Snort mailing list archives

Re: Dynamic rules not initialized properly

From: Y M <snort () outlook com>
Date: Mon, 7 Oct 2013 23:07:00 +0300

Not necessarily. Any change to a non-reloadable item requires a restart and not a reload, more info at:
http://manual.snort.org/node24.html

If there were new updates to the Dynamic Rules in the tarball downloaded, then these will be updated accordingly. Such 
an update will require a restart. If no updates were introduced to the Dynamic Rules, then my understanding is that 
PulledPork will skip updating them, hence, no restart is required and a reload should suffice given no other changes to 
other non-reloadable items were made.

If anyone has more info to add/correct to this please do so.

Sent from Phone
________________________________
From: Hanson.Webster () salemfive com<mailto:Hanson.Webster () salemfive com>
Sent: ‎10/‎7/‎2013 10:31 PM
To: snort () outlook com<mailto:snort () outlook com>
Subject: RE: [Snort-users] Dynamic rules not initialized properly

I have a cron job that runs daily to check pulledpork for new rules.  So are you saying I should restart snort 
everytime after running pulledpork?

From: Y M [mailto:snort () outlook com]
Sent: Monday, October 07, 2013 1:53 PM
To: Webster, Hanson
Cc: snort-users
Subject: RE: [Snort-users] Dynamic rules not initialized properly

Hi,

Have you ran a rules update lately? Specifically to the Dynamic Rules? The reason I am asking is because I get this 
error when I jack with the .so rules. For example, I got the same error today on a test box. What I did was when I 
updated the rules (including Dynamic Rules) using PulledPork I forgot to tell PulledPork to process only text rules 
(using -T) with a SIGHUP to reload Snort since it is running already. Dynamic Rules are not reloadable, so I had to 
stop Snort, re-run PulledPork and then start Snort again and the messages disappeared (ahem, need to double check)

I am not sure if this is the same scenario you are facing but hope it helps.
________________________________
From: Hanson.Webster () salemfive com<mailto:Hanson.Webster () salemfive com>
To: snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>
Date: Mon, 7 Oct 2013 12:54:15 -0400
Subject: [Snort-users] Dynamic rules not initialized properly
When I view /var/log/messages, the following two errors are constantly getting written to the log, and the system stops 
logging to our syslog collector

Dynamic Rule [3:8351] was not initialized properly.
Dynamic Rule [3:16533] was not initialized properly.

If I restart snort, the errors go away, but it happens again the next day.  How can I fix this?

________________________________
Hanson M. Webster | Network and Security Analyst | Salem Five Bank | 210 Essex Street, Salem MA 01970 | Tel: 978.720. 
5230 | Fax: 978.498.0230 | www.salemfive.com<http://www.salemfive.com/>

This information may be confidential and/or privileged.  Use of this information by anyone other than the intended 
recipient is prohibited.  If you receive this message in error, please inform the sender and remove any record of this 
message.


------------------------------------------------------------------------------ October Webinars: Code for Performance 
Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, 
and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register > 
http://pubads.g.doubleclick.net/gampad/clk?id=60134791&iu=/4140/ostg.clktrk
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge 
net<mailto:Snort-users () lists sourceforge net> Go to this URL to change user options or unsubscribe: 
https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: 
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current 
on all the latest Snort news!

------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

Dynamic rules not initialized properly Hanson.Webster (Oct 07)
- Re: Dynamic rules not initialized properly Y M (Oct 07)
- <Possible follow-ups>
- Re: Dynamic rules not initialized properly Y M (Oct 07)