf --dump-dynamic-rules=/snort/so_rules

 

Attached is my snort configuration file. Please give me a suggestion as to
what is going on with my so rules and provide a solution. Thanks!

 

Best regards, 

Paul Tsang 
Assistant Security Consultant

Security Services

CITIC Telecom International CPC Limited

20/F, Lincoln House, Taikoo Place, 979 King's Road, Quarry Bay, Hong Kong 
D: (852) 2170 2529   F: (852) 2795 1262

E:  <mailto:eric.chan at ...3356...> paul.tsang at ...3356...   W:
www.citictel-cpc.com 


Email Disclaimer
The information contained in this e-mail (and attachment(s)) is
confidential and is intended solely for the addressee.  If you are not the
intended recipient, please notify the sender immediately and delete this
e-mail from your system.  Any unauthorised use, disclosure, copying,
printing, forwarding or dissemination of or dealing with any part of this
information is prohibited.  CITIC Telecom International CPC Limited does
not bear any responsibility for the contents of any e-mail transmitted by
its staff for any reason other than bona fide business purposes.  Any
information that is not transmitted via secure, tamper-proof technology
should not be relied upon, unless advised or agreed otherwise in writing
by an authorised representative of the Company.  As information sent under
e-mail could be intercepted, corrupted, lost, destroyed, incomplete, or
could arrive late or contain viruses, the Company does not accept
liability or obligation for any errors or omissions in the contents of
this e-mail (and attachment(s)), which arise as result of email
transmission.  Where applicable, if the sender sends this e-mail as an
agent for a principal (disclosed or otherwise), all rights of such
principal regarding confidentiality, non-disclosure and privilege against
the recipient are hereby reserved. 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20130109/e6202c18/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.jpg
Type: image/jpeg
Size: 29460 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20130109/e6202c18/attachment.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort.conf.log
Type: application/octet-stream
Size: 22923 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20130109/e6202c18/attachment.obj>
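An added example, not part of Paul's message or of the Snort project, that checks a snort.conf the way steps 2.1 to 2.4 above set it up: it reads the `dynamicdetection directory` path, counts the compiled `.so` libraries in it, and counts the `include` lines that pull in the stub rules written by `--dump-dynamic-rules`, since Snort only loads shared-object rules whose stubs are included in the configuration. The directory paths are the ones from the post; the sample tree, the `lib_web-misc.so` file name and the `web-misc.rules` stub are constructed placeholders so the script can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the original post or the Snort project: offline
# sanity checks for a Snort 2.9.x shared-object (SO) rule setup. It inspects
# snort.conf and the SO rule directory the way an administrator would before
# asking why SO rules never alert. Directory paths are the ones from the post;
# the sample tree built by build_scenario is constructed for testing.

# Print the path given by "dynamicdetection directory <path>" (empty if absent).
so_rule_dir() {
    awk '$1 == "dynamicdetection" && $2 == "directory" { print $3; exit }' "$1"
}

# Count compiled rule libraries (*.so) in an SO rule directory (0 if none or missing).
count_so_libs() {
    [ -d "$1" ] || { echo 0; return; }
    ls "$1"/*.so 2>/dev/null | wc -l | tr -d ' '
}

# Count "include" lines that pull in dumped stub rules, whether written under a
# so_rules directory or referenced through the usual $SO_RULE_PATH variable.
count_stub_includes() {
    awk '$1 == "include" && $2 ~ "(so_rules|SO_RULE_PATH)/[^/]*[.]rules$" { n++ }
         END { print n + 0 }' "$1"
}

# Report the state of an SO rule setup on one line: "OK" or a list of problems.
# $1 = snort.conf, $2 = optional SO rule directory override.
check_so_setup() {
    conf="$1"
    dir="${2:-$(so_rule_dir "$conf")}"
    problems=""
    [ -n "$dir" ] || problems="$problems no-dynamicdetection-directive;"
    [ "$(count_so_libs "$dir")" -gt 0 ] || problems="$problems no-so-libraries-in-${dir:-?};"
    [ "$(count_stub_includes "$conf")" -gt 0 ] || problems="$problems stub-rules-not-included;"
    if [ -z "$problems" ]; then echo OK; else echo "PROBLEMS:$problems"; fi
}

# Build a constructed test tree under $1 mirroring the post: one placeholder .so
# library and a snort.conf pointing at it. Pass "with-stubs" as $2 to also add
# the include line for the dumped stub rules. Prints the snort.conf path.
build_scenario() {
    base="$1"
    mkdir -p "$base/snort_dynamicrule" "$base/so_rules"
    : > "$base/snort_dynamicrule/lib_web-misc.so"   # placeholder, not a real library
    : > "$base/so_rules/web-misc.rules"              # what --dump-dynamic-rules would write
    {
        echo 'dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor'
        echo 'dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so'
        echo "dynamicdetection directory $base/snort_dynamicrule"
        echo 'include $RULE_PATH/sql.rules'
        if [ "$2" = "with-stubs" ]; then
            echo "include $base/so_rules/web-misc.rules"
        fi
    } > "$base/snort.conf"
    echo "$base/snort.conf"
}

# Usage against a live install: check_so_setup /usr/local/etc/snort/snort.conf
```

Run against the real configuration, a result of `PROBLEMS: stub-rules-not-included;` means the libraries are in place and the dump step ran, but nothing in snort.conf includes the generated stub files, which is the one step the four numbered items above do not cover.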

