Snort mailing list archives

Re: Regarding dynamic (so_rules) rules


From: Joel Esler <jesler () sourcefire com>
Date: Thu, 12 May 2011 10:40:09 -0400

John,

That's an option now with pulledpork. You can choose to have it put all the rules into one file, or you can choose to have 
pulledpork keep them in the original split-out files. 

Once I got used to it, I think having them all in the one file is much easier to manage and grep!

-- 
Sent from my iPad
Please excuse the brevity

On May 12, 2011, at 9:51 AM, John York <YorkJ () brcc edu> wrote:

Pretty much…

Just got time to rebuild my 2.8.6 with pulledpork 0.4 to 2.9.0.5 and pulledpork 0.6.1.  It’s not in the docs that I 
could find (I tend to miss a lot when I try to RTFM, tho), but you also need to comment out all the includes for the 
rules files in snort.conf, and include the two that pulledpork makes (snort.rules and so_rules.rules).  Everything 
else happens automagically once you get pulledpork.conf set up correctly.

I did have one weird thing happen.  I ran pp before I had all the errors out of my snort.conf, so when pp called 
snort for SO rules, snort quit.  I fixed the errors and then snort would complain that it couldn’t find 
/usr/local/etc/snort//user/local/etc/snort/somefile.rules.  Somehow, the rules path was getting repeated/duplicated.  
This happened even if I ran snort -T by itself.  I couldn’t find anything wrong, so I commented out all the rules 
includes in snort.conf and ran pp again.  It completed without snort errors, and I never saw the problem again after 
that.

Anyway, I agree.  SO rules are much easier with pulledpork.  Thanks JJ!

John
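The snort.conf change John describes above (disable the per-file rule includes, then include the two files pulledpork writes), as an added example script that is not part of this thread or of pulledpork itself. It assumes pulledpork writes `snort.rules` under `$RULE_PATH` and `so_rules.rules` under `$SO_RULE_PATH` (the thread only names the files; the output paths are set in pulledpork.conf), it leaves `$PREPROC_RULE_PATH` includes alone, and the names `rewrite_includes`, `active_includes` and `PULLEDPORK_INCLUDES` are this example's own. The sample configuration is constructed.

```python
"""Switch a snort.conf over to the two rule files pulledpork generates.

Added example, not code from the thread or from pulledpork. It comments out
every active `include $RULE_PATH/...` and `include $SO_RULE_PATH/...` line and
appends includes for snort.rules and so_rules.rules. Where those two files live
is an assumption; adjust PULLEDPORK_INCLUDES to the output paths in your
pulledpork.conf.
"""
import re
import sys

# Per-file includes that pulledpork's merged files replace. $PREPROC_RULE_PATH
# includes are deliberately left alone (assumption: not managed by pulledpork).
INCLUDE_RE = re.compile(r"^\s*include\s+\$(RULE_PATH|SO_RULE_PATH)/\S+")

PULLEDPORK_INCLUDES = [
    "include $RULE_PATH/snort.rules",        # assumed location
    "include $SO_RULE_PATH/so_rules.rules",  # assumed location
]
MARKER = "# rule includes below are generated by pulledpork (example script)"

# Constructed sample configuration in the style quoted in the thread.
SAMPLE_CONF = """\
var RULE_PATH /usr/local/etc/snort/rules
var SO_RULE_PATH /usr/local/etc/snort/so_rules
var PREPROC_RULE_PATH /usr/local/etc/snort/preproc_rules
include $RULE_PATH/local.rules
include $RULE_PATH/web-misc.rules
#include $RULE_PATH/experimental.rules
include $SO_RULE_PATH/bad-traffic.rules
include $PREPROC_RULE_PATH/preprocessor.rules
"""


def rewrite_includes(conf_text: str) -> str:
    """Return conf_text with per-file includes disabled and pulledpork's added.

    Idempotent: a second run returns the same text, so it is safe to re-run
    after every pulledpork upgrade.
    """
    out = []
    for line in conf_text.splitlines():
        stripped = line.strip()
        if stripped == MARKER or stripped in PULLEDPORK_INCLUDES:
            continue  # drop an earlier run's additions; re-appended below
        if INCLUDE_RE.match(line):
            out.append("#" + line)  # disable but keep the line for reference
        else:
            out.append(line)
    while out and not out[-1].strip():
        out.pop()  # avoid accumulating blank lines across runs
    out += ["", MARKER, *PULLEDPORK_INCLUDES]
    return "\n".join(out) + "\n"


def active_includes(conf_text: str) -> list:
    """The include lines Snort will actually process (commented ones excluded)."""
    return [ln.strip() for ln in conf_text.splitlines()
            if re.match(r"^\s*include\s+", ln)]


if __name__ == "__main__":
    # Usage: python3 pp_includes.py snort.conf > snort.conf.new   (file name is hypothetical)
    # then validate with `snort -T -c snort.conf.new` before replacing the original.
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    sys.stdout.write(rewrite_includes(src))
```

Writing to a new file and running `snort -T` against it before swapping it in avoids the situation John hit, where pulledpork called snort against a snort.conf that still had errors in it.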

 

From: Joel Esler [mailto:jesler () sourcefire com] 
Sent: Thursday, May 12, 2011 7:57 AM
To: Dheeraj Gupta
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Regarding dynamic (so_rules) rules

There are a couple of blog posts, and snort.org, I could point you to, but the easiest way, really, to get Shared Object 
rules running (which is what you are referring to below as "dynamic", in this context) is to use pulledpork.

Pulledpork will download, compile, and generally take care of everything you need for shared object rules to function.

J

On May 12, 2011, at 5:41 AM, Dheeraj Gupta wrote:

Hi,
I am sorry if this has been answered before, but I really couldn't find an appropriate answer to a host of troubles I 
am having.
I can't seem to trigger dynamic rules for my snort installation.
I configure snort with  ./configure --with-mysql --enable-zlib --enable-decoder-preprocessor-rules

The snort.conf file has all include so_rules/ lines at the end uncommented, so it should be picking up those rules.
I think I am missing something about the dynamic rules

Relevant Sections of snort.conf are
# Path to your rules files (this can be a relative path)
# Note for Windows users:  You are advised to make this an absolute path,
# such as:  c:\snort\rules
var RULE_PATH /home/dheeraj/installs/snort-2.9.0.5/etc/rules
var SO_RULE_PATH /home/dheeraj/installs/snort-2.9.0.5/etc/so_rules
var PREPROC_RULE_PATH /home/dheeraj/installs/snort-2.9.0.5/etc/preproc_rules

# path to dynamic preprocessor libraries
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/

# path to base preprocessor engine
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so

# path to dynamic rules libraries
dynamicdetection directory /usr/local/lib/snort_dynamicrules

I look into my /var/log/messages and see the following (relevant) entries

May 12 14:46:58 redbaronpc snort[20793]: Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... 
May 12 14:46:58 redbaronpc snort[20793]: done 
May 12 14:46:58 redbaronpc snort[20793]: Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules... 
May 12 14:46:58 redbaronpc snort[20793]: Warning: No dynamic libraries found in directory 
/usr/local/lib/snort_dynamicrules! 
May 12 14:46:58 redbaronpc snort[20793]:   Finished Loading all dynamic detection libs from 
/usr/local/lib/snort_dynamicrules 
May 12 14:46:58 redbaronpc snort[20793]: Loading all dynamic preprocessor libs from 
/usr/local/lib/snort_dynamicpreprocessor/... 
May 12 14:46:58 redbaronpc snort[20793]:   Loading dynamic preprocessor library 
/usr/local/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so... 
May 12 14:46:58 redbaronpc snort[20793]: done 
May 12 14:46:58 redbaronpc snort[20793]:   Loading dynamic preprocessor library 
/usr/local/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... 
May 12 14:46:58 redbaronpc snort[20793]: done 
May 12 14:46:58 redbaronpc snort[20793]:   Loading dynamic preprocessor library 
/usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... 
May 12 14:46:58 redbaronpc snort[20793]: done 
May 12 14:46:58 redbaronpc snort[20793]:   Loading dynamic preprocessor library 
/usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... 
May 12 14:46:58 redbaronpc snort[20793]: done 
May 12 14:46:58 redbaronpc snort[20793]:   Loading dynamic preprocessor library 
/usr/local/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... 
May 12 14:46:58 redbaronpc snort[20793]: done 
May 12 14:46:58 redbaronpc snort[20793]:   Loading dynamic preprocessor library 
/usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... 
May 12 14:46:58 redbaronpc snort[20793]: done 
May 12 14:46:58 redbaronpc snort[20793]:   Loading dynamic preprocessor library 
/usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... 
May 12 14:46:58 redbaronpc snort[20793]: done 
May 12 14:46:58 redbaronpc snort[20793]:   Finished Loading all dynamic preprocessor libs from 
/usr/local/lib/snort_dynamicpreprocessor/ 

May 12 14:46:59 redbaronpc snort[20793]: +++++++++++++++++++++++++++++++++++++++++++++++++++ 
May 12 14:46:59 redbaronpc snort[20793]: Initializing rule chains... 
May 12 14:47:00 redbaronpc snort[20793]: 5360 Snort rules read 
May 12 14:47:00 redbaronpc snort[20793]:     5360 detection rules 
May 12 14:47:00 redbaronpc snort[20793]:     0 decoder rules 
May 12 14:47:00 redbaronpc snort[20793]:     0 preprocessor rules 
May 12 14:47:00 redbaronpc snort[20793]: 5360 Option Chains linked into 479 Chain Headers 
May 12 14:47:00 redbaronpc snort[20793]: 0 Dynamic rules 
May 12 14:47:00 redbaronpc snort[20793]: +++++++++++++++++++++++++++++++++++++++++++++++++++ 

May 12 14:47:01 redbaronpc snort[20793]: Encoded Rule Plugin SID: 15210, GID: 3 not registered properly.  Disabling 
this rule.  
(The above message is repeated about 700 times for different SIDs. Could someone also explain why this message comes?)

How do I remove the "No dynamic libraries found in directory /usr/local/lib/snort_dynamicrules!" warning, and get the 
dynamic rules to fire on this installation?



Regards,
Dheeraj
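A triage script for the startup log Dheeraj posted, as an added example that is not from the thread or from the Snort project. It re-joins the syslog entries the mail client wrapped onto two lines, then pulls out the empty dynamicdetection directory, the `0 Dynamic rules` count, any detection libraries that did load, and the `Encoded Rule Plugin SID: ..., GID: 3 not registered properly` entries. The reading it reports, that GID 3 is the group shared-object rules use and that these stubs were parsed from the `so_rules/` includes but disabled because no matching `.so` was loaded from `/usr/local/lib/snort_dynamicrules`, is my interpretation of the log, not something the thread states. The `Loading dynamic detection library` pattern is an assumption about Snort's wording, and the SIDs other than 15210 in the sample are constructed.

```python
"""Triage a Snort startup log for the shared-object (SO) rule symptoms in the thread.

Added example, not code from the thread or from the Snort project. GID 3 is the
group shared-object rules use; that a GID-3 stub with no loaded library is what
produces "not registered properly" is this example's reading of the log.
"""
import re
from collections import Counter

SYSLOG_PREFIX_RE = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\S+\s+snort\[\d+\]:\s?")
NO_LIBS_RE = re.compile(r"Warning: No dynamic libraries found in directory\s*(\S+)!")
DYNAMIC_COUNT_RE = re.compile(r"^(\d+) Dynamic rules")
NOT_REGISTERED_RE = re.compile(
    r"Encoded Rule Plugin SID: (\d+), GID: (\d+) not registered properly")
# Assumed wording of Snort's per-library load message for detection libs.
LOADED_LIB_RE = re.compile(r"Loading dynamic detection library (\S+)\.\.\.")

# Constructed sample: lines from the thread, wrapped the way the mail showed
# them, plus two made-up SIDs (15211, 16500) standing in for the ~700 repeats.
SAMPLE_LOG = """\
May 12 14:46:58 redbaronpc snort[20793]: Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules...
May 12 14:46:58 redbaronpc snort[20793]: Warning: No dynamic libraries found in directory
/usr/local/lib/snort_dynamicrules!
May 12 14:46:58 redbaronpc snort[20793]:   Finished Loading all dynamic detection libs from
/usr/local/lib/snort_dynamicrules
May 12 14:47:00 redbaronpc snort[20793]: 5360 Snort rules read
May 12 14:47:00 redbaronpc snort[20793]: 0 Dynamic rules
May 12 14:47:01 redbaronpc snort[20793]: Encoded Rule Plugin SID: 15210, GID: 3 not registered properly.  Disabling
this rule.
May 12 14:47:01 redbaronpc snort[20793]: Encoded Rule Plugin SID: 15211, GID: 3 not registered properly.  Disabling
this rule.
May 12 14:47:01 redbaronpc snort[20793]: Encoded Rule Plugin SID: 16500, GID: 3 not registered properly.  Disabling
this rule.
"""


def join_wrapped(text: str) -> list:
    """Return the message part of each syslog entry, continuation lines re-joined."""
    entries = []
    for raw in text.splitlines():
        if SYSLOG_PREFIX_RE.match(raw):
            entries.append(SYSLOG_PREFIX_RE.sub("", raw).strip())
        elif entries and raw.strip():
            entries[-1] += " " + raw.strip()  # mail-wrapped tail of the previous entry
    return entries


def triage(text: str) -> dict:
    """Extract the SO-rule indicators from a startup log."""
    empty_dirs, loaded_libs, sids = [], [], []
    disabled_by_gid = Counter()
    dynamic_rules = None
    for entry in join_wrapped(text):
        if m := NO_LIBS_RE.search(entry):
            empty_dirs.append(m.group(1))
        elif m := LOADED_LIB_RE.search(entry):
            loaded_libs.append(m.group(1))
        elif m := DYNAMIC_COUNT_RE.match(entry):
            dynamic_rules = int(m.group(1))
        elif m := NOT_REGISTERED_RE.search(entry):
            sids.append(int(m.group(1)))
            disabled_by_gid[int(m.group(2))] += 1
    return {
        "empty_dirs": empty_dirs,
        "loaded_libs": loaded_libs,
        "dynamic_rules": dynamic_rules,
        "disabled_by_gid": dict(disabled_by_gid),
        "disabled_sids": sids,
        # stub rules were parsed from so_rules/*.rules but no .so backed them
        "so_stubs_without_lib": disabled_by_gid[3] > 0 and not loaded_libs,
    }


def explain(report: dict) -> list:
    """Turn the indicators into plain-language findings."""
    findings = []
    if report["empty_dirs"]:
        findings.append("no .so files in dynamicdetection directory: "
                        + ", ".join(report["empty_dirs"]))
    if report["so_stubs_without_lib"]:
        findings.append(
            f"{report['disabled_by_gid'][3]} GID-3 stub rules were read from the "
            "so_rules includes but disabled because no shared-object library was "
            "loaded; put the precompiled SO rules for this Snort version and "
            "platform in that directory (pulledpork does this) and restart")
    if report["dynamic_rules"] == 0 and report["loaded_libs"]:
        findings.append("libraries loaded but 0 dynamic rules linked: check that "
                        "the so_rules stub files are included in snort.conf")
    return findings or ["no SO-rule problems found"]


if __name__ == "__main__":
    for finding in explain(triage(SAMPLE_LOG)):
        print("-", finding)
```

Run against a real log (for instance `grep 'snort\[' /var/log/messages`) the same three indicators together, empty directory, zero dynamic rules and a burst of GID-3 "not registered properly" lines, point at the libraries rather than at the stub includes; the SO binaries have to match the exact Snort version and platform, which is the part pulledpork automates.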

------------------------------------------------------------------------------
Achieve unprecedented app performance and reliability
What every C/C++ and Fortran developer should know.
Learn how Intel has extended the reach of its next-generation tools
to help boost performance applications - including clusters.
http://p.sf.net/sfu/intel-dev2devmay
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

 
