Re: dump dynamic rules problem.

[Husnu Demir <hdemir () metu edu tr>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks.

I am prety sure I tried that but could not manage. Perhaps I tried that without
"=" sign. Perhaps you should add "=" sign to the --help option :)


Best regards.
hdemir.


Matt Watchinski wrote:
> Maybe you truncated the following line in your previous email, but
>
> /usr/local/snort-2.8.5.1/bin/snort --dump-dynamic-rules=/tmp
>
> Snort doesn't know where the dynamic rules are if you don't give it a -c
> for the snort.conf
>
> snort -c snort.conf --dump-dynamic-rules=/tmp
>
> Cheers,
> -matt
>
> 2009/12/23 Husnu Demir <hdemir () metu edu tr <mailto:hdemir () metu edu tr>>
>
> /usr/local/snort-2.8.5.1/bin/snort -l /var/log/snort/ -c
> /usr/local/snort-2.8.5.1/etc/snort.conf -i eth0
>
>
> hdemir.
>
> PS: I gave the last output to show that it is working with the
> so_rules but did
> not dump the so_rules.
>
>
>
>
>
> Steven Sturges wrote:
> > What other command line arguments are you passing to snort?
>
> > When Snort prints out the version information and related for each
> > of the various objects loaded, it is operating in its normal
> > run mode.
>
> > Husnu Demir wrote:
> > > Yes I tried that option also, but no luck. There is no rules
> files in /tmp/ dir.
> > > I used the *.rules files in so_rules directory and run the snort;
> It gave me the
> > > following result;
> > >
> > > ..
> > > ..
> > >
> > >         --== Initialization Complete ==--
> > >
> > >    ,,_     -*> Snort! <*-
> > >   o"  )~   Version 2.8.5.1 (Build 114)
> > >    ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/snort/snort-team
> > >            Copyright (C) 1998-2009 Sourcefire, Inc., et al.
> > >            Using PCRE version: 7.6 2008-01-28
> > >
> > >            Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.11
>  <Build 17>
> > >            Rules Object: netbios  Version 1.0  <Build 1>
> > >            Rules Object: imap  Version 1.0  <Build 1>
> > >            Rules Object: web-client  Version 1.0  <Build 1>
> > >            Rules Object: nntp  Version 1.0  <Build 1>
> > >            Rules Object: dos  Version 1.0  <Build 1>
> > >            Rules Object: smtp  Version 1.0  <Build 1>
> > >            Rules Object: web-misc  Version 1.0  <Build 1>
> > >            Rules Object: sql  Version 1.0  <Build 1>
> > >            Rules Object: multimedia  Version 1.0  <Build 1>
> > >            Rules Object: misc  Version 1.0  <Build 1>
> > >            Rules Object: p2p  Version 1.0  <Build 1>
> > >            Rules Object: web-activex  Version 1.0  <Build 1>
> > >            Rules Object: chat  Version 1.0  <Build 1>
> > >            Rules Object: exploit  Version 1.0  <Build 1>
> > >            Rules Object: bad-traffic  Version 1.0  <Build 1>
> > >            Preprocessor Object: SF_DCERPC2  Version 1.0  <Build 2>
> > >            Preprocessor Object: SF_SSH  Version 1.1  <Build 2>
> > >            Preprocessor Object: SF_SSLPP  Version 1.1  <Build 3>
> > >            Preprocessor Object: SF_FTPTELNET  Version 1.2  <Build 12>
> > >            Preprocessor Object: SF_SMTP  Version 1.1  <Build 8>
> > >            Preprocessor Object: SF_DNS  Version 1.1  <Build 3>
> > >            Preprocessor Object: SF_Dynamic_Example_Preprocessor
>  Version 1.0
> > > <Build 1>
> > >            Preprocessor Object: SF_DCERPC  Version 1.1  <Build 5>
> > >
> > >
> > > So it is working. BUt I could not dump the files. And there is no
> error.
> > > Thanks.
> > >
> > > hdemir.
> > >
> > > Steven Sturges wrote:
> > > > Pretty sure you need an = between the option and the path, ie.
> > > > /usr/local/snort-2.8.5.1/bin/snort --dump-dynamic-rules=/tmp/
> > > > Husnu Demir wrote:
> > > > > Hi People,
> > > > >
> > > > >
> > > > > /usr/local/snort-2.8.5.1/bin/snort --dump-dynamic-rules /tmp/
> command is not
> > > > > working properly.
> > > > >
> > > > > /usr/local/snort-2.8.5.1/bin/snort --dump-dynamic-rules /tmp/
> > > > > Running in Rule Dump mode
> > > > >
> > > > >         --== Initializing Snort ==--
> > > > > Initializing Output Plugins!
> > > > > Snort BPF option: /tmp
> > > > > ERROR: snort.c(5049) Please specify the directory path for
> dumping the dynamic rules
> > > > > Fatal Error, Quitting..
> > > > >
> > > > >
> > > > >
> > > > > When I try
> > > > >
> > > > > /usr/local/snort-2.8.5.1/bin/snort --dump-dynamic-rules=/tmp
> > > > > Running in Rule Dump mode
> > > > >
> > > > >         --== Initializing Snort ==--
> > > > > Initializing Output Plugins!
> > > > > Dumping dynamic rules...
> > > > >   Finished dumping dynamic rules.
> > > > > Snort exiting
> > > > >
> > > > > ls /tmp
> > > > > total 0
> > > > >
> > > > >
> > > > >
> > > > > My snort config ..
> > > > >
> > > > > snips..
> > > > > ..
> > > > >
> > > > > dynamicdetection directory
> /usr/local/snort-2.8.5.1/lib/snort_dynamicrules/
> > > > > ..
> > > > >
> > > > >
> > > > > uname -a
> > > > > Linux kaf 2.6.26-2-xen-amd64 #1 SMP Thu Nov 5 04:27:12 UTC 2009
> x86_64 GNU/Linux
> > > > > Also I used precompiled Ubuntu 8.04 rules.so.
> > > > >
> > > > >
> > > > > Thanks.
> > > > >
> > > > > hdemir.
> > > > >
> > > > > I used
> ------------------------------------------------------------------------
> > > >
> ------------------------------------------------------------------------------
> > > > This SF.Net email is sponsored by the Verizon Developer Community
> > > > Take advantage of Verizon's best-in-class app development support
> > > > A streamlined, 14 day to market process makes app distribution
> fast and easy
> > > > Join now and get one step closer to millions of Verizon customers
> > > > http://p.sf.net/sfu/verizon-dev2dev
> > >
> > > >
> ------------------------------------------------------------------------
> > > > _______________________________________________
> > > > Snort-devel mailing list
> > > > Snort-devel () lists sourceforge net
> <mailto:Snort-devel () lists sourceforge net>
> > > > https://lists.sourceforge.net/lists/listinfo/snort-devel

- ------------------------------------------------------------------------------
This SF.Net email is sponsored by the Verizon Developer Community
Take advantage of Verizon's best-in-class app development support
A streamlined, 14 day to market process makes app distribution fast
and easy
Join now and get one step closer to millions of Verizon customers
http://p.sf.net/sfu/verizon-dev2dev
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
<mailto:Snort-devel () lists sourceforge net>
https://lists.sourceforge.net/lists/listinfo/snort-devel




> -- 
> Matthew Watchinski
> Sr. Director Vulnerability Research Team (VRT)
> Sourcefire, Inc.
> Office: 410-423-1928
> http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAksyNt0ACgkQHgR50XBBy+lpSgCfRb+HKbwbL0jHg/QjI1mF7h2S
q5gAn264sQwwhnPcdhbimM8qjMAqu41x
=fYPu
-----END PGP SIGNATURE-----

Attachment: hdemir.vcf
Description:

------------------------------------------------------------------------------
This SF.Net email is sponsored by the Verizon Developer Community
Take advantage of Verizon's best-in-class app development support
A streamlined, 14 day to market process makes app distribution fast and easy
Join now and get one step closer to millions of Verizon customers
http://p.sf.net/sfu/verizon-dev2dev

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel