[Snort-users] Missing shared object files in snapshot download file

Y M snort at ...15979...
Sat Aug 23 15:55:01 EDT 2014


Which version/date of the rules are you running?
The reason I am asking is this:
The ruleset released until the 19 August contained the new the shared objected categories:
dev at ...1900...:/tmp# ls -l old/snortrules-snapshot-2962.tar.gz -rwxrwxrwx 1 dev dev 33080965 Aug 21 10:34 snortrules-snapshot-2962.tar.gz
dev at ...1900...:/tmp$ md5sum old/snortrules-snapshot-2962.tar.gz2b84e9aee0f2eaf32e51a1375ec824f5
The ruleset released on the 21 August was stripped out of these new shared object rules:
dev at ...1900...:/tmp# ls -l new/snortrules-snapshot-2962.tar.gz -rwxrwxrwx 1 dev dev 25374704 Aug 21 10:34 snortrules-snapshot-2962.tar.gz
dev at ...1900...:/tmp$ md5sum new/snortrules-snapshot-2962.tar.gz 9ddb9552995f5c637d11d690623bf414  snortrules-snapshot-2962.tar.gz
Note the size difference. This is also evident if you list (ls -l) the so_rules directory of both rulesets. The old one definitely contains the categories as specified by the blog post, the newer one does not. If your rules stubs are individually included in snort.conf rather than the all-one-file (snort.rules) as generated by PulledPork, then the above could be the reason.
YM

> From: greg.mcnathansonsnuf003 at ...16876...
> To: snort-users at lists.sourceforge.net
> Date: Sat, 23 Aug 2014 19:48:30 +0200
> Subject: [Snort-users] Missing shared object files in snapshot download file
> 
> I read about the reconstruction of shared object rules in the blog. So I'm confused about the missing file report. (see below)
> 
> ....
> Aug 23 19:22:40 c1 snort[801]: FATAL ERROR: /etc/snort//etc/snort/so_rules/browser-other.rules(0) Unable to open rules file "/etc/snort//etc/snort/so_rules/browser-other.rules": No such file or directo
> Aug 23 19:22:40 c1 snort[796]: Starting snort: [FAILED]
> Aug 23 19:22:40 c1 snort[805]: Stopping snort: [FAILED]
> Aug 23 19:22:40 c1 systemd[1]: Started Snort IDS system.
> ...
> 
> The stub file couldn't be generated because the browser-other.so file isn't delivered in the latest snapshot download file.
> There are more files missing not only browser-other.so. I expected all files listed in the blog to be included in the snapshot download file.
> 
> Is this a planned measurement of the reconstruction of shared object rules?
> 
> Greg
> 
> 
> ------------------------------------------------------------------------------
> Slashdot TV.  
> Video for Nerds.  Stuff that matters.
> http://tv.slashdot.org/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> 
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140823/e07e81aa/attachment.html>


More information about the Snort-users mailing list