ERROR: can't set --dump-dynamic-rules /tmp/tha_rules/so_rules/ and no rules are being imported. #359
Comments
Running into this issue as well. Also noticing that Noah (the dude who wrote the installation guide for Ubuntu) experienced this problem as well: https://seclists.org/snort/2021/q1/36 Has there been any progress on this?

A look at the latest 3.x tarball, and I do see that there are now precompiled shared object rules being distributed. I am not sure the dumping of the stub rules is necessary in 3.x, since the rules are provided, but the distro types are completely different. I had a note in the code to handle some differences, but it looks like the list will have to be different.
I have also encountered this issue. There is a large difference between how Snort2 and Snort3 handle and package SO rules. I will try to document my findings here.

Packaging

Under Snort2, SO rules were in a path like

Under Snort3, SO rules are in a path like

Extraction of stubs

In snort2, the config file had a directive like

which told snort where dynamic rules could be found. So PP extracted the so files directly to this location (via

Under snort3, the said configuration option is no longer there. We do have a new

The command would change to

and we will need to collect the output under a new file in

My Perl is not strong enough to generate a PR for this complicated case.
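The comment above describes the change in how stub rules are dumped between the two majors without giving the exact command lines. The script below is an added example, not pulledpork's own code and not part of this thread: it detects the Snort major version from `snort -V` banner text and builds the matching stub-dump command line. The option names it uses (`--dynamic-detection-lib-dir` and `--dump-dynamic-rules=<dir>` for Snort 2, `--plugin-path` and a bare `--dump-dynamic-rules` for Snort 3) are assumptions drawn from each major's `snort --help`, and the banner strings are constructed stand-ins for real output; confirm both against your own build before using it.

```shell
#!/bin/sh
# Added example (not pulledpork's own code). Shows why the Snort 2 style
# invocation in the issue title fails on Snort 3: the two majors take
# different options for dumping SO-rule stubs, so the command line and the
# place its output lands must be chosen per major version.
# ASSUMPTION: option names below come from `snort --help` of each major as
# remembered by the author of this example; verify against your own build.

# Extract the major version from `snort -V` output passed as $1.
# The banner contains "Version X.Y.Z", not necessarily at the start of a line.
snort_major() {
    printf '%s\n' "$1" | sed -n 's/.*Version \([0-9][0-9]*\)\.[0-9].*/\1/p' | head -n 1
}

# Build the stub-dump command line for a major version ($1), the directory
# holding the .so files ($2) and the destination for the stub rules ($3).
# Snort 2: --dump-dynamic-rules takes a directory and writes one stub file
#          per shared object into it.
# Snort 3: --dump-dynamic-rules takes no argument and writes every stub to
#          stdout, so the stubs are collected into a single rules file.
dump_stub_cmd() {
    major=$1; so_dir=$2; dest=$3
    case $major in
        2) printf 'snort --dynamic-detection-lib-dir=%s --dump-dynamic-rules=%s\n' "$so_dir" "$dest" ;;
        3) printf 'snort --plugin-path %s --dump-dynamic-rules > %s\n' "$so_dir" "$dest" ;;
        *) printf 'unsupported snort major: %s\n' "$major" >&2; return 1 ;;
    esac
}

# Constructed banner fragments standing in for real `snort -V` output.
SNORT2_BANNER='   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.17 GRE (Build 199)'
SNORT3_BANNER='   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.1.4.0'

# Demo: print the command that would be run for each major.
for banner in "$SNORT2_BANNER" "$SNORT3_BANNER"; do
    major=$(snort_major "$banner")
    dump_stub_cmd "$major" /tmp/tha_rules/so_rules /usr/local/etc/rules/so_rules.rules
done
```

The script only prints the command lines; pipe the Snort 3 form through `sh` (or run it from a wrapper) once you have checked that your `snort` binary accepts those options, and note that on Snort 3 the destination is a file, not a directory, which is the root of the "can't set --dump-dynamic-rules /tmp/tha_rules/so_rules/" error when a Snort 2 style directory argument is passed.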
I have created a new repo for snort3 called "pulledpork3". There is some initial code that has been written by someone in the community that will be a good starting point for getting snort3 signature updates working for everyone. Any snort3 issues will be tracked here and only closed when resolved with pulledpork3.

@shirkdog I have created PR #363 which modifies pulledpork script so that it can be used to dump dynamic rules in both Snort2 and Snort3. I have tested it and it appears to work. Users must set distro to appropriate values. E.g. for Snort2 if
I think this can now be closed as #363 has merged. There may be a need to update documentation regarding distros for Snort3 being different from Snort2. |
I downloaded pulledpork.pl today (July 24, 2021) and had to modify the code to properly handle SO_rules for Snort3 (my flavor is ubuntu). I removed the "(" and ")" around $Distro and $arch on line 333 (else). And I also changed pulledpork.conf with distro=ubuntu.

@seanjowen I tried it on my system with and without the parentheses (

@redbaron4, my apologies. I retested and the code is fine. The solution was actually simply changing the distro to "ubuntu" rather than "Ubuntu-18-4" in the pulledpork.conf. In my troubleshooting the code, I believe I was distracted by one of my children and had inadvertently changed both the code and the distro config in the same step, leading me to incorrectly conclude it was the code. I had the proper spot in the code that was causing the error, but I had identified the wrong solution. Thanks for building this script and maintaining it!
@seanjowen Thanks for clearing it up! And thanks goes to @shirkdog who is the author/maintainer. |
Hello,

I tried to install your application according to the snort 3 Installation guide for Ubuntu (page 9 - 11).

When I try to execute the last command on page 10 (
sudo /usr/local/bin/pulledpork.pl -c /usr/local/etc/pulledpork/pulledpork.conf -l -P -E -H SIGHUP
), I get an error and no rules are being imported.

I guess this is the interesting part, but you can find the whole output and the configuration below:

Verbose Output (-vvv) of the mentioned command

/usr/local/etc/pulledpork/pulledpork.conf

Thanks in Advance