[Snort-users] Upgrade to 2.9.7.0 results in Pulledpork not generating stub rules

Y M snort at ...15979...
Tue Nov 11 16:36:27 EST 2014


Can you please run PulledPork with -v and copy the output? I recall my output had lines confirming that the .so rules are being copied, including the new .so rules that were formed due to the recent categorization of the .so rules - which I took as a confirmation that it is working. I will cross check the output from your run with mine by tomorrow.

YM

Sent from Mobile
________________________________
From: James Lay<mailto:jlay at ...13475...>
Sent: 11/12/2014 12:23 AM
To: Y M<mailto:snort at ...15979...>
Cc: snort-users<mailto:snort-users at lists.sourceforge.net>
Subject: RE: [Snort-users] Upgrade to 2.9.7.0 results in Pulledpork not  generating stub rules

On 2014-11-11 14:23, Y M wrote:
> Hmm..The second command will only generate the stub rules (.rules) for the .so rules but not the .so files themselves.
>
> The way PulledPork knows which ones to copy, as far as I understand, is by reading the version from the Snort binary itself, or if you have the version explicitly specified in pulledpork.conf. Either way, I think the distro also plays a role in it. For example, under so_rules/precompiled/ there is no directory for Ubuntu 14-04 last time I checked, so if the distro is not specified properly PulledPork "may not" be able to copy them. I can verify tomorrow.
>
> YM
>
> Sent from Mobile
>
> -------------------------
> From: James Lay
> Sent: 11/12/2014 12:07 AM
> To: Y M
> Cc: snort-users
> Subject: RE: [Snort-users] Upgrade to 2.9.7.0 results in Pulledpork not generating stub rules
>
> On 2014-11-11 13:52, Y M wrote:
>  >> To: snort at ...15979...
>  >> Subject: RE: [Snort-users] Upgrade to 2.9.7.0 results in Pulledpork not generating stub rules
>  >> Date: Tue, 11 Nov 2014 13:46:41 -0700
>  >> From: jlay at ...13475...
>  >> CC: snort-users at lists.sourceforge.net
>  >>
>  >> On 2014-11-11 13:43, Y M wrote:
>  >> >> To: snort-users at lists.sourceforge.net
>  >> >> Date: Tue, 11 Nov 2014 13:37:26 -0700
>  >> >> From: jlay at ...13475...
>  >> >> Subject: Re: [Snort-users] Upgrade to 2.9.7.0 results in Pulledpork not generating stub rules
>  >> >>
>  >> >> On 2014-11-11 13:33, Joel Esler (jesler) wrote:
>  >> >> > Looks like you are trying to use 2962 rules with 2970 or something.
>  >> >> >
>  >> >> > --
>  >> >> > JOEL ESLER Sent from my iPhone
>  >> >> >
>  >> >> > On Nov 11, 2014, at 3:12 PM, James Lay <jlay at ...13475...> wrote:
>  >> >> >
>  >> >> >> Topic says it:
>  >> >> >>
>  >> >> >> Generating Stub Rules....
>  >> >> >> An error occurred: WARNING: No dynamic libraries found in directory /usr/local/lib/snort_dynamicrules.
>  >> >> >>
>  >> >> >> Indeed after clearing out snort_dynamicrules after:
>  >> >> >>
>  >> >> >> An error occurred: ERROR: The dynamic detection library "/usr/local/lib/snort_dynamicrules/web-activex.so" version 1.0 compiled with dynamic engine library version 2.1 isn't compatible with the current dynamic engine library "/usr/local/lib/snort_dynamicengine/libsf_engine.so" version 2.4.
>  >> >> >>
>  >> >> >> I'm using VRT ruleset...has something changed since 2.9.6.2? Thank you.
>  >> >> >>
>  >> >> >> James
>  >> >> >>
>  >> >>
>  >> >> Maybe I need to blow out the rules....my pp run shows:
>  >> >>
>  >> >> Checking latest MD5 for snortrules-snapshot-2970.tar.gz....
>  >> >> Rules tarball download of snortrules-snapshot-2970.tar.gz....
>  >> >>
>  >> >> So not sure at this point...I'll try nuking the rules..thanks for looking Joel.
>  >> >>
>  >> >> James
>  >> >
>  >> > Try manually deleting the old .so rules and then copy the new ones. That's what I did on the dev box and it was a smooth upgrade.
>  >> >
>  >> > YM
>  >>
>  >> Thanks YM..can you refresh my memory on how to create the so rules manually? Been using PP too long I guess :) Thanks again.
>  >>
>  >> James
>  >
>  > They should be included in the rules tarball itself:
>  >
>  > cp so_rules/precompiled/<distro>/<archi>/2.9.7.0/* /snort/path/lib/snort_dynamicrules/
>  >
>  > or if you want to just generate the stub files:
>  >
>  > /usr/local/bin/snort -c /usr/local/etc/snort.conf --dump-dynamic-rules=/tmp
>  >
>  > YM
>
>  Thanks YM...I had to copy them since it didn't look like generating them actually created so, just precomp:
>
>  Running in Rule Dump mode
>
>  --== Initializing Snort ==--
>  Initializing Output Plugins!
>  Initializing Preprocessors!
>  Initializing Plug-ins!
>  Parsing Rules file "external.conf"
>  PortVar 'HTTP_PORTS' defined : [ 80 8080 ]
>  PortVar 'SHELLCODE_PORTS' defined : [ 0:24 26:79 81:65535 ]
>  PortVar 'ORACLE_PORTS' defined : [ 1024:65535 ]
>  PortVar 'SSH_PORTS' defined : [ 22 ]
>  PortVar 'FTP_PORTS' defined : [ 21 2100 3535 ]
>  PortVar 'SIP_PORTS' defined : [ 5060:5061 5600 ]
>  PortVar 'FILE_DATA_PORTS' defined : [ 25 80 8080 ]
>  PortVar 'GTP_PORTS' defined : [ 2123 2152 3386 ]
>  Detection:
>  Search-Method = AC-Full-Q
>  Split Any/Any group = enabled
>  Search-Method-Optimizations = enabled
>  Maximum pattern length = 20
>  Tagged Packet Limit: 256
>  Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
>  Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules...
>  WARNING: No dynamic libraries found in directory /usr/local/lib/snort_dynamicrules.
>  Finished Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules
>  Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
>  Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so... done
>
>  I think I'm missing a step, but I'm gonna roll with it...I don't think my pp is correctly creating the so rules. :(
>
>  James
>

Thanks YM...here's what I got from pp.conf:

distro=Ubuntu-12-4

And after sshing in:

Welcome to Ubuntu 12.04.5 LTS (GNU/Linux 3.13.0-39-generic x86_64)

Yea...something seems not to be working...all my other instances have
outdated so rules...hrmmm.

James
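The distro/version lookup YM describes in the quoted thread (PulledPork copies the .so files from so_rules/precompiled/<distro>/<arch>/<version>, using the distro from pulledpork.conf and the version from the Snort binary), as an added example that is not part of the thread and not PulledPork's or Snort's own code: a POSIX shell check that reads distro= from pulledpork.conf, takes the version from `snort -V` output, and reports whether the unpacked tarball has a matching .so directory, listing the distros it does ship when it does not. The tarball layout, distro names and conf contents are constructed for the demo and do not describe the real 2.9.7.0 tarball.

```shell
#!/bin/sh
# Added example (not code from the thread, PulledPork or Snort): check whether
# distro= in pulledpork.conf plus the running Snort version resolve to a
# precompiled .so directory in the unpacked rules tarball.
set -eu

# Version from `snort -V` output, passed in as text so it runs offline:
# "Version 2.9.7.0 GRE (Build 149)" -> 2.9.7.0
snort_version() {
    printf '%s\n' "$1" | sed -n 's/.*Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Active distro= value from pulledpork.conf, skipping commented-out lines.
pp_distro() {
    sed -n 's/^[[:space:]]*distro[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# Directory PulledPork copies from: so_rules/precompiled/<distro>/<arch>/<version>
so_dir() { printf '%s/so_rules/precompiled/%s/%s/%s\n' "$1" "$2" "$3" "$4"; }

# True only if the directory exists and holds at least one .so file.
has_so() { ls "$1"/*.so >/dev/null 2>&1; }
so_dir_ok() { has_so "$(so_dir "$1" "$2" "$3" "$4")"; }

# Distros that do ship .so files for this arch/version, so a near miss such as
# Ubuntu-12-4 configured vs Ubuntu-12-04 shipped is visible at a glance.
shipped_distros() {
    for d in "$1"/so_rules/precompiled/*/"$2"/"$3"; do
        has_so "$d" && basename "$(dirname "$(dirname "$d")")"
    done; return 0
}

# Constructed tarball layout and conf for the demo; the directory names are
# hypothetical and do not describe what the real 2.9.7.0 tarball contained.
make_sample_tree() {
    mkdir -p "$1/so_rules/precompiled/Ubuntu-12-04/x86-64/2.9.7.0"
    : > "$1/so_rules/precompiled/Ubuntu-12-04/x86-64/2.9.7.0/web-activex.so"
    printf '# distro=Ubuntu-10-4\ndistro=Ubuntu-12-4\n' > "$1/pulledpork.conf"
}

# Demo: the configured name does not match the shipped directory.
tree=$(mktemp -d); make_sample_tree "$tree"
ver=$(snort_version "  o\"  )~   Version 2.9.7.0 GRE (Build 149)")
distro=$(pp_distro "$tree/pulledpork.conf")
if so_dir_ok "$tree" "$distro" x86-64 "$ver"; then
    echo "ok: $(so_dir "$tree" "$distro" x86-64 "$ver")"
else
    echo "no .so rules for distro=$distro version=$ver"
    echo "tarball ships .so rules for: $(shipped_distros "$tree" x86-64 "$ver" | tr '\n' ' ')"
fi
rm -rf "$tree"
```

Run it against a real unpacked snortrules-snapshot tarball by replacing the constructed tree with the tarball directory and the embedded text with `snort -V 2>&1`; an empty "ships" list for your version means the tarball has no precompiled .so rules for that arch/version at all, not just a misspelled distro.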
