[Snort-users] Snort not loading dynamic rules?

Ryan Jordan ryan.jordan at ...1935...
Thu Feb 11 11:09:02 EST 2010


I believe Dynamic rules have largely been replaced by rules with Flowbits.

On Wed, Feb 10, 2010 at 5:23 PM, Joel Esler <jesler at ...1935...> wrote:
> I think you pasted the same thing twice.
> Dynamic rules, as listed below, are the "Activate/Dynamic" rules, not the
> SO rules.  Therefore, if you don't have Dynamic rules, it will always read
> 0.  VRT ships zero Dynamic rules.  So, if you are running the VRT ruleset,
> you will have 0 there.
> Matter of fact, I don't think anyone ships dynamic rules.  I don't know
> anyone that uses them.  (Not saying there isn't, I've just never run across
> them)
> J
> On Feb 10, 2010, at 5:01 PM, Andy Berryman wrote:
>
> Commented out the so.rules and it worked for that.
>
> Feb 10 21:25:44 (none) snort[28150]: +++++++++++++++++++++++++++++++++++++++++++++++++++
> Feb 10 21:25:44 (none) snort[28150]: Initializing rule chains...
> Feb 10 21:26:00 (none) snort[28150]: 5660 Snort rules read
> Feb 10 21:26:00 (none) snort[28150]:     5418 detection rules
> Feb 10 21:26:00 (none) snort[28150]:     65 decoder rules
> Feb 10 21:26:00 (none) snort[28150]:     177 preprocessor rules
> Feb 10 21:26:00 (none) snort[28150]: 5660 Option Chains linked into 595 Chain Headers
> Feb 10 21:26:00 (none) snort[28150]: 0 Dynamic rules
> Feb 10 21:26:00 (none) snort[28150]: +++++++++++++++++++
>
>
> Commented back in:
>
> Feb 10 21:25:44 (none) snort[28150]: +++++++++++++++++++++++++++++++++++++++++++++++++++
> Feb 10 21:25:44 (none) snort[28150]: Initializing rule chains...
> Feb 10 21:26:00 (none) snort[28150]: 5660 Snort rules read
> Feb 10 21:26:00 (none) snort[28150]:     5418 detection rules
> Feb 10 21:26:00 (none) snort[28150]:     65 decoder rules
> Feb 10 21:26:00 (none) snort[28150]:     177 preprocessor rules
> Feb 10 21:26:00 (none) snort[28150]: 5660 Option Chains linked into 595 Chain Headers
> Feb 10 21:26:00 (none) snort[28150]: 0 Dynamic rules
> Feb 10 21:26:00 (none) snort[28150]: +++++++++++++++++++
>
>
> So, what you're getting at is the Dynamic rules will always show zero. Is
> there a real way to tell if they were loaded? Or is that what commenting out
> the stub rules (so_rules) does?
>
> Andy
>
> From: Joel Esler [mailto:jesler at ...1935...]
> Sent: Wednesday, February 10, 2010 3:19 PM
> To: Andy Berryman
> Cc: snort-users at lists.sourceforge.net List
> Subject: Re: [Snort-users] Snort not loading dynamic rules?
>
> Andy,
>
> Just talked to someone in dev.  The "Dynamic Rules" are the
> 'activate/dynamic' kind, which are not the Shared Object kind.
>
> But to your below point, comment out the stub rules in your snort.conf: the
> lines you have that use "SORULE_PATH".
>
> J
>
> --
> Joel Esler
> 302-223-5974
>
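
Added example, not part of the original thread or of Snort: a small script that compares the startup counters from two pasted syslog captures, one taken with the SORULE_PATH stub includes enabled and one with them commented out, and refuses to compare when both captures come from the same Snort start (same timestamp and PID), as happened with the two pastes above. It assumes, as the thread suggests, that toggling the stub includes shows up in these counters; the second capture's numbers are constructed.

```python
import re

# "Feb 10 21:25:44 (none) snort[28150]: <message>" as seen in the thread's syslog output
LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ snort\[(\d+)\]:\s*(.*)$")
COUNTER = re.compile(r"^(\d+)\s+(Snort rules read|detection rules|decoder rules|"
                     r"preprocessor rules|Dynamic rules)\b")

def parse_startup(text):
    """Return (run_id, counters) for one pasted startup block."""
    run_id, counters = None, {}
    for raw in text.splitlines():
        m = LINE.match(re.sub(r"^(?:>\s?)+", "", raw))  # drop e-mail quote markers
        if not m:
            continue  # wrapped continuation lines and blanks carry no counter
        stamp, pid, msg = m.groups()
        run_id = run_id or (stamp, pid)  # first timestamp + PID identify the run
        c = COUNTER.match(msg)
        if c:
            counters[c.group(2)] = int(c.group(1))
    return run_id, counters

def compare_runs(with_stubs, without_stubs):
    """Return {counter: (with, without)} for every counter that differs."""
    id_a, a = parse_startup(with_stubs)
    id_b, b = parse_startup(without_stubs)
    if id_a == id_b:
        raise ValueError("both blocks are from the same Snort start (same timestamp and PID)")
    return {k: (a.get(k), b.get(k))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}

# Sample captures in the thread's format. WITHOUT_STUBS is constructed for this
# example (different PID, time and counts); it is not real Snort output.
WITH_STUBS = """\
> Feb 10 21:25:44 (none) snort[28150]: Initializing rule chains...
> Feb 10 21:26:00 (none) snort[28150]: 5660 Snort rules read
> Feb 10 21:26:00 (none) snort[28150]:     5418 detection rules
> Feb 10 21:26:00 (none) snort[28150]:     65 decoder rules
> Feb 10 21:26:00 (none) snort[28150]:     177 preprocessor rules
> Feb 10 21:26:00 (none) snort[28150]: 0 Dynamic rules
"""
WITHOUT_STUBS = (WITH_STUBS.replace("28150", "28411").replace("21:2", "21:4")
                 .replace("5660", "5600").replace("5418", "5358"))

if __name__ == "__main__":
    print(compare_runs(WITH_STUBS, WITHOUT_STUBS))
```

The "Dynamic rules" counter is absent from the result because it is 0 in both captures, which matches the thread's point that it counts activate/dynamic rules rather than SO rules.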
