[Snort-users] [Snort-sigs] VRT SO Rules for FreeBSD/amd64

Michael Scheidell michael.scheidell at ...8144...
Mon Feb 7 14:00:35 EST 2011


this is why its so confusing.  and, I don't think this really works.  I 
have tried, several times over the years, and gave up long ago on so_rules.

on the web site, it says: (is this wrong?)


      Using VRT Certified Shared Object Rules

In order to instantiate shared object rules, a rule stub file is 
required. These stub files are not distributed in the VRT Certified rule 
packs, however they can be generated using snort.

Here is an example showing the pertinent configuration options in 
snort.conf along with the command line option required to generate the 
stub files. In some installations, the files may well reside in /etc/, 
this example uses /usr/local/etc as the location for the configuration 
files.

In snort.conf First set up some global variables:

var CONF_PATH /usr/local/etc/snort
var LIB_PATH /usr/local/lib
var SORULE_PATH $CONF_PATH/so_rules


Dynamic preprocessor and dynamic engine information:

dynamicpreprocessor directory $LIB_PATH/snort_dynamicpreprocessor
dynamicengine $LIB_PATH/snort_dynamicengine/libsf_engine.so


Here is the configuration option that lists the location of the shared 
object files that snort is to use:

dynamicdetection directory $LIB_PATH/snort_dynamicrule


      Dumping the rules

To dump the rule stub files into the required location the 
--dump-dynamic-rules option is used like so:

snort -c /usr/local/etc/snort/snort.conf --dump-dynamic-rules=/usr/local/etc/snort/so_rules


This command tells snort to use the snort.conf file where it will find 
the dynamic rule files (thanks to the configuration options above) and 
then use those files to generate the stub files and put them into 
/usr/local/etc/snort/so_rules/

After this is complete, the rule files appear in the directory.

# ls /usr/local/etc/snort/so_rules/
bad-traffic.rules  imap.rules        nntp.rules  web-client.rules
chat.rules         misc.rules        p2p.rules   web-misc.rules
dos.rules          multimedia.rules  smtp.rules
exploit.rules      netbios.rules     sql.rules




I do that, and this happens:

scanner2.secnap.com# snort -c /usr/local/etc/snort/snort.conf 
--dump-dynamic-rules=/usr/local/etc/snort/so_rules
Running in Rule Dump mode

         --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/usr/local/etc/snort/snort.conf"

[snip]
WARNING: ip4 normalizations disabled because not inlineWARNING: tcp 
normalizations disabled because not inlineWARNING: icmp4 normalizations 
disabled because not inlineFrag3 global config:
[snip]

Dumping dynamic rules...
   Finished dumping dynamic rules.
Snort exiting

scanner2.secnap.com# pwd
/usr/local/etc/snort

cd /usr/local/etc/snort/so_rules

scanner2.secnap.com# ls

cd /usr/local/etc/snort/so_rules
/usr/local/etc/snort/so_rules: No such file or directory.
scanner2.secnap.com# mkdir /usr/local/etc/snort/so_rules
scanner2.secnap.com# snort -c /usr/local/etc/snort/snort.conf 
--dump-dynamic-rules=/usr/local/etc/snort/so_rules
Running in Rule Dump mode

still nothing there.


-- 
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
 >*| *SECNAP Network Security Corporation

    * Certified SNORT Integrator
    * 2008-9 Hot Company Award Winner, World Executive Alliance
    * Five-Star Partner Program 2009, VARBusiness
    * Best in Email Security,2010: Network Products Guide
    * King of Spam Filters, SC Magazine 2008


______________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r). 
For Information please see http://www.secnap.com/products/spammertrap/
______________________________________________________________________  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20110207/97dc5612/attachment.html>


More information about the Snort-users mailing list