[Snort-users] Error running snort

Joel Esler jesler at ...1935...
Thu Oct 11 07:19:28 EDT 2012


Platforms supported:

https://www.snort.org/snort-rules/shared-object-rules

--
Joel Esler
Sent from my iPad 

On Oct 11, 2012, at 3:40 AM, AllowOverride <allowoverride at ...11827...> wrote:

> My so_rules complained. They are not in the config. I can see there is a
> reason for them. In the past is not today, and there is no 10.04
> so_rules I can see/find/gather.
> 
> I'll read in time, just got stuck with a bunch of little things, some my
> fault. I fixed most of it. It's working, still trying to figure out base
> issue, I hesitate to say bug now.
> 
> I'm looking at vbox guest iso of seconion, seems pretty bloated, runs
> slow even set with 3.5 gigs of mem on the host dedicated to it.
> However, I plan to look more into /etc/nsm.
> 
> That's all for now... thanks everyone for your help. I muddle through some
> docs in my spare time.
> 
> l8
> 
> On Wed, 2012-10-10 at 16:08 -0600, Jefferson, Shawn wrote:
>> Hi,
>> 
>> Compiled rules (so_rules) are covered in the manuals and blogs in some depth, however, since I know you don't like to RTFM ;) (actually I *do* suggest you go to the snort blog and VRT blog and look up posts about so_rules and read them in your spare time...), basically they are pre-compiled rules that either require more processing than text rules require, or there is some reason to obscure what the rule is looking for (due to NDAs that Sourcefire has with vendors, or hide things from bad guys, etc...) That's my understanding of so_rules.
>> 
>> I would suggest that you get snort and the rest of the tool chain working first before diving into so_rules.  Pulled pork will handle so_rules as well... you just need to specify the right distro/bit-ness.  In the past I've had success using Ubuntu so_rules for not *quite* the same revision, but you'd need to test that.
>> 
>> It's easy to tell if it's not working, since snort segfaults (or complains at startup sometimes) if you have the wrong so_rules.  Sometimes (I've seen this in the past, maybe it doesn't do this anymore) it doesn't segfault until you get a packet that tries to hit the so_rule... but the rest of the time it runs happily.
>> 
>> 
>> 
>> -----Original Message-----
>> From: AllowOverride [mailto:allowoverride at ...11827...] 
>> Sent: Wednesday, October 10, 2012 2:58 PM
>> To: Jefferson, Shawn
>> Cc: 'fashman2k1 at ...131...'; 'snort-users at lists.sourceforge.net'
>> Subject: Re: [Snort-users] Error running snort
>> 
>> This leads to another issue, so_rules. I did not see Ubuntu 12.04 listed, only up to 12.04. Is there an updated precompiled rule set for
>> 12.04 coming soon? Not that I know what they are for, I figure packets being analyzed should matter what distro it is coming for?
>> 
>> I assume the precompiled rules are for base services included in each different Linux distro, thus the need to specify them in the first place.
>> 
>> Don't answer that, I will figure it out, just thinking out loud..
>> 
>> 
>> On Wed, 2012-10-10 at 14:27 -0600, Jefferson, Shawn wrote:
>>> You have the wrong version of so rules for your distro/os.
>>> 
>>> 
>>> 
>>> ----- Original Message -----
>>> From: Akinwale Fasuru <fashman2k1 at ...131...>
>>> To: snort-users at lists.sourceforge.net 
>>> <snort-users at lists.sourceforge.net>
>>> Sent: Wed Oct 10 12:47:43 2012
>>> Subject: [Snort-users] Error running snort
>>> 
>>> Pls I encountered this error when trying to run snort # snort -c 
>>> /etc/snort/snort.conf
>>> 
>>> ERROR: Failed to load /usr/local/lib/snort_dynamicrules/netbios.so: 
>>> /usr/local/lib/snort_dynamicrules/netbios.so: wrong ELF class: 
>>> ELFCLASS32
>>> 
>>> What can i do?
>>> 
>>> Wale
>>> 
>>> ----------------------------------------------------------------------
>>> -------- Don't let slow site performance ruin your business. Deploy 
>>> New Relic APM Deploy New Relic app performance management and know 
>>> exactly what is happening inside your Ruby, Python, PHP, Java, and 
>>> .NET app Try New Relic at no cost today and get our sweet Data Nerd 
>>> shirt too!
>>> http://p.sf.net/sfu/newrelic-dev2dev
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>> 
>>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
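
The `wrong ELF class: ELFCLASS32` error quoted in this thread is the dynamic loader refusing a 32-bit so_rule inside a 64-bit snort process (or the reverse). The script below is an added example, not code from any poster or from the Snort project: it reads the ELF identification bytes of every module in the rules directory and compares them with the snort binary, whose path is an assumption you supply as the second argument.

```shell
#!/bin/sh
# Added example (not from the thread): find so_rules whose ELF class differs
# from the snort binary that will load them.
# Usage: sh check_so_rules.sh /usr/local/lib/snort_dynamicrules /path/to/snort

# Print ELFCLASS32, ELFCLASS64 or NOT_ELF for one file. An ELF file starts
# with the magic bytes 7f 'E' 'L' 'F'; the byte at offset 4 (EI_CLASS) is
# 1 for 32-bit objects and 2 for 64-bit objects.
elf_class() {
    _magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    _class=$(od -An -tu1 -j4 -N1 "$1" 2>/dev/null | tr -d ' \n')
    if [ "$_magic" != "7f454c46" ]; then
        echo NOT_ELF
    else
        case "$_class" in
            1) echo ELFCLASS32 ;;
            2) echo ELFCLASS64 ;;
            *) echo NOT_ELF ;;
        esac
    fi
}

# Compare every *.so in directory $1 against reference binary $2.
# Prints one MISMATCH line per bad module; returns 0 if all match,
# 1 if any module mismatches, 2 if the reference itself is not an ELF file.
check_so_rules() {
    _want=$(elf_class "$2")
    if [ "$_want" = NOT_ELF ]; then
        echo "ERROR: reference binary '$2' is not an ELF file" >&2
        return 2
    fi
    _bad=0
    for _f in "$1"/*.so; do
        [ -e "$_f" ] || continue          # directory empty or missing
        _got=$(elf_class "$_f")
        if [ "$_got" != "$_want" ]; then
            echo "MISMATCH $_f: $_got (snort binary is $_want)"
            _bad=$((_bad + 1))
        fi
    done
    [ "$_bad" -eq 0 ]
}

# Run only when a rules directory and a snort binary path are given.
if [ $# -ge 2 ]; then
    check_so_rules "$1" "$2"
fi
```

Running it before starting snort catches a mismatched so_rules package at deploy time. It checks word size only, so a module built for a different distro release of the same bit-ness still needs the testing described in the thread.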