[Snort-users] Upgrade to 2.9.7.0 results in Pulledpork not generating stub rules

James Lay jlay at ...13475...
Tue Nov 11 16:07:42 EST 2014


On 2014-11-11 13:52, Y M wrote:
>> To: snort at ...15979...
>> Subject: RE: [Snort-users] Upgrade to 2.9.7.0 results in Pulledpork not generating stub rules
>> Date: Tue, 11 Nov 2014 13:46:41 -0700
>> From: jlay at ...13475...
>> CC: snort-users at lists.sourceforge.net
>>
>> On 2014-11-11 13:43, Y M wrote:
>> >> To: snort-users at lists.sourceforge.net
>> >> Date: Tue, 11 Nov 2014 13:37:26 -0700
>> >> From: jlay at ...13475...
>> >> Subject: Re: [Snort-users] Upgrade to 2.9.7.0 results in Pulledpork not generating stub rules
>> >>
>> >> On 2014-11-11 13:33, Joel Esler (jesler) wrote:
>> >> > Looks like you are trying to use 2962 rules with 2970 or something.
>> >> >
>> >> > --
>> >> > JOEL ESLER Sent from my iPhone
>> >> >
>> >> > On Nov 11, 2014, at 3:12 PM, James Lay <jlay at ...13475...> wrote:
>> >> >
>> >> >> Topic says it:
>> >> >>
>> >> >> Generating Stub Rules....
>> >> >> An error occurred: WARNING: No dynamic libraries found in
>> >> >> directory /usr/local/lib/snort_dynamicrules.
>> >> >>
>> >> >> Indeed after clearing out snort_dynamicrules after:
>> >> >>
>> >> >> An error occurred: ERROR: The dynamic detection library
>> >> >> "/usr/local/lib/snort_dynamicrules/web-activex.so" version 1.0 compiled
>> >> >> with dynamic engine library version 2.1 isn't compatible with the
>> >> >> current dynamic engine library
>> >> >> "/usr/local/lib/snort_dynamicengine/libsf_engine.so" version 2.4.
>> >> >>
>> >> >> I'm using the VRT ruleset...has something changed since 2.9.6.2? Thank
>> >> >> you.
>> >> >>
>> >> >> James
>> >> >>
>> >>
>> >> Maybe I need to blow out the rules....my pp run shows:
>> >>
>> >> Checking latest MD5 for snortrules-snapshot-2970.tar.gz....
>> >> Rules tarball download of snortrules-snapshot-2970.tar.gz....
>> >>
>> >> So not sure at this point...I'll try nuking the rules..thanks for
>> >> looking Joel.
>> >>
>> >> James
>> >
>> > Try manually deleting the old .so rules and then copy the new ones.
>> > That's what I did on the dev box and it was a smooth upgrade.
>> >
>> > YM
>>
>> Thanks YM..can you refresh my memory on how to create the so rules
>> manually? Been using PP too long I guess :) Thanks again.
>>
>> James
>
> They should be included in the rules tarball itself:
>
> cp so_rules/precompiled/<distro>/<archi>/2.9.7.0/* /snort/path/lib/snort_dynamicrules/
>
> or if your want to just generate the stub files:
>
> /usr/local/bin/snort -c /usr/local/etc/snort.conf --dump-dynamic-rules=/tmp
>
> YM

Thanks YM...I had to copy them since it didn't look like generating 
them actually created so, just precomp:

Running in Rule Dump mode

         --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "external.conf"
PortVar 'HTTP_PORTS' defined :  [ 80 8080 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:24 26:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
PortVar 'SSH_PORTS' defined :  [ 22 ]
PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
PortVar 'SIP_PORTS' defined :  [ 5060:5061 5600 ]
PortVar 'FILE_DATA_PORTS' defined :  [ 25 80 8080 ]
PortVar 'GTP_PORTS' defined :  [ 2123 2152 3386 ]
Detection:
    Search-Method = AC-Full-Q
     Split Any/Any group = enabled
     Search-Method-Optimizations = enabled
     Maximum pattern length = 20
Tagged Packet Limit: 256
Loading dynamic engine 
/usr/local/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic detection libs from 
/usr/local/lib/snort_dynamicrules...
WARNING: No dynamic libraries found in directory 
/usr/local/lib/snort_dynamicrules.
   Finished Loading all dynamic detection libs from 
/usr/local/lib/snort_dynamicrules
Loading all dynamic preprocessor libs from 
/usr/local/lib/snort_dynamicpreprocessor/...
   Loading dynamic preprocessor library 
/usr/local/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so... done

I think I'm missing a step, but I'm gonna roll with it...I don't think 
my pp is correctly creating the so rules. :(

James
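The procedure YM describes (install the precompiled shared-object rules that match the running Snort, then have Snort write the stub rules), as an added shell example that is not part of this thread, of PulledPork or of Snort. It also adds the check the thread turned on: refusing to install a `.so` set built for a different Snort release, which is what the "compiled with dynamic engine library version 2.1 isn't compatible with ... version 2.4" error amounts to. The tarball layout is the one YM quoted; the `snort -V` banner format, the `Ubuntu-12-04`/`x86-64` directory names, the paths and the helper names (`snort_version_from_banner`, `precompiled_dir`, `install_so_rules`, `refresh_so_rules`) are this example's assumptions.

```shell
#!/bin/sh
# Added example; not code from the thread, PulledPork or the Snort project.
# Assumed (not stated in the thread): the rules tarball is already extracted
# under RULES_DIR, the precompiled tree follows the layout YM quoted
# (so_rules/precompiled/<distro>/<arch>/<version>/*.so), and `snort -V`
# prints a line containing "Version X.Y.Z.W".

# Pull the version number (e.g. 2.9.7.0) out of `snort -V` output on stdin.
snort_version_from_banner() {
    sed -n 's/.*Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Resolve the precompiled directory for this Snort version. Fails loudly when
# the tarball was built for another release (2962 rules on a 2970 binary),
# instead of letting Snort discover the engine-version mismatch at load time.
precompiled_dir() {
    rules_dir=$1 distro=$2 arch=$3 version=$4
    base="$rules_dir/so_rules/precompiled/$distro/$arch"
    if [ ! -d "$base/$version" ]; then
        echo "no precompiled SO rules for Snort $version under $base" >&2
        echo "versions in tarball: $(ls "$base" 2>/dev/null | tr '\n' ' ')" >&2
        return 1
    fi
    echo "$base/$version"
}

# Remove whatever .so files are already installed (stale ones are what trip
# the engine-version check), copy in the matching set, print how many landed.
install_so_rules() {
    src=$1 dst=$2
    mkdir -p "$dst"
    rm -f "$dst"/*.so
    cp "$src"/*.so "$dst"/
    n=0
    for f in "$dst"/*.so; do
        [ -f "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# The full procedure from YM's reply: install the matching .so set, then let
# Snort write the stub rules. Arguments:
#   rules_dir distro arch snort.conf so_dir stub_dir
refresh_so_rules() {
    version=$(snort -V 2>&1 | snort_version_from_banner)
    src=$(precompiled_dir "$1" "$2" "$3" "$version") || return 1
    count=$(install_so_rules "$src" "$5")
    echo "installed $count SO rules for Snort $version into $5"
    snort -c "$4" --dump-dynamic-rules="$6"
}

# Only touches the live system when invoked with "run", e.g.
#   sh refresh_so.sh run /tmp/snortrules Ubuntu-12-04 x86-64 \
#       /usr/local/etc/snort.conf /usr/local/lib/snort_dynamicrules /tmp/stubs
if [ "${1:-}" = "run" ]; then
    shift
    refresh_so_rules "$@"
fi
```

The stub files written by `--dump-dynamic-rules` are only as good as the `.so` files Snort could load, so an empty `snort_dynamicrules` directory (the "No dynamic libraries found" warning above) yields no stubs at all; install the libraries first, then dump.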



