Snort mailing list archives

Re: Upgrade to 2.9.7.0 results in Pulledpork not generating stub rules


From: James Lay <jlay () slave-tothe-box net>
Date: Tue, 11 Nov 2014 14:07:42 -0700

On 2014-11-11 13:52, Y M wrote:
To: snort () outlook com
Subject: RE: [Snort-users] Upgrade to 2.9.7.0 results in Pulledpork
not generating stub rules
Date: Tue, 11 Nov 2014 13:46:41 -0700
From: jlay () slave-tothe-box net
CC: snort-users () lists sourceforge net

On 2014-11-11 13:43, Y M wrote:
To: snort-users () lists sourceforge net
Date: Tue, 11 Nov 2014 13:37:26 -0700
From: jlay () slave-tothe-box net
Subject: Re: [Snort-users] Upgrade to 2.9.7.0 results in
Pulledpork
not generating stub rules

On 2014-11-11 13:33, Joel Esler (jesler) wrote:
Looks like you are trying to use 2962 rules with 2970 or something.

--
JOEL ESLER Sent from my iPhone

On Nov 11, 2014, at 3:12 PM, James Lay <jlay () slave-tothe-box net> wrote:

Topic says it:

Generating Stub Rules....
An error occurred: WARNING: No dynamic libraries found in
directory /usr/local/lib/snort_dynamicrules.

Indeed after clearing out snort_dynamicrules after:

An error occurred: ERROR: The dynamic detection library
"/usr/local/lib/snort_dynamicrules/web-activex.so" version 1.0 compiled
with dynamic engine library version 2.1 isn't compatible with the
current dynamic engine library
"/usr/local/lib/snort_dynamicengine/libsf_engine.so" version 2.4.

I'm using VRT ruleset...has something changed since 2.9.6.2? Thank you.

James


Maybe I need to blow out the rules....my pp run shows:

Checking latest MD5 for snortrules-snapshot-2970.tar.gz....
Rules tarball download of snortrules-snapshot-2970.tar.gz....

So not sure at this point...I'll try nuking the rules..thanks for looking Joel.

James

Try manually deleting the old .so rules and then copy the new ones.
That's what I did on the dev box and it was a smooth upgrade.

YM

Thanks YM..can you refresh my memory on how to create the so rules
manually? Been using PP too long I guess :) Thanks again.

James

They should be included in the rules tarball itself:

cp so_rules/precompiled/<distro>/<archi>/2.9.7.0/* /snort/path/lib/snort_dynamicrules/

or if you want to just generate the stub files:

/usr/local/bin/snort -c /usr/local/etc/snort.conf --dump-dynamic-rules=/tmp

YM

Thanks YM...I had to copy them since it didn't look like generating them
actually created so, just precomp:

Running in Rule Dump mode

         --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "external.conf"
PortVar 'HTTP_PORTS' defined :  [ 80 8080 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:24 26:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
PortVar 'SSH_PORTS' defined :  [ 22 ]
PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
PortVar 'SIP_PORTS' defined :  [ 5060:5061 5600 ]
PortVar 'FILE_DATA_PORTS' defined :  [ 25 80 8080 ]
PortVar 'GTP_PORTS' defined :  [ 2123 2152 3386 ]
Detection:
    Search-Method = AC-Full-Q
     Split Any/Any group = enabled
     Search-Method-Optimizations = enabled
     Maximum pattern length = 20
Tagged Packet Limit: 256
Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so... done
Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules...
WARNING: No dynamic libraries found in directory /usr/local/lib/snort_dynamicrules.
   Finished Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules
Loading all dynamic preprocessor libs from /usr/local/lib/snort_dynamicpreprocessor/...
   Loading dynamic preprocessor library /usr/local/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so... done

I think I'm missing a step, but I'm gonna roll with it...I don't think
my pp is correctly creating the so rules. :(

James
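Putting YM's two steps together, as an added example that is not from the thread or from PulledPork: a small POSIX shell routine that empties snort_dynamicrules, copies in the precompiled .so files for the target Snort version, and only then runs the stub dump, because an empty directory is exactly what produces the "No dynamic libraries found" warning above and stale 2.9.6.2 objects produce the engine-version error. The extracted-tarball path and the distro/arch directory names are assumptions; adjust them to your layout.

```shell
#!/bin/sh
# Added example (not from the thread). Refresh the shared-object rules for a
# Snort upgrade, then generate stub rules. Assumed layout: the VRT tarball was
# extracted under the first argument; distro/arch names follow the tarball tree.
set -e

# Count *.so files in a directory (0 when empty or missing).
# --dump-dynamic-rules has nothing to stub when this is 0.
count_so() {
    dir=$1
    [ -d "$dir" ] || { echo 0; return; }
    find "$dir" -maxdepth 1 -name '*.so' | wc -l | tr -d ' '
}

# Replace the old precompiled .so files with the ones built for the target
# Snort version. Objects left over from the previous release are what trigger
# the "isn't compatible with the current dynamic engine library" error, so the
# destination is emptied first rather than merged.
refresh_so_rules() {
    src=$1/so_rules/precompiled/$2/$3/$4   # rules_src distro arch version
    dst=$5
    [ -d "$src" ] || { echo "no precompiled rules at $src" >&2; return 1; }
    mkdir -p "$dst"
    find "$dst" -maxdepth 1 -name '*.so' -exec rm -f {} +
    cp "$src"/*.so "$dst"/
    n=$(count_so "$dst")
    [ "$n" -gt 0 ] || { echo "no .so files copied into $dst" >&2; return 1; }
    echo "$n"
}

# Generate stubs only after the .so directory is populated; otherwise Snort
# prints the WARNING seen in the thread and writes no stub rules.
dump_stubs() {
    conf=$1; dynrules=$2; out=$3
    [ "$(count_so "$dynrules")" -gt 0 ] || {
        echo "$dynrules has no .so files; copy the precompiled rules first" >&2
        return 1
    }
    mkdir -p "$out"
    snort -c "$conf" --dump-dynamic-rules="$out"
}

# Example invocation (paths and <distro>/<archi> are placeholders for your box):
# refresh_so_rules /tmp/vrt <distro> <archi> 2.9.7.0 /usr/local/lib/snort_dynamicrules
# dump_stubs /usr/local/etc/snort.conf /usr/local/lib/snort_dynamicrules /usr/local/etc/snort/so_rules
```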
