[Snort-users] Snort not loading dynamic rules?

Seth Art sethsec at ...11827...
Fri Feb 12 12:03:17 EST 2010


How about a feature request to show in that same output how many
shared object rules are running?  Right after the "preprocessor rules"
would be a good place I think.

When I first tested with so_rules last year I remember having similar
confusion.  I ended up doing exactly what Joel recommended here to
confirm that they were in fact loaded.

-Seth




On Thu, Feb 11, 2010 at 11:09 AM, Ryan Jordan
<ryan.jordan at ...1935...> wrote:
> I believe Dynamic rules have largely been replaced by rules with Flowbits.
>
> On Wed, Feb 10, 2010 at 5:23 PM, Joel Esler <jesler at ...1935...> wrote:
>> I think you pasted the same thing twice.
>> Dynamic rules, as listed below, are the "Activate/Dynamic" rules, not the
>> SO rules.  Therefore, if you don't have Dynamic rules, it will always read
>> 0.  VRT ships zero Dynamic rules.  So, if you are running the VRT ruleset,
>> you will have 0 there.
>> Matter of fact, I don't think anyone ships dynamic rules.  I don't know
>> anyone that uses them.  (Not saying there isn't, I've just never run across
>> them.)
>> J
>> On Feb 10, 2010, at 5:01 PM, Andy Berryman wrote:
>>
>> Commented out the so.rules and it worked for that.
>>
>> Feb 10 21:25:44 (none) snort[28150]:
>> +++++++++++++++++++++++++++++++++++++++++++++++++++
>> Feb 10 21:25:44 (none) snort[28150]: Initializing rule chains...
>> Feb 10 21:26:00 (none) snort[28150]: 5660 Snort rules read
>> Feb 10 21:26:00 (none) snort[28150]:     5418 detection rules
>> Feb 10 21:26:00 (none) snort[28150]:     65 decoder rules
>> Feb 10 21:26:00 (none) snort[28150]:     177 preprocessor rules
>> Feb 10 21:26:00 (none) snort[28150]: 5660 Option Chains linked into 595
>> Chain Headers
>> Feb 10 21:26:00 (none) snort[28150]: 0 Dynamic rules
>> Feb 10 21:26:00 (none) snort[28150]: +++++++++++++++++++
>>
>>
>> Commented back in:
>>
>> Feb 10 21:25:44 (none) snort[28150]:
>> +++++++++++++++++++++++++++++++++++++++++++++++++++
>> Feb 10 21:25:44 (none) snort[28150]: Initializing rule chains...
>> Feb 10 21:26:00 (none) snort[28150]: 5660 Snort rules read
>> Feb 10 21:26:00 (none) snort[28150]:     5418 detection rules
>> Feb 10 21:26:00 (none) snort[28150]:     65 decoder rules
>> Feb 10 21:26:00 (none) snort[28150]:     177 preprocessor rules
>> Feb 10 21:26:00 (none) snort[28150]: 5660 Option Chains linked into 595
>> Chain Headers
>> Feb 10 21:26:00 (none) snort[28150]: 0 Dynamic rules
>> Feb 10 21:26:00 (none) snort[28150]: +++++++++++++++++++
>>
>>
>> So, what you're getting at is the Dynamic rules will always show zero. Is
>> there a real way to tell if they were loaded? Or is that what commenting out
>> the stub rules (so_rules) does?
>>
>> Andy
>>
>> From: Joel Esler [mailto:jesler at ...1935...]
>> Sent: Wednesday, February 10, 2010 3:19 PM
>> To: Andy Berryman
>> Cc: snort-users at lists.sourceforge.net List
>> Subject: Re: [Snort-users] Snort not loading dynamic rules?
>>
>> Andy,
>>
>> Just talked to someone in dev.  The "Dynamic Rules" are the
>> 'activate/dynamic' kind.  Which are not the Shared Object kind.
>>
>> But to your below point, comment out the stub rules in your snort.conf.  The
>> lines you have that use "SORULE_PATH"
>>
>> J
>>
>>
>>
>> --
>> Joel Esler
>> 302-223-5974
>>
>>
>>
>>
>>
>> ------------------------------------------------------------------------------
>> SOLARIS 10 is the OS for Data Centers - provides features such as DTrace,
>> Predictive Self Healing and Award Winning ZFS. Get Solaris 10 NOW
>> http://p.sf.net/sfu/solaris-dev2dev
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>
>
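Seth's feature request (an SO rule count next to the preprocessor count) can be approximated outside Snort by reading snort.conf. The script below is an added example written for this page, not Snort's own code and not something posted in the thread: it follows the active `include $SO_RULE_PATH/...` lines (the variable Joel calls SORULE_PATH; the stock snort.conf spelling SO_RULE_PATH is assumed here), counts the enabled stub rules in each file, and flags any stub that does not carry gid:3, the generator ID Snort assigns to shared object rules. The conf fragment and stub files are constructed sample data with placeholder sids and messages. Note what it does and does not answer: it reports how many SO rules the config asks Snort to load, which is what Joel's comment-out-the-stubs test exercises, not what the running engine actually linked.

```python
"""Count the shared-object (SO) stub rules a snort.conf would load.

Added example for this page, not part of Snort or of the mailing-list
thread.  Snort 2.x's "N Dynamic rules" line counts activate/dynamic rules
only, so SO stubs are counted separately here by walking the active
`include $SO_RULE_PATH/...` lines.  Assumptions: the path variable is
named SO_RULE_PATH (stock snort.conf; the thread writes SORULE_PATH),
stub rules carry gid:3, and rule lines start with one of the actions in
RULE_RE.  All sample data below is constructed.
"""
import re

VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(\S+)")
INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)")
# A rule line starts with an action; a leading '#' disables it.
RULE_RE = re.compile(r"^\s*(alert|log|pass|drop|reject|sdrop)\s+")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")

# Constructed snort.conf fragment (placeholder paths).
SAMPLE_CONF = """\
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
include $RULE_PATH/local.rules
include $SO_RULE_PATH/bad-traffic.rules
# include $SO_RULE_PATH/chat.rules
include $SO_RULE_PATH/web-client.rules
include $SO_RULE_PATH/missing.rules
"""

# Constructed stub files keyed by expanded include path; sids/msgs are placeholders.
SAMPLE_FILES = {
    "../so_rules/bad-traffic.rules": """\
# constructed stub file
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC example one"; sid:1; gid:3; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC example two"; sid:2; gid:3; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC example three"; sid:3; gid:3; rev:1;)
""",
    "../so_rules/web-client.rules": """\
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT example"; sid:4; gid:3; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ordinary rule, not an SO stub"; sid:1000001; rev:1;)
""",
}


def expand(path, variables):
    """Replace $VAR references using the var lines seen so far."""
    return re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), path)


def so_includes(conf_text, so_var="SO_RULE_PATH"):
    """Return expanded paths of active includes that reference the SO rule path."""
    variables = {}
    paths = []
    for line in conf_text.splitlines():
        m = VAR_RE.match(line)
        if m:
            variables[m.group(1)] = m.group(2)
            continue
        m = INCLUDE_RE.match(line)
        if m and ("$" + so_var) in m.group(1):
            paths.append(expand(m.group(1), variables))
    return paths


def count_stub_rules(rules_text):
    """Return (enabled rules, enabled rules lacking gid:3) for one stub file."""
    enabled = 0
    wrong_gid = 0
    for line in rules_text.splitlines():
        if not RULE_RE.match(line):
            continue  # blank, comment, or commented-out rule
        enabled += 1
        g = GID_RE.search(line)
        if g is None or g.group(1) != "3":
            wrong_gid += 1
    return enabled, wrong_gid


def so_rule_summary(conf_text, files):
    """files maps expanded include path -> stub file text; missing files map to None."""
    per_file = {}
    for path in so_includes(conf_text):
        per_file[path] = count_stub_rules(files[path]) if path in files else None
    total = sum(counts[0] for counts in per_file.values() if counts)
    return total, per_file


if __name__ == "__main__":
    total, per_file = so_rule_summary(SAMPLE_CONF, SAMPLE_FILES)
    for path, counts in per_file.items():
        if counts is None:
            print(f"{path}: MISSING (included but not found)")
        else:
            print(f"{path}: {counts[0]} enabled stub rules, {counts[1]} without gid:3")
    print(f"{total} shared object rules configured")
```

Run against a real install by reading snort.conf and each expanded include path from disk into the `files` mapping; a None entry for a path Snort is told to include is exactly the case the thread's comment-out test is trying to surface.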