[Snort-users] Error running snort

AllowOverride allowoverride at ...11827...
Thu Oct 11 15:37:56 EDT 2012


Hi Joel, I see 12.04 i386/x86-64, cool. Just wondering where they are
listed by directory in so_rules. I'll look for them. I mentioned before,
as the so_rules I downloaded, they were not higher than 10.04... odd.

I'll keep looking. Thanks.

On Thu, 2012-10-11 at 07:19 -0400, Joel Esler wrote:
> Platforms supported:
> 
> 
> https://www.snort.org/snort-rules/shared-object-rules
> 
> --
> Joel Esler
> Sent from my iPad 
> 
> On Oct 11, 2012, at 3:40 AM, AllowOverride <allowoverride at ...11827...>
> wrote:
> 
> 
> > My so_rules complained. They are not in the config. I can see there is a
> > reason for them. In the past is not today, and there is no 10.04
> > so_rules I can see/find/gather.
> > 
> > I'll read in time, just got stuck with a bunch of little things, some my
> > fault. I fixed most of it. It's working, still trying to figure out base
> > issue, I hesitate to say bug now.
> > 
> > I'm looking at vbox guest iso of seconion, seems pretty bloated, runs
> > slow even set with 3.5 gigs of mem on the host dedicated to it.
> > However, I plan to look more into /etc/nsm.
> > 
> > That's all for now... thanks everyone for your help. I muddle through some
> > docs in my spare time.
> > 
> > l8
> > 
> > On Wed, 2012-10-10 at 16:08 -0600, Jefferson, Shawn wrote:
> > > Hi,
> > > 
> > > Compiled rules (so_rules) are covered in the manuals and blogs in
> > > some depth, however, since I know you don't like to RTFM ;)
> > > (actually I *do* suggest you go to the snort blog and VRT blog and
> > > lookup posts about so_rules and read them in your spare time...),
> > > basically they are pre-compiled rules that either require more
> > > processing than text rules require, or there is some reason to
> > > obscure what the rule is looking for (due to NDAs that SourceFire
> > > has with vendors, or hide things from badguys, etc...)  That's my
> > > understanding of so_rules.
> > > 
> > > I would suggest that you get snort and the rest of the tool chain
> > > working first before diving into so_rules.  Pulled pork will
> > > handle so_rules as well... you just need to specify the right
> > > distro/bit-ness.  In the past I've had success using Ubuntu
> > > so_rules for not *quite* the same revision, but you'd need to test
> > > that.
> > > 
> > > It's easy to tell if it's not working, since snort segfaults (or
> > > complains at startup sometimes) if you have the wrong so_rules.
> > >  Sometimes (I've seen this in the past, maybe it doesn't do this
> > > anymore) it doesn't segfault until you get a packet that tries to
> > > hit the so_rule... but the rest of the time it runs happily.
> > > 
> > > 
> > > 
> > > -----Original Message-----
> > > From: AllowOverride [mailto:allowoverride at ...11827...] 
> > > Sent: Wednesday, October 10, 2012 2:58 PM
> > > To: Jefferson, Shawn
> > > Cc: 'fashman2k1 at ...131...'; 'snort-users at lists.sourceforge.net'
> > > Subject: Re: [Snort-users] Error running snort
> > > 
> > > This leads to another issue, so_rules: I did not see Ubuntu 12.04
> > > listed, only up to 12.04. Is there an updated precompiled rule set for
> > > 12.04 coming soon? Not that I know what they are for, I figure
> > > packets being analyzed should matter what distro it is coming for?
> > > 
> > > I assume the precompiled rules are for base services included in
> > > each linux different distro, thus the need to specify them in the
> > > first place.
> > > 
> > > Don't answer that, I will figure it out, just thinking out loud..
> > > 
> > > 
> > > On Wed, 2012-10-10 at 14:27 -0600, Jefferson, Shawn wrote:
> > > > You have the wrong version of so rules for your distro/os.
> > > > 
> > > > 
> > > > 
> > > > ----- Original Message -----
> > > > From: Akinwale Fasuru <fashman2k1 at ...131...>
> > > > To: snort-users at lists.sourceforge.net 
> > > > <snort-users at lists.sourceforge.net>
> > > > Sent: Wed Oct 10 12:47:43 2012
> > > > Subject: [Snort-users] Error running snort
> > > > 
> > > > > Pls, I encountered this error when trying to run snort:
> > > > > # snort -c /etc/snort/snort.conf
> > > > > 
> > > > > ERROR: Failed to load /usr/local/lib/snort_dynamicrules/netbios.so: /usr/local/lib/snort_dynamicrules/netbios.so: wrong ELF class: ELFCLASS32
> > > > > 
> > > > > What can I do?
> > > > 
> > > > Wale
> > > > 
> > > > ----------------------------------------------------------------------
> > > > -------- Don't let slow site performance ruin your business.
> > > > Deploy 
> > > > New Relic APM Deploy New Relic app performance management and
> > > > know 
> > > > exactly what is happening inside your Ruby, Python, PHP, Java,
> > > > and 
> > > > .NET app Try New Relic at no cost today and get our sweet Data
> > > > Nerd 
> > > > shirt too!
> > > > http://p.sf.net/sfu/newrelic-dev2dev
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users at lists.sourceforge.net
> > > > Go to this URL to change user options or unsubscribe:
> > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > > > 
> > > > Please visit http://blog.snort.org to stay current on all the
> > > > latest Snort news!
> > > > ----------------------------------------------------------------------
> > > > -------- Don't let slow site performance ruin your business.
> > > > Deploy 
> > > > New Relic APM Deploy New Relic app performance management and
> > > > know 
> > > > exactly what is happening inside your Ruby, Python, PHP, Java,
> > > > and 
> > > > .NET app Try New Relic at no cost today and get our sweet Data
> > > > Nerd 
> > > > shirt too!
> > > > http://p.sf.net/sfu/newrelic-dev2dev
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users at lists.sourceforge.net
> > > > Go to this URL to change user options or unsubscribe:
> > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > > > 
> > > > Please visit http://blog.snort.org to stay current on all the
> > > > latest Snort news!
> > > 
> > 
> > 
> > 
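The "wrong ELF class: ELFCLASS32" failure discussed in this thread can be caught before Snort starts by comparing each shared-object rule's ELF header with the Snort binary's own. The following is an added example, not code from the thread or from the Snort project; the function names and the constructed demo files are assumptions made for illustration.

```python
import struct
import tempfile
from pathlib import Path

ELF_CLASS = {1: "ELFCLASS32", 2: "ELFCLASS64"}

def elf_ident(path):
    """Return (class_name, e_machine) from an ELF header, or None if not ELF."""
    with open(path, "rb") as fh:
        hdr = fh.read(20)
    if len(hdr) < 20 or hdr[:4] != b"\x7fELF":
        return None
    # e_ident[4] is EI_CLASS; e_ident[5] is EI_DATA (1 = little, 2 = big endian)
    endian = "<" if hdr[5] == 1 else ">"
    (machine,) = struct.unpack_from(endian + "H", hdr, 18)
    return ELF_CLASS.get(hdr[4], "unknown"), machine

def audit_so_rules(snort_binary, rules_dir):
    """List *.so rules whose ELF class or machine differs from the snort binary."""
    want = elf_ident(snort_binary)
    if want is None:
        raise ValueError(f"{snort_binary} is not an ELF file")
    bad = []
    for so in sorted(Path(rules_dir).glob("*.so")):
        got = elf_ident(so)
        if got != want:
            bad.append((so.name, got[0] if got else "not ELF"))
    return bad

def fake_elf(ei_class, machine):
    """Constructed 20-byte little-endian ELF header stub, used only by demo()."""
    ident = b"\x7fELF" + bytes([ei_class, 1, 1]) + b"\x00" * 9
    return ident + struct.pack("<HH", 3, machine)  # e_type=ET_DYN, e_machine

def demo():
    """Constructed layout: 64-bit snort, one 32-bit rule, one 64-bit rule."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "snort").write_bytes(fake_elf(2, 62))       # EM_X86_64
        (root / "netbios.so").write_bytes(fake_elf(1, 3))   # EM_386
        (root / "example.so").write_bytes(fake_elf(2, 62))  # constructed name
        return audit_so_rules(root / "snort", root)

if __name__ == "__main__":
    for name, cls in demo():
        print(f"{name}: {cls} does not match the snort binary")
```

On a real sensor, pass the installed Snort binary and the dynamic rules directory from the error message to `audit_so_rules`. A matching ELF class only rules out the bit-ness mismatch; it does not show that the rules were built for the same distro or Snort revision.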




