[Snort-users] Snort not loading dynamic rules?

Joel Esler jesler at ...1935...
Wed Feb 10 16:18:48 EST 2010


Andy,

Just talked to someone in dev.  The "Dynamic Rules" are the 'activate/dynamic' kind, which are not the Shared Object kind.  

But to your below point, comment out the stub rules in your snort.conf: the lines you have that use "SORULE_PATH".

J

On Feb 10, 2010, at 4:03 PM, Andy Berryman wrote:

> Commented them out in snort.conf:
>  
> #dynamicdetection directory /cf2/cymtec/scout/snort_lib/snort_dynamicrules
>  
>  
> Restarted snort.
>  
>  
> Feb 10 20:41:40 (none) snort[25797]:
> Feb 10 20:41:40 (none) snort[25797]: +++++++++++++++++++++++++++++++++++++++++++++++++++
> Feb 10 20:41:40 (none) snort[25797]: Initializing rule chains...
> Feb 10 20:41:57 (none) snort[25797]: 6154 Snort rules read
> Feb 10 20:41:57 (none) snort[25797]:     5912 detection rules
> Feb 10 20:41:57 (none) snort[25797]:     65 decoder rules
> Feb 10 20:41:57 (none) snort[25797]:     177 preprocessor rules
> Feb 10 20:41:57 (none) snort[25797]: 6154 Option Chains linked into 624 Chain Headers
> Feb 10 20:41:57 (none) snort[25797]: 0 Dynamic rules
> Feb 10 20:41:57 (none) snort[25797]: +++++++++++++++++++++++++++++++++++++++++++++++++++
>  
> Went back into snort.conf and put the line back in:
>  
> dynamicdetection directory /cf2/cymtec/scout/snort_lib/snort_dynamicrules
>  
> Restarted snort:
>  
> Feb 10 20:42:56 (none) snort[25870]: +++++++++++++++++++++++++++++++++++++++++++++++++++
> Feb 10 20:42:56 (none) snort[25870]: Initializing rule chains...
> Feb 10 20:43:12 (none) snort[25870]: 6154 Snort rules read
> Feb 10 20:43:12 (none) snort[25870]:     5912 detection rules
> Feb 10 20:43:12 (none) snort[25870]:     65 decoder rules
> Feb 10 20:43:12 (none) snort[25870]:     177 preprocessor rules
> Feb 10 20:43:12 (none) snort[25870]: 6154 Option Chains linked into 624 Chain Headers
> Feb 10 20:43:12 (none) snort[25870]: 0 Dynamic rules
> Feb 10 20:43:12 (none) snort[25870]: +++++++++++++++++++++++++++++++++++++++++++++++++++
>  
>  
> Thanks,
> Andy
>  
>  
> From: Joel Esler [mailto:jesler at ...1935...] 
> Sent: Wednesday, February 10, 2010 2:56 PM
> To: Andy Berryman
> Cc: snort-users at lists.sourceforge.net; Joshua Polsky
> Subject: Re: [Snort-users] Snort not loading dynamic rules?
>  
> My Snort says "0 Dynamic Rules" as well, but I know it's loading them, since I am getting alerts from them.
>  
> Try commenting them out in the snort.conf and look at this number:
>  
> 6154 Snort rules read
>  
> Then turn them back on and look at the number again.
>  
> J
>  
> On Feb 10, 2010, at 3:46 PM, Andy Berryman wrote:
> 
> 
> I thought I read somewhere that when it says it loaded 0 dynamic rules that it really didn't mean anything. I'm just trying to double check myself to make sure it wasn't a dream.
>  
> When I start snort and tail syslog I get this
>  
> 0998]: Initializing rule chains...
> Feb 10 19:11:49 (none) snort[20998]: 6154 Snort rules read
> Feb 10 19:11:49 (none) snort[20998]:     5912 detection rules
> Feb 10 19:11:49 (none) snort[20998]:     65 decoder rules
> Feb 10 19:11:49 (none) snort[20998]:     177 preprocessor rules
> Feb 10 19:11:49 (none) snort[20998]: 6154 Option Chains linked into 624 Chain Headers
> Feb 10 19:11:49 (none) snort[20998]: 0 Dynamic rules
>  
>  
> I have my so.rules in my snort.conf
>  
> dynamicdetection directory /snort_lib/snort_dynamicrules
> dynamicpreprocessor directory /snort_lib/snort_dynamicpreprocessor
> dynamicengine directory /snort_lib/snort_dynamicengine
>  
> var RULE_PATH /snort/conf
>  
>  
> include $RULE_PATH/so.rules
> include $RULE_PATH/preprocessor.rules
> include $RULE_PATH/decoder.rules
>  
> I dump all the dynamic rules from snort_dynamicrules to the so_rules, then I go into each of the directories it creates and copy the rules to a single so.rules file. 
> I do this so I have a somewhat clean snort.conf file.
>  
> Is it a problem that I have all the so_rules in a single so.rules file?
>  
> Or do they need to be like this:
> include $SORULE_PATH/bad-traffic.rules
> include $SORULE_PATH/chat.rules
> include $SORULE_PATH/dos.rules
> include $SORULE_PATH/exploit.rules
> include $SORULE_PATH/imap.rules
> include $SORULE_PATH/misc.rules
> include $SORULE_PATH/multimedia.rules
> include $SORULE_PATH/netbios.rules
> include $SORULE_PATH/nntp.rules
> include $SORULE_PATH/p2p.rules
> include $SORULE_PATH/smtp.rules
> include $SORULE_PATH/sql.rules
> include $SORULE_PATH/web-client.rules
> include $SORULE_PATH/web-misc.rules
>  
> Thanks,
> Andy Berryman
>  
>  
> --
> Joel Esler
> 302-223-5974
>  

--
Joel Esler
302-223-5974
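A small parser for the startup summaries pasted in this thread, added here as an example (not code from the list or from the Snort project): it pulls the rule counters out of the syslog lines and applies Joel's check of comparing "Snort rules read" across two restarts. The sample log text is constructed from the lines quoted above.

```python
import re

# Patterns for the per-run summary Snort 2.x writes to syslog at startup
# (the same lines Andy pasted above). The timestamp/host/pid prefix is not
# matched, so a partially cut-off line still parses.
_PATTERNS = {
    "total": re.compile(r"(\d+) Snort rules read"),
    "detection": re.compile(r"(\d+) detection rules"),
    "decoder": re.compile(r"(\d+) decoder rules"),
    "preprocessor": re.compile(r"(\d+) preprocessor rules"),
    "dynamic": re.compile(r"(\d+) Dynamic rules"),
}

def parse_rule_summary(log_text):
    """Return the rule counters from one Snort startup summary as a dict."""
    counts = {}
    for line in log_text.splitlines():
        for key, pat in _PATTERNS.items():
            m = pat.search(line)
            if m:
                counts[key] = int(m.group(1))
    return counts

def compare_runs(without_so, with_so):
    """Per-counter delta between a run without the SO stub includes and one with them.

    Joel's test: a change in 'Snort rules read' is what shows whether the
    include lines contributed rules; 'Dynamic rules' counts activate/dynamic
    rule types, so it is 0 in both runs quoted above.
    """
    keys = set(without_so) | set(with_so)
    return {k: with_so.get(k, 0) - without_so.get(k, 0) for k in sorted(keys)}

# Constructed sample: the two startup summaries from the thread
# (dynamicdetection directory commented out, then restored).
RUN_WITHOUT = """\
Feb 10 20:41:57 (none) snort[25797]: 6154 Snort rules read
Feb 10 20:41:57 (none) snort[25797]:     5912 detection rules
Feb 10 20:41:57 (none) snort[25797]:     65 decoder rules
Feb 10 20:41:57 (none) snort[25797]:     177 preprocessor rules
Feb 10 20:41:57 (none) snort[25797]: 0 Dynamic rules
"""
RUN_WITH = RUN_WITHOUT.replace("25797", "25870").replace("20:41:57", "20:43:12")

if __name__ == "__main__":
    before, after = parse_rule_summary(RUN_WITHOUT), parse_rule_summary(RUN_WITH)
    for key, delta in compare_runs(before, after).items():
        print(f"{key:13s} {before.get(key, 0):6d} -> {after.get(key, 0):6d}  ({delta:+d})")
```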
