[Snort-users] [Snort-sigs] VRT SO Rules for FreeBSD/amd64

Nigel Houghton nhoughton at ...1935...
Mon Feb 7 14:22:01 EST 2011


On Mon, 7 Feb 2011 14:00:35 -0500, Michael Scheidell wrote:
> This is why it's so confusing. And I don't think this really works.  
> I have tried, several times over the years, and gave up long ago on 
> so_rules.
> 
> on the web site, it says: (is this wrong?)
> 
> Using VRT Certified Shared Object Rules
> In order to instantiate shared object rules, a rule stub file is 
> required. These stub files are not distributed in the VRT Certified 
> rule packs, however they can be generated using snort.
> 
> Here is an example showing the pertinent configuration options in 
> snort.conf along with the command line option required to generate 
> the stub files. In some installations, the files may well reside in 
> /etc/, this example uses /usr/local/etc as the location for the 
> configuration files.
> In snort.conf First set up some global variables:
> var CONF_PATH /usr/local/etc/snort
> var LIB_PATH /usr/local/lib
> var SORULE_PATH $CONF_PATH/so_rules
> 
> Dynamic preprocessor and dynamic engine information:
> dynamicpreprocessor directory $LIB_PATH/snort_dynamicpreprocessor
> dynamicengine $LIB_PATH/snort_dynamicengine/libsf_engine.so
> 
> Here is the configuration option that lists the location of the 
> shared object files that snort is to use:
> 
> dynamicdetection directory $LIB_PATH/snort_dynamicrule
> 
> Dumping the rules
> To dump the rule stub files into the required location the 
> --dump-dynamic-rules option is used like so:
> snort -c /usr/local/etc/snort/snort.conf 
> --dump-dynamic-rules=/usr/local/etc/snort/so_rules
> 
> This command tells snort to use the snort.conf file where it will 
> find the dynamic rule files (thanks to the configuration options 
> above) and then use those files to generate the stub files and put 
> them into /usr/local/etc/snort/so_rules/
> After this is complete, the rule files appear in the directory.
> # ls /usr/local/etc/snort/so_rules/
> bad-traffic.rules  imap.rules        nntp.rules  web-client.rules
> chat.rules         misc.rules        p2p.rules   web-misc.rules
> dos.rules          multimedia.rules  smtp.rules
> exploit.rules      netbios.rules     sql.rules
> 
> 
> 
> I do that, and this happens:
> 
> scanner2.secnap.com# snort -c /usr/local/etc/snort/snort.conf 
> --dump-dynamic-rules=/usr/local/etc/snort/so_rules
> Running in Rule Dump mode
> 
>         --== Initializing Snort ==--
> Initializing Output Plugins!
> Initializing Preprocessors!
> Initializing Plug-ins!
> Parsing Rules file "/usr/local/etc/snort/snort.conf"
> 
> [snip]
> WARNING: ip4 normalizations disabled because not inline
> WARNING: tcp normalizations disabled because not inline
> WARNING: icmp4 normalizations disabled because not inline
> Frag3 global config:
> [snip]
> 
> Dumping dynamic rules...
>   Finished dumping dynamic rules.
> Snort exiting
> 
> scanner2.secnap.com# pwd
> /usr/local/etc/snort
> 
> cd /usr/local/etc/snort/so_rules
> 
> scanner2.secnap.com# ls
> 
> cd /usr/local/etc/snort/so_rules
> /usr/local/etc/snort/so_rules: No such file or directory.
> scanner2.secnap.com# mkdir /usr/local/etc/snort/so_rules
> scanner2.secnap.com# snort -c /usr/local/etc/snort/snort.conf 
> --dump-dynamic-rules=/usr/local/etc/snort/so_rules
> Running in Rule Dump mode
> 
> still nothing there.

We'll take a look at the --dump-dynamic-rules option.

The website text is out of date, though. As part of the shared object 
rule build process, the rule stubs are generated and shipped with the 
tarballs, and have been for some time; it prevents the problems some folks 
were having when trying to dump so rule stubs or forgetting to do so.

That said, the option above should work.

--
Nigel Houghton
Head Mentalist
SF VRT Department of Intelligence Excellence
http://vrt-blog.snort.org/ && http://labs.snort.org/
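The stub-dump procedure quoted above has two silent failure modes visible in the thread: the stub directory not existing, and "Finished dumping dynamic rules" followed by an empty directory. The script below is an added example, not part of the thread and not Snort's own tooling. It is a pre-flight check for that procedure: it parses snort.conf for the dynamicengine and "dynamicdetection directory" directives, expands the `var` names they use, and confirms the engine library, a non-empty shared-object rule directory and the stub output directory exist before you run --dump-dynamic-rules, then verifies afterwards that .rules stubs actually appeared. All paths are hypothetical and are passed as arguments; the snort.conf layout it understands is the one quoted from the web page.

```shell
#!/bin/sh
# Added example, not part of the original thread or of Snort itself.
# Pre-flight check for the so_rules stub-dump procedure: parse snort.conf
# for the dynamicengine / dynamicdetection directives, expand the "var"
# names they use, and confirm the referenced files and the stub output
# directory exist before running --dump-dynamic-rules.
# All paths are hypothetical; the functions take them as arguments.

# expand_vars CONF VALUE: substitute $NAME tokens using "var NAME value"
# lines from CONF. Repeats a few passes so vars defined in terms of other
# vars (var SORULE_PATH $CONF_PATH/so_rules) resolve too.
expand_vars() {
    conf="$1"; value="$2"; pass=0
    while [ "$pass" -lt 5 ] && printf '%s' "$value" | grep -q '\$'; do
        while read -r kw name val; do
            [ "$kw" = "var" ] || continue
            value=$(printf '%s' "$value" | sed "s|\\\$$name|$val|g")
        done < "$conf"
        pass=$((pass + 1))
    done
    printf '%s' "$value"
}

# engine_from_conf CONF: path from the "dynamicengine <file>" line.
engine_from_conf() {
    expand_vars "$1" "$(awk '$1=="dynamicengine" {print $2; exit}' "$1")"
}

# so_dir_from_conf CONF: directory from "dynamicdetection directory <dir>".
so_dir_from_conf() {
    expand_vars "$1" "$(awk '$1=="dynamicdetection" && $2=="directory" {print $3; exit}' "$1")"
}

# count_files DIR EXT: number of DIR/*.EXT entries, 0 if DIR is missing.
count_files() {
    dir="$1"; ext="$2"
    set -- "$dir"/*."$ext"
    if [ -e "$1" ]; then echo $#; else echo 0; fi
}

# check_so_rules_config CONF STUBDIR: return 0 when the engine library,
# a non-empty shared-object rule directory and the stub directory all
# exist; print each problem found and return 1 otherwise.
check_so_rules_config() {
    rc=0
    engine=$(engine_from_conf "$1")
    if [ -z "$engine" ]; then
        echo "no dynamicengine line in $1"; rc=1
    elif [ ! -f "$engine" ]; then
        echo "dynamicengine library missing: $engine"; rc=1
    fi
    sodir=$(so_dir_from_conf "$1")
    if [ -z "$sodir" ]; then
        echo "no 'dynamicdetection directory' line in $1"; rc=1
    elif [ "$(count_files "$sodir" so)" -eq 0 ]; then
        echo "no .so rule libraries in $sodir (nothing to dump stubs for)"; rc=1
    fi
    if [ ! -d "$2" ]; then
        echo "stub directory $2 does not exist; mkdir -p it before dumping"; rc=1
    fi
    return $rc
}

# verify_stubs_dumped STUBDIR: return 0 when at least one .rules stub is
# present after --dump-dynamic-rules, 1 otherwise.
verify_stubs_dumped() {
    n=$(count_files "$1" rules)
    if [ "$n" -gt 0 ]; then
        echo "$n stub files in $1"
    else
        echo "no .rules stubs in $1; check the VRT tarball, which ships them"
        return 1
    fi
}

# Typical run (hypothetical paths, matching the quoted snort.conf):
#   check_so_rules_config /usr/local/etc/snort/snort.conf \
#       /usr/local/etc/snort/so_rules &&
#   snort -c /usr/local/etc/snort/snort.conf \
#       --dump-dynamic-rules=/usr/local/etc/snort/so_rules &&
#   verify_stubs_dumped /usr/local/etc/snort/so_rules
```

The variable expansion is deliberately limited to `var NAME value` lines and a handful of passes; it is enough for the quoted configuration and for the nested `$CONF_PATH/so_rules` case, but it is a troubleshooting aid, not a snort.conf parser. If `verify_stubs_dumped` reports an empty directory after the dump completed, the shipped stubs in the VRT tarball are the fallback Nigel describes.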
