[Snort-users] Snort: setup SO rules question.

Andrew Shagayev drewshg at ...11827...
Mon Mar 23 00:43:51 EDT 2015


Hi all!

OS X 10.10.2
Snort 2.9.7.2 GRE (Build 177)

Trying to set up the SO rules.

I've read /etc/snort/so_rules/src/README and done all those steps:

1. Make sure the dynamic preprocessor and dynamic engine paths are
    defined in snort.conf, for example:

    dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor
    dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so

2. Make sure the path to the location of the shared object rules is
    also defined in snort.conf, for example:

    dynamicdetection directory /usr/local/lib/snort_dynamicrule

3. Dump the stub rules by issuing the command:

    snort -c /usr/local/etc/snort/snort.conf --dump-dynamic-rules=/usr/local/etc/snort/so_rules

4. Use a variable to define the path to the stub rules, for example:

    var SO_RULE_PATH /usr/local/etc/snort/so_rules

5. Include the generated stub rule files in snort.conf in the same way
    the regular rules are included, for example:

    include $SO_RULE_PATH/netbios.rules

6. Test the installation by issuing the command:

    snort -c /usr/local/etc/snort/snort.conf -T

But there is nothing about where to put the "precompiled" .so files. Should
they go to /usr/local/lib/snort_dynamicrules?

And which distro would work with OS X?

I've tried putting in all the .so files for FreeBSD 10, but snort says:

Loading dynamic detection library
/usr/local/lib/snort_dynamicrules//browser-ie.so... ERROR: Failed to load
/usr/local/lib/snort_dynamicrules//browser-ie.so:
dlopen(/usr/local/lib/snort_dynamicrules//browser-ie.so, 6): no suitable
image found.  Did find:
    /usr/local/lib/snort_dynamicrules//browser-ie.so: unknown file type,
first eight bytes: 0x7F 0x45 0x4C 0x46 0x02 0x01 0x01 0x09
Fatal Error, Quitting..

This /usr/local/lib/snort_dynamicrules directory is empty right now and
snort says:

WARNING: No dynamic libraries found in directory
/usr/local/lib/snort_dynamicrules/.

Please point me where to find the explanation.

Thank you

-- 
A.S.
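The dlopen error quoted in the post already contains the diagnosis: the first eight bytes 0x7F 0x45 0x4C 0x46 0x02 0x01 0x01 0x09 are an ELF header (magic `\x7fELF`, 64-bit class, little-endian, OSABI value 9, which the ELF specification assigns to FreeBSD), and the macOS loader only accepts Mach-O images. The following script is an added example, not code from the post or from the Snort project, that decodes such headers and scans a `snort_dynamicrules` directory so the mismatch is visible before Snort aborts. The magic values are taken from the ELF and Mach-O formats; the sample headers in the demo are constructed to match the bytes in the post.

```python
"""Classify shared objects by file header to explain dlopen() failures.

Added example (not from the original post). The bytes quoted in the Snort
error decode to an ELF object built for FreeBSD; the macOS loader needs
Mach-O, so the file is rejected as "unknown file type".
"""
import os
import tempfile

ELF_MAGIC = b"\x7fELF"
# Mach-O and fat/universal magic numbers as they appear on disk (little-endian host)
MACHO_MAGICS = {
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit",
    b"\xca\xfe\xba\xbe": "Mach-O fat/universal",
}
# e_ident[EI_OSABI] values defined by the ELF specification
ELF_OSABI = {0: "System V", 3: "Linux", 9: "FreeBSD", 12: "OpenBSD"}


def describe_header(header: bytes) -> dict:
    """Decode the first eight bytes of a candidate shared object."""
    if header[:4] == ELF_MAGIC and len(header) >= 8:
        ei_class, ei_data, _ei_version, osabi = header[4:8]
        return {
            "format": "ELF",
            "bits": 64 if ei_class == 2 else 32,
            "endian": "little" if ei_data == 1 else "big",
            "osabi": ELF_OSABI.get(osabi, f"unknown ({osabi})"),
            "loadable_on_macos": False,  # macOS dlopen() rejects ELF outright
        }
    if header[:4] in MACHO_MAGICS:
        return {"format": MACHO_MAGICS[header[:4]], "loadable_on_macos": True}
    return {"format": "unknown", "loadable_on_macos": False}


def scan_rule_dir(path: str) -> dict:
    """Return {filename: description} for every .so in a dynamicdetection directory."""
    results = {}
    for name in sorted(os.listdir(path)):
        if not name.endswith(".so"):
            continue
        with open(os.path.join(path, name), "rb") as fh:
            results[name] = describe_header(fh.read(8))
    return results


if __name__ == "__main__":
    # Constructed sample directory: one header copied from the post's error
    # message (FreeBSD ELF) and one Mach-O 64-bit header for comparison.
    with tempfile.TemporaryDirectory() as rule_dir:
        samples = {
            "browser-ie.so": b"\x7f\x45\x4c\x46\x02\x01\x01\x09",
            "native-example.so": b"\xcf\xfa\xed\xfe\x07\x00\x00\x01",
        }
        for name, header in samples.items():
            with open(os.path.join(rule_dir, name), "wb") as fh:
                fh.write(header + b"\x00" * 56)
        for name, info in scan_rule_dir(rule_dir).items():
            verdict = "OK" if info["loadable_on_macos"] else "will not load on macOS"
            print(f"{name}: {info} -> {verdict}")
```

Run this against the real `/usr/local/lib/snort_dynamicrules/` to see, per file, whether the object is ELF (a Linux or BSD build) or Mach-O; any ELF entry reproduces the "unknown file type" failure in the post regardless of which distribution's package it came from.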