[Snort-users] Missing shared object files in snapshot download file

greg.mcnathansonsnuf003 at ...16876... greg.mcnathansonsnuf003 at ...16876...
Sat Aug 23 17:05:12 EDT 2014

Ah ok, I see.
Thank you for your help YM.

Sent: Saturday, 23 August 2014 at 21:55
From: "Y M" <snort at ...15979...>
To: "greg.mcnathansonsnuf003 at ...16876..." <greg.mcnathansonsnuf003 at ...979...16876...>
Cc: snort-users <snort-users at lists.sourceforge.net>
Subject: RE: [Snort-users] Missing shared object files in snapshot download file

Which version/date of the rules are you running?
The reason I am asking is this:
The ruleset released until the 19 August contained the new shared object categories:

dev at ...1900...:/tmp# ls -l old/snortrules-snapshot-2962.tar.gz 
-rwxrwxrwx 1 dev dev 33080965 Aug 21 10:34 snortrules-snapshot-2962.tar.gz
dev at ...1900...:/tmp$ md5sum old/snortrules-snapshot-2962.tar.gz
The ruleset released on the 21 August was stripped out of these new shared object rules:

dev at ...1900...:/tmp# ls -l new/snortrules-snapshot-2962.tar.gz 
-rwxrwxrwx 1 dev dev 25374704 Aug 21 10:34 snortrules-snapshot-2962.tar.gz
dev at ...1900...:/tmp$ md5sum new/snortrules-snapshot-2962.tar.gz 
9ddb9552995f5c637d11d690623bf414  snortrules-snapshot-2962.tar.gz
Note the size difference. This is also evident if you list (ls -l) the so_rules directory of both rulesets. The old one definitely contains the categories as specified by the blog post, the newer one does not. If your rules stubs are individually included in snort.conf rather than the all-one-file (snort.rules) as generated by PulledPork, then the above could be the reason.
> From: greg.mcnathansonsnuf003 at ...16876...
> To: snort-users at lists.sourceforge.net
> Date: Sat, 23 Aug 2014 19:48:30 +0200
> Subject: [Snort-users] Missing shared object files in snapshot download file
> I read about the reconstruction of shared object rules in the blog. So I'm confused about the missing file report. (see below)
> ....
> Aug 23 19:22:40 c1 snort[801]: FATAL ERROR: /etc/snort//etc/snort/so_rules/browser-other.rules(0) Unable to open rules file "/etc/snort//etc/snort/so_rules/browser-other.rules": No such file or directo
> Aug 23 19:22:40 c1 snort[796]: Starting snort: [FAILED]
> Aug 23 19:22:40 c1 snort[805]: Stopping snort: [FAILED]
> Aug 23 19:22:40 c1 systemd[1]: Started Snort IDS system.
> ...
> The stub file couldn't be generated because the browser-other.so file isn't delivered in the latest snapshot download file.
> There are more files missing not only browser-other.so. I expected all files listed in the blog to be included in the snapshot download file.
> Is this a planned measurement of the reconstruction of shared object rules?
> Greg

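The two checks suggested in the reply above (compare the so_rules directories of both rulesets, and look at which stubs snort.conf includes individually), as an added example that is not part of the original thread. The function names are hypothetical, and it assumes the stubs are referenced with "include $SO_RULE_PATH/<file>" lines as in the stock snort.conf.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical;
# pass your own snort.conf and so_rules locations as arguments.

# Print each stub named by an active (uncommented)
#   include $SO_RULE_PATH/<file>
# line in snort.conf that is not present in the given so_rules directory.
# These are the includes that make Snort exit with
# "Unable to open rules file" at startup.
missing_so_stubs() {
    conf=$1
    so_dir=$2
    sed -n 's|^[[:space:]]*include[[:space:]]\{1,\}\$SO_RULE_PATH/\([^[:space:]#]\{1,\}\).*$|\1|p' "$conf" |
    while IFS= read -r stub; do
        [ -f "$so_dir/$stub" ] || printf '%s\n' "$stub"
    done
}

# Print the entries found in the old so_rules directory but absent from the
# new one, i.e. what a newer snapshot no longer ships.
dropped_from_snapshot() {
    old_dir=$1
    new_dir=$2
    for path in "$old_dir"/*; do
        [ -e "$path" ] || continue    # empty directory: the glob stays literal
        name=${path##*/}
        [ -e "$new_dir/$name" ] || printf '%s\n' "$name"
    done
}

# Typical use after unpacking both snapshots (paths are assumptions):
#   dropped_from_snapshot old/so_rules new/so_rules
#   missing_so_stubs /etc/snort/snort.conf new/so_rules
```

Any name printed by missing_so_stubs has to be commented out of snort.conf, or its stub supplied, before Snort will start with that ruleset.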