Snort mailing list archives
Re: Upgrade to 2.9.7.0 results in Pulledpork not generating stub rules
From: Y M <snort () outlook com>
Date: Wed, 12 Nov 2014 00:23:06 +0300
Hmm.. The second command will only generate the stub rules (.rules) for the .so rules, but not the .so files themselves. The way PulledPork knows which ones to copy, as far as I understand, is by reading the version from the Snort binary itself, or from the version explicitly specified in pulledpork.conf. Either way, I think the distro also plays a role in it. For example, under so_rules/precompiled/ there was no directory for Ubuntu 14-04 last time I checked, so if the distro is not specified properly PulledPork "may not" be able to copy them. I can verify tomorrow.

YM

Sent from Mobile

________________________________
From: James Lay <jlay () slave-tothe-box net>
Sent: 11/12/2014 12:07 AM
To: Y M <snort () outlook com>
Cc: snort-users <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] Upgrade to 2.9.7.0 results in Pulledpork not generating stub rules

On 2014-11-11 13:52, Y M wrote:

> To: snort () outlook com
> Subject: RE: [Snort-users] Upgrade to 2.9.7.0 results in Pulledpork not generating stub rules
> Date: Tue, 11 Nov 2014 13:46:41 -0700
> From: jlay () slave-tothe-box net
> CC: snort-users () lists sourceforge net
>
> On 2014-11-11 13:43, Y M wrote:
>
>> To: snort-users () lists sourceforge net
>> Date: Tue, 11 Nov 2014 13:37:26 -0700
>> From: jlay () slave-tothe-box net
>> Subject: Re: [Snort-users] Upgrade to 2.9.7.0 results in Pulledpork not generating stub rules
>>
>> On 2014-11-11 13:33, Joel Esler (jesler) wrote:
>>
>>> Looks like you are trying to use 2962 rules with 2970 or something.
>>>
>>> --
>>> JOEL ESLER
>>> Sent from my iPhone
>>>
>>> On Nov 11, 2014, at 3:12 PM, James Lay <jlay () slave-tothe-box net> wrote:
>>>
>>>> Topic says it:
>>>>
>>>>   Generating Stub Rules....
>>>>   An error occurred: WARNING: No dynamic libraries found in directory /usr/local/lib/snort_dynamicrules.
>>>>
>>>> Indeed, after clearing out snort_dynamicrules after:
>>>>
>>>>   An error occurred: ERROR: The dynamic detection library "/usr/local/lib/snort_dynamicrules/web-activex.so" version 1.0 compiled with dynamic engine library version 2.1 isn't compatible with the current dynamic engine library "/usr/local/lib/snort_dynamicengine/libsf_engine.so" version 2.4.
>>>>
>>>> I'm using the VRT ruleset...has something changed since 2.9.6.2? Thank you.
>>>>
>>>> James
>>
>> Maybe I need to blow out the rules....my pp run shows:
>>
>>   Checking latest MD5 for snortrules-snapshot-2970.tar.gz....
>>   Rules tarball download of snortrules-snapshot-2970.tar.gz....
>>
>> So not sure at this point...I'll try nuking the rules..thanks for looking Joel.
>>
>> James
>
> Try manually deleting the old .so rules and then copy the new ones. That's what I did on the dev box and it was a smooth upgrade.
>
> YM
>
> Thanks YM..can you refresh my memory on how to create the so rules manually? Been using PP too long I guess :) Thanks again.
>
> James
>
> They should be included in the rules tarball itself:
>
>   cp so_rules/precompiled/<distro>/<archi>/2.9.7.0/* /snort/path/lib/snort_dynamicrules/
>
> or if you want to just generate the stub files:
>
>   /usr/local/bin/snort -c /usr/local/etc/snort.conf --dump-dynamic-rules=/tmp
>
> YM

Thanks YM...I had to copy them since it didn't look like generating them actually created the .so files, just the precompiled ones:

  Running in Rule Dump mode

          --== Initializing Snort ==--
  Initializing Output Plugins!
  Initializing Preprocessors!
  Initializing Plug-ins!
  Parsing Rules file "external.conf"
  PortVar 'HTTP_PORTS' defined :  [ 80 8080 ]
  PortVar 'SHELLCODE_PORTS' defined :  [ 0:24 26:79 81:65535 ]
  PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
  PortVar 'SSH_PORTS' defined :  [ 22 ]
  PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
  PortVar 'SIP_PORTS' defined :  [ 5060:5061 5600 ]
  PortVar 'FILE_DATA_PORTS' defined :  [ 25 80 8080 ]
  PortVar 'GTP_PORTS' defined :  [ 2123 2152 3386 ]
  Detection:
     Search-Method = AC-Full-Q
      Split Any/Any group = enabled
      Search-Method-Optimizations = enabled
      Maximum pattern length = 20
  Tagged Packet Limit: 256
  Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
  Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules...
  WARNING: No dynamic libraries found in directory /usr/local/lib/snort_dynamicrules.
    Finished Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules
  Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
    Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so... done

I think I'm missing a step, but I'm gonna roll with it...I don't think my pp is correctly creating the .so rules. :(

James
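The manual procedure YM describes in this thread (copy the precompiled .so rules that match the installed Snort build into snort_dynamicrules, then run --dump-dynamic-rules to regenerate the stubs), written out as an added shell example. This is not code from the thread, from Snort or from PulledPork. It assumes an unpacked rules tarball with the so_rules/precompiled/<distro>/<arch>/<version>/ layout from YM's cp command; the distro and arch names, the `snort -V` banner text, the install paths and the helper names are assumptions. It also checks the two failure modes the thread runs into: no precompiled directory for the given distro/version, and stale .so files from a previous Snort build left in snort_dynamicrules.

```sh
#!/bin/sh
# Added example (not from the thread, Snort or PulledPork): install the
# precompiled shared-object rules that match the running Snort build, then
# regenerate the stub .rules files. Paths and directory names are assumptions.

# Pull the version out of `snort -V` banner text, e.g. a line such as
#   o"  )~   Version 2.9.7.0 GRE (Build 149)
# yields 2.9.7.0. Prints nothing when no "Version x.y.z" is present.
snort_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Map distro/arch/version to the tarball directory that holds the matching
# precompiled .so files. Fails, listing what the tarball does provide, when
# there is no directory for this combination (YM's "no Ubuntu 14-04
# directory" case): copying from a different version dir is what produces
# the "compiled with dynamic engine library version 2.1" error.
find_so_rules_dir() {
    rules_dir=$1
    distro=$2
    arch=$3
    version=$4
    candidate="$rules_dir/so_rules/precompiled/$distro/$arch/$version"
    if [ -d "$candidate" ]; then
        printf '%s\n' "$candidate"
        return 0
    fi
    echo "no precompiled so_rules for $distro/$arch/$version; available:" >&2
    ls -d "$rules_dir"/so_rules/precompiled/*/*/* >&2 2>/dev/null
    return 1
}

# Replace the contents of snort_dynamicrules with the matching .so files.
# Old libraries are removed first so that nothing built against the previous
# engine is left behind. Prints the number of files installed.
install_so_rules() {
    src=$1
    dest=$2
    mkdir -p "$dest"
    rm -f "$dest"/*.so
    count=0
    for f in "$src"/*.so; do
        [ -f "$f" ] || continue
        cp "$f" "$dest/"
        count=$((count + 1))
    done
    echo "$count"
}

# Regenerate the stub .rules files from the installed .so files. This is the
# --dump-dynamic-rules step YM quotes; it reads the .so files and does not
# create them, which is why install_so_rules has to run first.
dump_stub_rules() {
    snort_conf=$1
    stub_dir=$2
    mkdir -p "$stub_dir"
    snort -c "$snort_conf" --dump-dynamic-rules="$stub_dir"
}

# Real run (assumed paths): sh install_so_rules.sh /tmp/rules Ubuntu-12-4 x86-64
if [ "$#" -eq 3 ] && command -v snort >/dev/null 2>&1; then
    ver=$(snort_version_from_banner "$(snort -V 2>&1)")
    [ -n "$ver" ] || { echo "could not read Snort version from snort -V" >&2; exit 1; }
    src=$(find_so_rules_dir "$1" "$2" "$3" "$ver") || exit 1
    n=$(install_so_rules "$src" /usr/local/lib/snort_dynamicrules)
    echo "installed $n .so rules for Snort $ver from $src"
    dump_stub_rules /usr/local/etc/snort.conf /usr/local/etc/snort/so_rules
fi
```

The distro and Snort version are the same two inputs YM says PulledPork uses to pick the directory, so if this script reports "no precompiled so_rules for ..." for your distro, PulledPork will have nothing to copy either and the stub dump will end with the "No dynamic libraries found" warning from James's output.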
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Re: Upgrade to 2.9.7.0 results in Pulledpork not generating stub rules Y M (Nov 11)
- Re: Upgrade to 2.9.7.0 results in Pulledpork not generating stub rules James Lay (Nov 11)
- <Possible follow-ups>
- Re: Upgrade to 2.9.7.0 results in Pulledpork not generating stub rules Y M (Nov 11)
- Re: Upgrade to 2.9.7.0 results in Pulledpork not generating stub rules James Lay (Nov 11)