[Snort-users] Upgrade to 2.9.7.0 results in Pulledpork not generating stub rules

Y M snort at ...15979...
Tue Nov 11 16:23:06 EST 2014


Hmm.. The second command will only generate the stub rules (.rules) for the .so rules but not the .so files themselves.

The way PulledPork knows which ones to copy, as far as I understand, is by reading the version from the Snort binary itself, or if you have the version explicitly specified in pulledpork.conf. Either way, I think the distro also plays a role in it. For example, under so_rules/precompiled/ there is no directory for Ubuntu 14-04 last time I checked, so if the distro is not specified properly PulledPork "may not" be able to copy them. I can verify tomorrow.

YM

Sent from Mobile
________________________________
From: James Lay<mailto:jlay at ...13475...>
Sent: 11/12/2014 12:07 AM
To: Y M<mailto:snort at ...15979...>
Cc: snort-users<mailto:snort-users at lists.sourceforge.net>
Subject: RE: [Snort-users] Upgrade to 2.9.7.0 results in Pulledpork not generating stub rules

On 2014-11-11 13:52, Y M wrote:
>> To: snort at ...15979...
>> Subject: RE: [Snort-users] Upgrade to 2.9.7.0 results in Pulledpork not generating stub rules
>> Date: Tue, 11 Nov 2014 13:46:41 -0700
>> From: jlay at ...13475...
>> CC: snort-users at lists.sourceforge.net
>>
>> On 2014-11-11 13:43, Y M wrote:
>> >> To: snort-users at lists.sourceforge.net
>> >> Date: Tue, 11 Nov 2014 13:37:26 -0700
>> >> From: jlay at ...13475...
>> >> Subject: Re: [Snort-users] Upgrade to 2.9.7.0 results in Pulledpork not generating stub rules
>> >>
>> >> On 2014-11-11 13:33, Joel Esler (jesler) wrote:
>> >> > Looks like you are trying to use 2962 rules with 2970 or something.
>> >> >
>> >> > --
>> >> > JOEL ESLER Sent from my iPhone
>> >> >
>> >> > On Nov 11, 2014, at 3:12 PM, James Lay <jlay at ...13475... [6]> wrote:
>> >> >
>> >> >> Topic says it:
>> >> >>
>> >> >> Generating Stub Rules....
>> >> >> An error occurred: WARNING: No dynamic libraries found in
>> >> >> directory /usr/local/lib/snort_dynamicrules.
>> >> >>
>> >> >> Indeed after clearing out snort_dynamicrules after:
>> >> >>
>> >> >> An error occurred: ERROR: The dynamic detection library
>> >> >> "/usr/local/lib/snort_dynamicrules/web-activex.so" version 1.0
>> >> >> compiled with dynamic engine library version 2.1 isn't compatible
>> >> >> with the current dynamic engine library
>> >> >> "/usr/local/lib/snort_dynamicengine/libsf_engine.so" version 2.4.
>> >> >>
>> >> >> I'm using VRT ruleset...has something changed since 2.9.6.2? Thank
>> >> >> you.
>> >> >>
>> >> >> James
>> >> >>
>> >>
>> >> Maybe I need to blow out the rules....my pp run shows:
>> >>
>> >> Checking latest MD5 for snortrules-snapshot-2970.tar.gz....
>> >> Rules tarball download of snortrules-snapshot-2970.tar.gz....
>> >>
>> >> So not sure at this point...I'll try nuking the rules..thanks for
>> >> looking Joel.
>> >>
>> >> James
>> >
>> > Try manually deleting the old .so rules and then copy the new ones.
>> > Thats what I did on the dev box and it was a smooth upgrade.
>> >
>> > YM
>>
>> Thanks YM..can you refresh my memory on how to create the so rules
>> manually? Been using PP too long I guess :) Thanks again.
>>
>> James
>
> They should be included in the rules tarball itself:
>
> cp so_rules/precompiled/<distro>/<archi>/2.9.7.0/* /snort/path/lib/snort_dynamicrules/
>
> or if your want to just generate the stub files:
>
> /usr/local/bin/snort -c /usr/local/etc/snort.conf --dump-dynamic-rules=/tmp
>
> YM

Thanks YM...I had to copy them since it didn't look like generating
them actually created so, just precomp:

Running in Rule Dump mode

         --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "external.conf"
PortVar 'HTTP_PORTS' defined :  [ 80 8080 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:24 26:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
PortVar 'SSH_PORTS' defined :  [ 22 ]
PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
PortVar 'SIP_PORTS' defined :  [ 5060:5061 5600 ]
PortVar 'FILE_DATA_PORTS' defined :  [ 25 80 8080 ]
PortVar 'GTP_PORTS' defined :  [ 2123 2152 3386 ]
Detection:
    Search-Method = AC-Full-Q
     Split Any/Any group = enabled
     Search-Method-Optimizations = enabled
     Maximum pattern length = 20
Tagged Packet Limit: 256
Loading dynamic engine
/usr/local/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic detection libs from
/usr/local/lib/snort_dynamicrules...
WARNING: No dynamic libraries found in directory
/usr/local/lib/snort_dynamicrules.
   Finished Loading all dynamic detection libs from
/usr/local/lib/snort_dynamicrules
Loading all dynamic preprocessor libs from
/usr/local/lib/snort_dynamicpreprocessor/...
   Loading dynamic preprocessor library
/usr/local/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so... done

I think I'm missing a step, but I'm gonna roll with it...I don't think
my pp is correctly creating the so rules. :(

James
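The procedure the thread arrives at, written out as one script: read the running Snort version the way YM describes PulledPork doing it, pick the matching so_rules/precompiled/<distro>/<arch>/<version>/ directory from the extracted rules tarball, replace the stale .so files in snort_dynamicrules (the engine-version mismatch James hit), then have Snort write the stub .rules with --dump-dynamic-rules. This is an added example, not code from the thread or from PulledPork; the distro/arch directory names, the SNORT, SNORT_CONF and STUB_DIR variables, and the parsing of `snort -V` output are assumptions.

```sh
#!/bin/sh
# Added example (not PulledPork's code). Assumes the rules tarball has been
# extracted under $rules_root and that `snort -V` prints a line of the form
# "Version 2.9.7.0 GRE (Build 149)". Distro/arch names are assumptions.

# Extract "X.Y.Z.W" from `snort -V` output; prints nothing if no match.
snort_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/.*Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Print the precompiled SO-rules directory for distro/arch/version, or
# fail and list the distros the tarball actually ships (the case YM
# describes: no directory for the running distro means nothing to copy).
precompiled_dir() {
    rules_root=$1; distro=$2; arch=$3; version=$4
    dir="$rules_root/so_rules/precompiled/$distro/$arch/$version"
    if [ -d "$dir" ]; then
        printf '%s\n' "$dir"
        return 0
    fi
    echo "no precompiled SO rules for $distro/$arch/$version" >&2
    echo "available distros: $(ls "$rules_root/so_rules/precompiled" 2>/dev/null | tr '\n' ' ')" >&2
    return 1
}

# Remove every old .so first: a library built against an older dynamic
# engine makes Snort abort at startup, so a stale file is worse than none.
# Then copy the matching set in and print how many were installed.
install_so_rules() {
    src=$1; dest=$2
    mkdir -p "$dest"
    find "$dest" -name '*.so' -type f -exec rm -f {} +
    cp "$src"/*.so "$dest"/
    ls "$dest"/*.so | wc -l | tr -d ' '
}

# Stub .rules are generated by Snort from the loaded .so files; they are
# not copied from the tarball, which is why the dump alone did not help.
dump_stub_rules() {
    snort_bin=$1; conf=$2; stub_dir=$3
    "$snort_bin" -c "$conf" --dump-dynamic-rules="$stub_dir"
}

# Usage: ./so_rules.sh /path/to/extracted/rules Ubuntu-12-04 x86-64 /usr/local/lib/snort_dynamicrules
main() {
    rules_root=$1; distro=$2; arch=$3; dest=$4
    snort_bin=${SNORT:-/usr/local/bin/snort}
    version=$(snort_version_from_output "$("$snort_bin" -V 2>&1)")
    [ -n "$version" ] || { echo "could not read Snort version from $snort_bin -V" >&2; return 1; }
    src=$(precompiled_dir "$rules_root" "$distro" "$arch" "$version") || return 1
    echo "installed $(install_so_rules "$src" "$dest") SO rules for Snort $version"
    dump_stub_rules "$snort_bin" "${SNORT_CONF:-/usr/local/etc/snort.conf}" "${STUB_DIR:-/tmp}"
}

if [ $# -ge 4 ]; then main "$@"; fi
```

The version check is the point: the .so files are compiled per Snort release and per dynamic-engine version, so a 2.9.6.2 library in snort_dynamicrules is not merely ignored by 2.9.7.0, it stops Snort from loading. Running the copy step only after the version and distro directory have both been confirmed is what keeps a rules update from taking the sensor down.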