[Snort-users] Shared Object Rules not properly recognized by Snort

Patrick Mullen pmullen at ...1935...
Fri Jul 26 13:25:11 EDT 2013


Quentin,

You need to make sure that both the shared object (.so) files are
loaded and the generated .rules files are loaded by snort.  The .rules
files are loaded just like any other rules file ("include
$SO_RULES_PATH/web-client.rules" , for example) and the shared object
(.so) files are loaded using the configuration line "dynamicdetection
directory /path/to/shared/object/rules".

You should get a warning on startup if one but not both of those items
are configured correctly.  You may also get a warning or even an error
if neither of them are set up correctly, but it depends on how
incorrectly you configured them.


Thanks,

~Patrick

On Fri, Jul 26, 2013 at 8:10 AM, Quentin-Edouard Lutun
<quentinedouard.lutun at ...11827...> wrote:
> Hi, I am running on Snort V2.9.4.5 (64bit) and i tries to implement Shared
> Object Rules. I don't know why but after several attempts, Snort is unable
> to raise any intrusion events... All SO rules are loaded properly and set
> enabled on the configuration file and the same rules in simple/basic format
> are recognized correctly and reported by Snort. I also test to create a
> simple one via the VRT SO RULES generator provided by the website and i have
> got the same problem.... this latter is raised in basic format but not like
> a compiled rule...
>
>
> Any helps or advices would be grateful, Thanks a lot. Quentin.
>
>
> ------------------------------------------------------------------------------
> See everything from the browser to the database with AppDynamics
> Get end-to-end visibility with application monitoring from AppDynamics
> Isolate bottlenecks and diagnose root cause in seconds.
> Start your free trial of AppDynamics Pro today!
> http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort
> news!



-- 
Patrick Mullen
Response Research Manager
Sourcefire VRT




More information about the Snort-users mailing list