[Snort-users] Multiple errors on Snort

Anshuman Anil Deshmukh anshuman at ...16510...
Fri Dec 5 05:30:18 EST 2014


Hi,

Some updates to this issue.

I was able to dump the dynamic rules. But the other error is still not gone, hence I am unable to use the so_rules. Somehow Snort is detecting an incorrect path in spite of my mentioning the correct path in my config files.

Getting this error-
ERROR: /etc/snort//usr/local/etc/snort/so_rules/bad-traffic.rules(0) Unable to open rules file "/etc/snort//usr/local/etc/snort/so_rules/bad-traffic.rules": No such file or directory.

Following is the configuration for the so rules in my snort.conf

var SO_RULE_PATH /etc/snort/so_rules/

None of these work:
include /usr/local/etc/snort/so_rules/bad-traffic.rules
OR
include $RULE_PATH/bad-traffic.rules.

Before upgrading, explicit path (without the variable) was working properly. Why is it not working with the new version now?

I am giving here information on how the dump dynamic rules thing worked after I removed my old configuration of stream5_global and used the default configuration. But I couldn't understand which of the old parameters were the reason for the issue. Just putting it here so that experts can analyze the same.

Previously these were the settings -
preprocessor stream5_global: track_tcp yes, \
memcap 536870912 \
track_udp yes, \
track_icmp no, \
max_tcp 1048576, \
max_udp 524288, \
max_active_responses 2, \
min_response_seconds 5 \
detect_scans \
# Added for performance
dont_store_large_packets \
disable_evasion_alerts timeout 120 \
#Added on 23rd Oct 2013
show_rebuilt_packets

Following resolved the issue-
preprocessor stream5_global: track_tcp yes, \
   track_udp yes, \
   track_icmp no, \
   max_tcp 262144, \
   max_udp 131072, \
   max_active_responses 2, \
   min_response_seconds 5

From: Anshuman Anil Deshmukh [mailto:anshuman at ...16510...]
Sent: Friday, December 5, 2014 11:18 AM
To: 'snort-users at lists.sourceforge.net'
Subject: [Snort-users] Multiple errors on Snort

Hi,

I recently upgraded my working setup of Snort from version 2.9.6.1 to version 2.9.7.0. After upgrading I am facing the following issues.


1. I cannot update the so_rules via pulledpork. It's not even working if I try to dump the so_rules manually. It is picking up a weird path (same as mentioned in the thread http://seclists.org/snort/2013/q4/126). It is said in this thread to touch or copy. I couldn't understand what exactly needs to be done. What is the resolution to it? I already copied the required .so files so as to get the dump dynamic option to work. On which files am I supposed to do the touch?

2. If I try to disable the so_rule configuration within snort.conf and pulledpork.conf, it gives me the error "ERROR: /etc/snort/snort.conf(373) => Too many parameters for option in Session config."

Please suggest what should be done to resolve the issue.


Regards,
Anshuman

"Legal Disclaimer: This electronic message and all contents contain information from Cybage Software Private Limited which may be privileged, confidential, or otherwise protected from disclosure. The information is intended to be for the addressee(s) only. If you are not an addressee, any disclosure, copy, distribution, or use of the contents of this message is strictly prohibited. If you have received this electronic message in error please notify the sender by reply e-mail to and destroy the original message and all copies. Cybage has taken every reasonable precaution to minimize the risk of malicious content in the mail, but is not liable for any damage you may sustain as a result of any malicious content in this e-mail. You should carry out your own malicious content checks before opening the e-mail or attachment." www.cybage.com<http://www.cybage.com>
