From: C. L. Martinez (carlopmart@gmail.com)
Date: Fri May 10 2013 - 01:46:14 CDT
On Thu, May 9, 2013 at 4:55 PM, JJ Cummings <cummingsj@gmail.com> wrote:
> In your pp conf try specifying 2.9.4.5 as your snort_version
>
> Sent from the iRoad
>
> On May 9, 2013, at 7:33, "Seth Dunn" <seth@d2ms.com> wrote:
>
I have tried, and pp puts so_rules in the correct path, but it doesn't
process them. Executing the snort command manually:
root@plzfnsm01:~# snort -c /data/config/etc/idpsnort01/snort.conf --dump-dynamic-rules=/tmp/h
Running in Rule Dump mode
--== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/data/config/etc/idpsnort01/snort.conf"
PortVar 'HTTP_PORTS' defined : [ 80:89 311 383 591 593 631 901 1090
1220 1414 1741 1830 2301 2381 2809 3037 3128 3200 3210 3300 3310 3333
3600 3610 3702 4343 4848 5250 6988 7000:7001 7144:7145 7510 7777 7779
8000 8008 8014 8028 8080 8085 8088 8090 8100 8118 8123 8180:8181 8222
8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091 9443 9999 11371
34443:34444 41080 50000:50010 51000:51010 55555 ]
PortVar 'SHELLCODE_PORTS' defined : [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined : [ 1024:65535 ]
PortVar 'SSH_PORTS' defined : [ 22 ]
PortVar 'FTP_PORTS' defined : [ 21 2100 3535 ]
PortVar 'SIP_PORTS' defined : [ 5060:5061 5600 ]
PortVar 'FILE_DATA_PORTS' defined : [ 80:89 110 143 311 383 591 593
631 901 1090 1220 1414 1741 1830 2301 2381 2809 3037 3128 3200 3210
3300 3310 3333 3600 3610 3702 4343 4848 5250 6988 7000:7001 7144:7145
7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8100 8118 8123
8180:8181 8222 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090:9091
9443 9999 11371 34443:34444 41080 50000:50010 51000:51010 55555 ]
PortVar 'GTP_PORTS' defined : [ 2123 2152 3386 ]
Detection:
Search-Method = AC-Full-Q
Split Any/Any group = enabled
Search-Method-Optimizations = enabled
Maximum pattern length = 20
ERROR: /data/config/etc/idpsnort01/rules/VRT-botnet-cnc.rules(0)
Unable to open rules file
"/data/config/etc/idpsnort01/rules/VRT-botnet-cnc.rules": No such file
or directory.
And it is correct: VRT-botnet-cnc.rules doesn't exist:
root@nsm01:~# ls -la /data/config/etc/idpsnort01/rules/VRT-botnet-cnc.rules
ls: /data/config/etc/idpsnort01/rules/VRT-botnet-cnc.rules: No such
file or directory
root@nsm01:~# ls /data/config/etc/idpsnort01/rules/
VRT-app-detect.rules VRT-exploit-kit.rules
VRT-indicator-shellcode.rules VRT-policy-other.rules
VRT-pua-other.rules VRT-server-oracle.rules
VRT-blacklist.rules VRT-exploit.rules
VRT-malware-backdoor.rules VRT-policy-social.rules
VRT-pua-p2p.rules VRT-server-other.rules
VRT-browser-chrome.rules VRT-file-executable.rules
VRT-malware-cnc.rules VRT-policy-spam.rules
VRT-pua-toolbars.rules VRT-server-webapp.rules
VRT-browser-firefox.rules VRT-file-flash.rules
VRT-malware-other.rules VRT-preprocessor.rules
VRT-rpc.rules VRT-snmp.rules
VRT-browser-ie.rules VRT-file-identify.rules
VRT-malware-tools.rules VRT-protocol-finger.rules
VRT-scada.rules VRT-specific-threats.rules
VRT-browser-other.rules VRT-file-image.rules
VRT-netbios.rules VRT-protocol-ftp.rules
VRT-scan.rules VRT-sql.rules
VRT-browser-plugins.rules VRT-file-multimedia.rules
VRT-nntp.rules VRT-protocol-icmp.rules
VRT-sensitive-data.rules VRT-telnet.rules
VRT-browser-webkit.rules VRT-file-office.rules
VRT-os-linux.rules VRT-protocol-imap.rules
VRT-server-apache.rules VRT-tftp.rules
VRT-content-replace.rules VRT-file-other.rules
VRT-os-other.rules VRT-protocol-pop.rules
VRT-server-iis.rules VRT-web-client.rules
VRT-decoder.rules VRT-file-pdf.rules
VRT-os-solaris.rules VRT-protocol-services.rules
VRT-server-mail.rules VRT-x11.rules
VRT-dns.rules VRT-indicator-compromise.rules
VRT-os-windows.rules VRT-protocol-voip.rules
VRT-server-mssql.rules
VRT-dos.rules VRT-indicator-obfuscation.rules
VRT-policy-multimedia.rules VRT-pua-adware.rules
VRT-server-mysql.rules
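The failure above is worth isolating before blaming the SO rules: snort aborts --dump-dynamic-rules as soon as an `include` in snort.conf points at a file that is not there, so no SO stubs get written and the symptom looks like a PulledPork problem. The following is an added example, not code from the thread, from Snort or from PulledPork: a small Python check that walks a snort.conf, expands `var` references such as `$RULE_PATH`, and reports every included rules file that does not exist, so the stale include can be found before snort is restarted. The sample config and the set of "present" files are constructed to mirror the paths in the thread (only VRT-botnet-cnc.rules is missing); it only understands plain `var` and `include` lines, not `ipvar`/`portvar` or the `dynamic*` directives, and resolves relative include paths against the config file's directory as snort does.

```python
"""Report the rules files a snort.conf includes that do not exist on disk.

Added example (not Snort/PulledPork code). Handles 'var NAME value' and
'include PATH' lines only; $NAME and ${NAME} references are expanded from
the vars seen earlier in the file.
"""
import os
import re

VAR_RE = re.compile(r'^\s*var\s+(\w+)\s+(\S+)')       # var RULE_PATH ../rules
INCLUDE_RE = re.compile(r'^\s*include\s+(\S+)')        # include $RULE_PATH/x.rules
REF_RE = re.compile(r'\$(\w+)|\$\{(\w+)\}')            # $NAME or ${NAME}


def expand(value, variables):
    """Substitute $NAME / ${NAME} with the values defined so far; unknown
    names are left untouched so they show up verbatim in the report."""
    def sub(m):
        name = m.group(1) or m.group(2)
        return variables.get(name, m.group(0))
    return REF_RE.sub(sub, value)


def parse_includes(conf_text, conf_dir="."):
    """Return every include path in conf_text with variables expanded.

    Relative paths are resolved against conf_dir (the directory holding
    snort.conf), and '..' segments are normalised.
    """
    variables = {}
    includes = []
    for raw in conf_text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        m = VAR_RE.match(line)
        if m:
            variables[m.group(1)] = expand(m.group(2), variables)
            continue
        m = INCLUDE_RE.match(line)
        if m:
            path = expand(m.group(1), variables)
            if not os.path.isabs(path):
                path = os.path.join(conf_dir, path)
            includes.append(os.path.normpath(path))
    return includes


def missing_includes(conf_text, conf_dir=".", exists=os.path.isfile):
    """Return the included files that 'exists' says are absent.

    'exists' defaults to the real filesystem; it is injectable so the check
    can be run against a recorded listing from another sensor.
    """
    return [p for p in parse_includes(conf_text, conf_dir) if not exists(p)]


# Constructed sample snort.conf, modelled on the paths in the thread.
SAMPLE_CONF = """\
var RULE_PATH /data/config/etc/idpsnort01/rules
var SO_RULE_PATH $RULE_PATH/../so_rules
include $RULE_PATH/VRT-malware-cnc.rules
include $RULE_PATH/VRT-botnet-cnc.rules   # stale: file was renamed upstream
include $SO_RULE_PATH/browser-ie.rules
include local.rules
"""

# Constructed stand-in for the sensor's filesystem: the files that exist.
PRESENT = {
    "/data/config/etc/idpsnort01/rules/VRT-malware-cnc.rules",
    "/data/config/etc/idpsnort01/so_rules/browser-ie.rules",
    "/data/config/etc/idpsnort01/local.rules",
}

if __name__ == "__main__":
    for path in missing_includes(SAMPLE_CONF, "/data/config/etc/idpsnort01",
                                 PRESENT.__contains__):
        print("missing include:", path)
```

Run against a live sensor, pass the real snort.conf text and its directory and leave `exists` at its default so the real filesystem is consulted; an empty result means snort will at least get past the include stage in rule-dump mode.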
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!