[Snort-users] Error when dumping so_rules with custom path using snort

waldo kitty wkitty42 at ...14940...
Mon Nov 3 14:45:06 EST 2014

On 11/3/2014 11:38 AM, Sec_Aficionado wrote:
> OK, I solved the problem.
> My snort.conf file had a line in section 9 (SO rules) saying this:
> *include $SO_RULE_PATH/so_rules.rules*
> This file (so_rules.rules) did not exist, however, because I was dumping the
> rules for the first time in this machine. That caused the problem.
> I issued the command:
> *touch so_rules.rules*
> in that directory and then snort was able to dump the rules without a problem.

excellent! glad that you found the problem... IIRC, on the system we have, we 
had something similar and adjusted our steps so that the entry for that file 
wasn't done until after we had dumped the stubs... that was several years ago, 
though, so my memory of that is a little foggy...

using the shared object rules has always been problematic in our environment due 
to them needing to be compiled and we don't offer those or system updates every 
time the rules are updated or changed... especially since our environment is a 
stripped system to provide an extremely small attack surface and thus no 
compiler is available on live systems... only dev systems have that luxury ;)

  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.

More information about the Snort-users mailing list