Snort mailing list archives
Re: dump dynamic rules problem.
From: Husnu Demir <hdemir () metu edu tr>
Date: Wed, 23 Dec 2009 16:06:19 +0200
I used

/usr/local/snort-2.8.5.1/bin/snort -l /var/log/snort/ -c /usr/local/snort-2.8.5.1/etc/snort.conf -i eth0

hdemir.

PS: I gave the last output to show that it is working with the so_rules but did not dump the so_rules.

Steven Sturges wrote:
> What other command line arguments are you passing to snort?
>
> When Snort prints out the version information and related for each of the various objects loaded, it is operating in its normal run mode.
>
> Husnu Demir wrote:
>> Yes, I tried that option also, but no luck. There are no rules files in the /tmp/ dir. I used the *.rules files in the so_rules directory and ran snort; it gave me the following result:
>>
>> ..
>> ..
>>         --== Initialization Complete ==--
>>
>>    ,,_     -*> Snort! <*-
>>   o"  )~   Version 2.8.5.1 (Build 114)
>>    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
>>            Copyright (C) 1998-2009 Sourcefire, Inc., et al.
>>            Using PCRE version: 7.6 2008-01-28
>>
>>            Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.11  <Build 17>
>>
>>            Rules Object: netbios  Version 1.0  <Build 1>
>>            Rules Object: imap  Version 1.0  <Build 1>
>>            Rules Object: web-client  Version 1.0  <Build 1>
>>            Rules Object: nntp  Version 1.0  <Build 1>
>>            Rules Object: dos  Version 1.0  <Build 1>
>>            Rules Object: smtp  Version 1.0  <Build 1>
>>            Rules Object: web-misc  Version 1.0  <Build 1>
>>            Rules Object: sql  Version 1.0  <Build 1>
>>            Rules Object: multimedia  Version 1.0  <Build 1>
>>            Rules Object: misc  Version 1.0  <Build 1>
>>            Rules Object: p2p  Version 1.0  <Build 1>
>>            Rules Object: web-activex  Version 1.0  <Build 1>
>>            Rules Object: chat  Version 1.0  <Build 1>
>>            Rules Object: exploit  Version 1.0  <Build 1>
>>            Rules Object: bad-traffic  Version 1.0  <Build 1>
>>
>>            Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 2>
>>            Preprocessor Object: SF_SSH  Version 1.1  <Build 2>
>>            Preprocessor Object: SF_SSLPP  Version 1.1  <Build 3>
>>            Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 12>
>>            Preprocessor Object: SF_SMTP  Version 1.1  <Build 8>
>>            Preprocessor Object: SF_DNS  Version 1.1  <Build 3>
>>            Preprocessor Object: SF_Dynamic_Example_Preprocessor  Version 1.0  <Build 1>
>>            Preprocessor Object: SF_DCERPC  Version 1.1  <Build 5>
>>
>> So it is working. But I could not dump the files. And there is no error.
>>
>> Thanks.
>> hdemir.
>>
>> Steven Sturges wrote:
>>> Pretty sure you need an = between the option and the path, i.e.
>>>
>>> /usr/local/snort-2.8.5.1/bin/snort --dump-dynamic-rules=/tmp/
>>>
>>> Husnu Demir wrote:
>>>> Hi People,
>>>>
>>>> The /usr/local/snort-2.8.5.1/bin/snort --dump-dynamic-rules /tmp/ command is not working properly.
>>>>
>>>> /usr/local/snort-2.8.5.1/bin/snort --dump-dynamic-rules /tmp/
>>>> Running in Rule Dump mode
>>>>
>>>>         --== Initializing Snort ==--
>>>> Initializing Output Plugins!
>>>> Snort BPF option: /tmp
>>>> ERROR: snort.c(5049) Please specify the directory path for dumping the dynamic rules
>>>> Fatal Error, Quitting..
>>>>
>>>> When I try /usr/local/snort-2.8.5.1/bin/snort --dump-dynamic-rules=/tmp
>>>>
>>>> Running in Rule Dump mode
>>>>
>>>>         --== Initializing Snort ==--
>>>> Initializing Output Plugins!
>>>> Dumping dynamic rules...
>>>> Finished dumping dynamic rules.
>>>> Snort exiting
>>>>
>>>> ls /tmp
>>>> total 0
>>>>
>>>> My snort config
>>>> .. snips..
>>>> ..
>>>> dynamicdetection directory /usr/local/snort-2.8.5.1/lib/snort_dynamicrules/
>>>> ..
>>>>
>>>> uname -a
>>>> Linux kaf 2.6.26-2-xen-amd64 #1 SMP Thu Nov 5 04:27:12 UTC 2009 x86_64 GNU/Linux
>>>>
>>>> Also I used precompiled Ubuntu 8.04 rules.so.
>>>>
>>>> Thanks.
>>>> hdemir.
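The first failure in the thread ("Snort BPF option: /tmp" followed by the "Please specify the directory path" error) is the behaviour of a getopt_long option declared with optional_argument: a value only binds when it is attached with "=", and a separate following word falls through as a positional argument, which Snort passes to its BPF filter. The following is an added example, not Snort's own code; the option table and the function parse_dump_args are an illustrative stand-in, not the project's parser.

```c
#define _GNU_SOURCE
#include <getopt.h>
#include <stdio.h>
#include <string.h>

/* Outcome of one parse. A leftover positional word is what Snort would
 * hand to its BPF filter, as "Snort BPF option: /tmp" in the thread shows. */
struct dump_args {
    const char *dump_dir;   /* value bound to the option, NULL if none */
    const char *positional; /* first non-option word, NULL if none */
    int dump_requested;     /* 1 if --dump-dynamic-rules was seen at all */
};

/* Stand-in parser (assumption: illustrative option table, not Snort's source).
 * With optional_argument, getopt_long binds a value only when it is written
 * as --dump-dynamic-rules=DIR; it never consumes the next word for it. */
struct dump_args parse_dump_args(int argc, char **argv)
{
    static const struct option longopts[] = {
        { "dump-dynamic-rules", optional_argument, NULL, 'D' },
        { NULL, 0, NULL, 0 }
    };
    struct dump_args r = { NULL, NULL, 0 };
    int c;

    optind = 1; /* restart scanning so the function can be called repeatedly */
    while ((c = getopt_long(argc, argv, "", longopts, NULL)) != -1) {
        if (c == 'D') {
            r.dump_requested = 1;
            r.dump_dir = optarg; /* NULL for "--dump-dynamic-rules /tmp/" */
        }
    }
    if (optind < argc)
        r.positional = argv[optind]; /* the word Snort would treat as BPF */
    return r;
}

int main(void)
{
    char *spaced[] = { "snort", "--dump-dynamic-rules", "/tmp/", NULL };
    char *joined[] = { "snort", "--dump-dynamic-rules=/tmp/", NULL };
    struct dump_args a = parse_dump_args(3, spaced);
    struct dump_args b = parse_dump_args(2, joined);

    printf("separate word: dir=%s positional=%s\n",
           a.dump_dir ? a.dump_dir : "(none)", a.positional ? a.positional : "(none)");
    printf("with '=':      dir=%s positional=%s\n",
           b.dump_dir ? b.dump_dir : "(none)", b.positional ? b.positional : "(none)");
    return 0;
}
```

The first form reports no directory and "/tmp/" as a positional word, the second binds "/tmp/" to the option and leaves nothing positional, matching the two runs quoted above.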