[Snort-users] command line options...

waldo kitty wkitty42 at ...14940...
Sat Sep 25 23:37:23 EDT 2010


On 9/25/2010 21:07, Joel Esler wrote:
> The rest of the email I'll answer, if I can, when I am on my laptop.
>
> However, this part, dynamic does not mean "shared object". Two different things. Dynamic here means dynamic and activate rules, a deprecated rule-chaining system that has been replaced by flowbits.

ahhhh... thanks for that... I was rather confused about it because several 
places in the documentation/logs/config notes use the term "dynamic rules" and 
similar in relation to the SO rules stuff...

for example:
Sep 25 21:20:09 perseus snort[6858]: Loading all dynamic detection libs from /usr/lib/snort_dynamicrules...
Sep 25 21:20:09 perseus snort[6858]:   Loading dynamic detection library /usr/lib/snort_dynamicrules/bad-traffic.so...
Sep 25 21:20:09 perseus snort[6858]: done
Sep 25 21:20:09 perseus snort[6858]:   Loading dynamic detection library /usr/lib/snort_dynamicrules/chat.so...
Sep 25 21:20:09 perseus snort[6858]: done
Sep 25 21:20:09 perseus snort[6858]:   Loading dynamic detection library /usr/lib/snort_dynamicrules/dos.so...
Sep 25 21:20:09 perseus snort[6858]: done
Sep 25 21:20:09 perseus snort[6858]:   Loading dynamic detection library /usr/lib/snort_dynamicrules/exploit.so...
Sep 25 21:20:09 perseus snort[6858]: done
Sep 25 21:20:09 perseus snort[6858]:   Loading dynamic detection library /usr/lib/snort_dynamicrules/icmp.so...
Sep 25 21:20:09 perseus snort[6858]: done
Sep 25 21:20:09 perseus snort[6858]:   Loading dynamic detection library /usr/lib/snort_dynamicrules/imap.so...
Sep 25 21:20:09 perseus snort[6858]: done
Sep 25 21:20:09 perseus snort[6858]:   Loading dynamic detection library /usr/lib/snort_dynamicrules/misc.so...
Sep 25 21:20:09 perseus snort[6858]: done
Sep 25 21:20:09 perseus snort[6858]:   Loading dynamic detection library /usr/lib/snort_dynamicrules/multimedia.so...
Sep 25 21:20:09 perseus snort[6858]: done
Sep 25 21:20:09 perseus snort[6858]:   Loading dynamic detection library /usr/lib/snort_dynamicrules/netbios.so...
Sep 25 21:20:09 perseus snort[6858]: done
Sep 25 21:20:09 perseus snort[6858]:   Loading dynamic detection library /usr/lib/snort_dynamicrules/nntp.so...
Sep 25 21:20:09 perseus snort[6858]: done
Sep 25 21:20:09 perseus snort[6858]:   Loading dynamic detection library /usr/lib/snort_dynamicrules/p2p.so...
Sep 25 21:20:09 perseus snort[6858]: done
Sep 25 21:20:09 perseus snort[6858]:   Loading dynamic detection library /usr/lib/snort_dynamicrules/pop3.so...
Sep 25 21:20:09 perseus snort[6858]: done
Sep 25 21:20:09 perseus snort[6858]:   Loading dynamic detection library /usr/lib/snort_dynamicrules/smtp.so...
Sep 25 21:20:09 perseus snort[6858]: done
Sep 25 21:20:09 perseus snort[6858]:   Loading dynamic detection library /usr/lib/snort_dynamicrules/sql.so...
Sep 25 21:20:09 perseus snort[6858]: done
Sep 25 21:20:09 perseus snort[6858]:   Loading dynamic detection library /usr/lib/snort_dynamicrules/web-activex.so...
Sep 25 21:20:09 perseus snort[6858]: done
Sep 25 21:20:09 perseus snort[6858]:   Loading dynamic detection library /usr/lib/snort_dynamicrules/web-client.so...
Sep 25 21:20:09 perseus snort[6858]: done
Sep 25 21:20:09 perseus snort[6858]:   Loading dynamic detection library /usr/lib/snort_dynamicrules/web-iis.so...
Sep 25 21:20:09 perseus snort[6858]: done
Sep 25 21:20:09 perseus snort[6858]:   Loading dynamic detection library /usr/lib/snort_dynamicrules/web-misc.so...
Sep 25 21:20:09 perseus snort[6858]: done
Sep 25 21:20:09 perseus snort[6858]:   Finished Loading all dynamic detection libs from /usr/lib/snort_dynamicrules

None of those existed until I installed and enabled the SO rules...

I take it that there's no specific counter that tells how many SO rules are in 
operation? It would be nice to see that stat, as well as one for the normal 
text-based rules ;)



ALSO: I've been seeing the following in my logs for several months (at least) 
since implementing the SO rules...

Encoded Rule Plugin SID: 13416, GID 3 not registered properly. Disabling this rule.

It is in dos.rules :)
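
Snort itself does not print the counter asked for above, but the startup log and the rule files together contain enough to compute it. The script below is an added example written for this thread; it is not Snort code and not code from the poster. It assumes Snort's startup messages reach syslog in the form quoted above, that the "Encoded Rule Plugin ... not registered properly" warning carries the same syslog prefix (the post shows it without one), and that shared-object rule stubs are the rules carrying `gid:3`, the generator id Snort 2.x uses for SO rules. The sample log is a subset of the lines from the post; the sample rules file is constructed, with `sid:13416` taken from the warning in the post and every other sid made up. It counts loaded SO libraries, text rules versus SO stubs, the legacy activate/dynamic rules the thread distinguishes from SO rules, and cross-references rules Snort disabled at load against the rule files, which is the check the poster did by hand to find 13416 in dos.rules.

```python
"""Count what Snort actually loaded, from its startup log and its rule files.

Added example for the snort-users thread above, not Snort project code.
Assumptions: syslog-style startup lines as quoted in the post, and gid:3
marking shared-object (SO) rule stubs.
"""
import re
from collections import Counter

# Constructed sample log: a subset of the startup lines from the post, plus the
# "not registered properly" warning given a syslog prefix for illustration.
SAMPLE_LOG = """\
Sep 25 21:20:09 perseus snort[6858]: Loading all dynamic detection libs from /usr/lib/snort_dynamicrules...
Sep 25 21:20:09 perseus snort[6858]:   Loading dynamic detection library /usr/lib/snort_dynamicrules/bad-traffic.so...
Sep 25 21:20:09 perseus snort[6858]: done
Sep 25 21:20:09 perseus snort[6858]:   Loading dynamic detection library /usr/lib/snort_dynamicrules/dos.so...
Sep 25 21:20:09 perseus snort[6858]: done
Sep 25 21:20:09 perseus snort[6858]:   Finished Loading all dynamic detection libs from /usr/lib/snort_dynamicrules
Sep 25 21:20:09 perseus snort[6858]: Encoded Rule Plugin SID: 13416, GID 3 not registered properly. Disabling this rule.
"""

# Constructed sample rules file. sid 13416 comes from the post; all other
# sids are made up. Includes one SO stub (gid:3) and two legacy
# activate/dynamic rules, which are "dynamic" in the old chaining sense only.
SAMPLE_RULES = """\
# constructed rules for the example
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC constructed text rule"; flow:to_server,established; sid:1000001; rev:1;)
alert ip any any -> any any (msg:"DOS constructed SO stub"; sid:13416; gid:3; rev:1;)
# alert tcp any any -> any any (msg:"commented out, must not be counted"; sid:1000002;)
activate tcp any any -> any 143 (msg:"legacy activate rule"; activates:1; sid:1000003;)
dynamic tcp any any -> any 143 (msg:"legacy dynamic rule"; activated_by:1; count:20; sid:1000004;)
"""

LOAD_RE = re.compile(r"Loading dynamic detection library (\S+?)\.\.\.\s*$")
DISABLED_RE = re.compile(
    r"Encoded Rule Plugin SID:\s*(\d+),\s*GID\s*(\d+)\s+not registered properly")
RULE_RE = re.compile(
    r"^\s*(alert|log|pass|drop|reject|sdrop|activate|dynamic)\s+\S+.*\((.*)\)\s*$")
OPT_RE = re.compile(r"\b(sid|gid)\s*:\s*(\d+)")


def loaded_so_libraries(log_text):
    """Return the .so paths Snort reported loading, in log order."""
    paths = []
    for line in log_text.splitlines():
        m = LOAD_RE.search(line)
        if m:
            paths.append(m.group(1))
    return paths


def disabled_encoded_rules(log_text):
    """Return (gid, sid) pairs for rules Snort disabled at load time."""
    found = []
    for line in log_text.splitlines():
        m = DISABLED_RE.search(line)
        if m:
            found.append((int(m.group(2)), int(m.group(1))))
    return found


def count_rules(rules_text):
    """Count enabled rules by action and by kind (text vs SO stub vs legacy)."""
    by_action, by_kind, enabled = Counter(), Counter(), set()
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if not m:  # comments, blank lines, variables, includes
            continue
        action, options = m.group(1), m.group(2)
        opts = {k: int(v) for k, v in OPT_RE.findall(options)}
        gid = opts.get("gid", 1)  # gid defaults to 1 when absent
        by_action[action] += 1
        by_kind["shared_object" if gid == 3 else "text"] += 1
        if action in ("activate", "dynamic"):
            by_kind["legacy_activate_dynamic"] += 1
        enabled.add((gid, opts.get("sid")))
    return {"by_action": dict(by_action), "by_kind": dict(by_kind), "enabled": enabled}


def report(rules_text, log_text):
    """Combine rule-file counts with what the startup log says was loaded/disabled."""
    summary = count_rules(rules_text)
    disabled = set(disabled_encoded_rules(log_text))
    # Rules Snort refused at load that are still present in the rule files:
    summary["disabled_at_load"] = sorted(disabled & summary["enabled"])
    summary["so_libraries"] = len(loaded_so_libraries(log_text))
    return summary


if __name__ == "__main__":
    r = report(SAMPLE_RULES, SAMPLE_LOG)
    print("SO libraries loaded:", r["so_libraries"])
    print("rules by kind:", r["by_kind"])
    print("rules by action:", r["by_action"])
    print("disabled at load (gid, sid):", r["disabled_at_load"])
```

In real use, feed `report()` the concatenated contents of the enabled `.rules` files and the syslog lines from one Snort start. Because Snort re-logs the "Disabling this rule" warning on every start, the `disabled_at_load` list is the thing worth alerting on: it is the set of rules an operator believes are enabled but which are providing no coverage.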



