search

shirkdog / pulledpork3

Pulled Pork for Snort3 rule management
GNU General Public License v2.0
18 stars 12 forks source link

Lightspeed so rules broken after update #35

Closed DigiAngel closed 3 years ago

DigiAngel commented 3 years ago

Lint line:

sudo /opt/snort/bin/snort --daq-dir=/opt/snort/libdaq/lib/daq --plugin-path=/opt/snort/etc/rules/so_rules -c /opt/snort/etc/snort.lua -T

pulledpork.conf:

community_ruleset = false
registered_ruleset = false
LightSPD_ruleset = true
oinkcode = redacted
snort_blocklist = false
et_blocklist = false
#blocklist_path = /opt/snort/etc/rules/lists/default.blocklist
ips_policy = balanced
rule_mode = simple
rule_path = /opt/snort/etc/rules/snort-pulledpork.rules
ignored_files = includes.rules, snort3-deleted.rules
include_disabled_rules = false
sorule_path = /opt/snort/etc/rules/so_rules/
distro = ubuntu-x64
snort_path = /opt/snort/bin/snort
CONFIGURATION_NUMBER = 3.0.0-BETA

ips entry in snort.lua:

ips =
{
    rules = [[
        include /opt/snort/etc/rules/snort-pulledpork.rules
    ]],

    variables = default_variables
}

/opt/snort/etc/rules/so_rules dir:

-rw-r--r-- 1 root root  21712 Aug  5 15:19 browser-chrome.so
-rw-r--r-- 1 root root  17664 Aug  5 15:19 browser-ie.so
-rw-r--r-- 1 root root  59000 Aug  5 15:19 browser-other.so
-rw-r--r-- 1 root root  26288 Aug  5 15:19 browser-webkit.so
-rw-r--r-- 1 root root  12200 Aug  5 15:19 exploit-kit.so
-rw-r--r-- 1 root root  22416 Aug  5 15:19 file-executable.so
-rw-r--r-- 1 root root   8416 Aug  5 15:19 file-flash.so
-rw-r--r-- 1 root root 228896 Aug  5 15:19 file-image.so
-rw-r--r-- 1 root root   8088 Aug  5 15:19 file-java.so
-rw-r--r-- 1 root root  99304 Aug  5 15:19 file-multimedia.so
-rw-r--r-- 1 root root 133792 Aug  5 15:19 file-office.so
-rw-r--r-- 1 root root 411464 Aug  5 15:19 file-other.so
-rw-r--r-- 1 root root 149448 Aug  5 15:19 file-pdf.so
-rw-r--r-- 1 root root  18520 Aug  5 15:19 indicator-shellcode.so
-rw-r--r-- 1 root root  28440 Aug  5 15:19 malware-cnc.so
-rw-r--r-- 1 root root  12208 Aug  5 15:19 malware-other.so
-rw-r--r-- 1 root root  28424 Aug  5 15:19 netbios.so
-rw-r--r-- 1 root root  13128 Aug  5 15:19 os-linux.so
-rw-r--r-- 1 root root  64320 Aug  5 15:19 os-other.so
-rw-r--r-- 1 root root  54880 Aug  5 15:19 os-windows.so
-rw-r--r-- 1 root root 144328 Aug  5 15:19 policy-other.so
-rw-r--r-- 1 root root   8528 Aug  5 15:19 policy-social.so
-rw-r--r-- 1 root root  39256 Aug  5 15:19 protocol-dns.so
-rw-r--r-- 1 root root  31216 Aug  5 15:19 protocol-other.so
-rw-r--r-- 1 root root  54792 Aug  5 15:19 protocol-scada.so
-rw-r--r-- 1 root root  37224 Aug  5 15:19 protocol-snmp.so
-rw-r--r-- 1 root root  17256 Aug  5 15:19 protocol-tftp.so
-rw-r--r-- 1 root root  49856 Aug  5 15:19 protocol-voip.so
-rw-r--r-- 1 root root   8560 Aug  5 15:19 server-iis.so
-rw-r--r-- 1 root root  14288 Aug  5 15:19 server-mail.so
-rw-r--r-- 1 root root   8000 Aug  5 15:19 server-mysql.so
-rw-r--r-- 1 root root  13176 Aug  5 15:19 server-oracle.so
-rw-r--r-- 1 root root 268072 Aug  5 15:19 server-other.so
-rw-r--r-- 1 root root 883096 Aug  5 15:19 server-webapp.so

errors:

Loading /opt/snort/etc/rules/snort-pulledpork.rules:
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:19 SO rule 38758 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:20 SO rule 28487 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:21 SO rule 28488 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:22 SO rule 35721 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:23 SO rule 35722 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:24 SO rule 36218 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:25 SO rule 36219 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:26 SO rule 36220 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:27 SO rule 36221 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:28 SO rule 51369 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:29 SO rule 53257 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:30 SO rule 53258 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:31 SO rule 53686 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:32 SO rule 38671 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:33 SO rule 38672 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:34 SO rule 48691 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:35 SO rule 48692 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:36 SO rule 49912 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:37 SO rule 56059 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:38 SO rule 56060 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:39 SO rule 30282 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:40 SO rule 30283 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:41 SO rule 31398 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:42 SO rule 31451 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:43 SO rule 39379 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:44 SO rule 30902 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:45 SO rule 30903 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:46 SO rule 30912 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:47 SO rule 30913 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:48 SO rule 30921 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:49 SO rule 30922 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:50 SO rule 30942 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:51 SO rule 30943 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:52 SO rule 35727 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:53 SO rule 35728 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:54 SO rule 40299 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:55 SO rule 40300 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:56 SO rule 40767 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:57 SO rule 40768 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:58 SO rule 40769 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:59 SO rule 40770 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:60 SO rule 45524 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:61 SO rule 45525 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:62 SO rule 46003 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:63 SO rule 46004 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:64 SO rule 46005 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:65 SO rule 46006 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:66 SO rule 46007 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:67 SO rule 46008 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:68 SO rule 46009 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:69 SO rule 46010 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:70 SO rule 46011 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:71 SO rule 46012 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:72 SO rule 46013 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:73 SO rule 46014 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:74 SO rule 46015 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:75 SO rule 46016 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:76 SO rule 46017 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:77 SO rule 46018 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:78 SO rule 46019 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:79 SO rule 46020 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:80 SO rule 46021 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:81 SO rule 46022 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:82 SO rule 47363 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:83 SO rule 47364 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:84 SO rule 47394 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:85 SO rule 47395 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:86 SO rule 47878 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:87 SO rule 47879 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:88 SO rule 48689 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:89 SO rule 48690 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:90 SO rule 45597 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:91 SO rule 54028 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:92 SO rule 39885 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:93 SO rule 43424 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:94 SO rule 43425 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:95 SO rule 43426 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:96 SO rule 43427 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:97 SO rule 43428 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:98 SO rule 43429 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:99 SO rule 43430 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:100 SO rule 43431 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:101 SO rule 43432 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:102 SO rule 30887 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:103 SO rule 30888 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:104 SO rule 30929 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:105 SO rule 30931 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:106 SO rule 30933 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:107 SO rule 31361 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:108 SO rule 35894 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:109 SO rule 35897 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:110 SO rule 35898 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:111 SO rule 35899 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:112 SO rule 35900 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:113 SO rule 35901 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:114 SO rule 35902 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:115 SO rule 35903 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:116 SO rule 35906 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:117 SO rule 35908 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:118 SO rule 36153 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:119 SO rule 40006 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:120 SO rule 40049 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:121 SO rule 40287 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:122 SO rule 40499 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:123 SO rule 41548 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:124 SO rule 41909 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:125 SO rule 41910 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:126 SO rule 43489 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:127 SO rule 43558 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:128 SO rule 43559 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:129 SO rule 44071 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:130 SO rule 44189 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:131 SO rule 45575 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:132 SO rule 45596 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:133 SO rule 46110 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:134 SO rule 47234 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:135 SO rule 47684 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:136 SO rule 47707 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:137 SO rule 49334 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:138 SO rule 49335 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:139 SO rule 53668 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:140 SO rule 57115 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:141 SO rule 57116 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:142 SO rule 57117 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:143 SO rule 57118 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:144 SO rule 52020 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:145 SO rule 52021 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:146 SO rule 49293 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:147 SO rule 57136 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:148 SO rule 35885 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:149 SO rule 44012 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:150 SO rule 38745 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:151 SO rule 56552 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:152 SO rule 56553 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:153 SO rule 49442 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:154 SO rule 49443 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:155 SO rule 35834 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:156 SO rule 35835 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:157 SO rule 16343 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:158 SO rule 41360 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:159 SO rule 41361 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:160 SO rule 41362 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:161 SO rule 41363 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:162 SO rule 42313 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:163 SO rule 42314 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:164 SO rule 45521 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:165 SO rule 45522 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:166 SO rule 45715 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:167 SO rule 45716 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:168 SO rule 46292 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:169 SO rule 46293 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:170 SO rule 46550 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:171 SO rule 46551 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:172 SO rule 47340 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:173 SO rule 47341 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:174 SO rule 49189 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:175 SO rule 49190 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:176 SO rule 38244 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:177 SO rule 38245 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:178 SO rule 38285 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:179 SO rule 38746 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:180 SO rule 38747 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:181 SO rule 38748 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:182 SO rule 38749 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:183 SO rule 38750 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:184 SO rule 38751 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:185 SO rule 38752 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:186 SO rule 38753 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:187 SO rule 38754 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:188 SO rule 38755 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:189 SO rule 38756 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:190 SO rule 38757 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:191 SO rule 57422 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:192 SO rule 31615 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:193 SO rule 31616 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:194 SO rule 34180 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:195 SO rule 47595 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:196 SO rule 47596 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:197 SO rule 47597 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:198 SO rule 47598 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:199 SO rule 34369 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:200 SO rule 35347 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:201 SO rule 35926 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:202 SO rule 35927 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:203 SO rule 35929 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:204 SO rule 35930 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:205 SO rule 35931 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:206 SO rule 35932 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:207 SO rule 35941 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:208 SO rule 36913 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:209 SO rule 37358 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:210 SO rule 38543 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:211 SO rule 39897 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:212 SO rule 40240 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:213 SO rule 40275 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:214 SO rule 41538 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:215 SO rule 45870 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:216 SO rule 46740 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:217 SO rule 46741 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:218 SO rule 46992 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:219 SO rule 47679 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:220 SO rule 47680 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:221 SO rule 47681 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:222 SO rule 48946 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:223 SO rule 48947 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:224 SO rule 48948 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:225 SO rule 48949 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:226 SO rule 49350 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:227 SO rule 49362 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:228 SO rule 49509 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:229 SO rule 49510 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:230 SO rule 49511 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:231 SO rule 49614 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:232 SO rule 49615 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:233 SO rule 49616 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:234 SO rule 49619 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:235 SO rule 50512 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:236 SO rule 50513 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:237 SO rule 50514 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:238 SO rule 50515 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:239 SO rule 50745 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:240 SO rule 51355 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:241 SO rule 52627 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:242 SO rule 52628 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:243 SO rule 52629 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:244 SO rule 52630 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:245 SO rule 52631 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:246 SO rule 52632 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:247 SO rule 53168 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:248 SO rule 53671 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:249 SO rule 53672 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:250 SO rule 53673 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:251 SO rule 53674 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:252 SO rule 53675 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:253 SO rule 53676 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:254 SO rule 53677 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:255 SO rule 53678 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:256 SO rule 53679 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:257 SO rule 53680 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:258 SO rule 53681 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:259 SO rule 53851 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:260 SO rule 54598 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:261 SO rule 54599 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:262 SO rule 54600 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:263 SO rule 54601 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:264 SO rule 56306 not loaded.
ERROR: /opt/snort/etc/rules/snort-pulledpork.rules:265 SO rule 57486 not loaded.

19 through 265 in the snort-pulledpork.rules are all the soid rules.

DigiAngel commented 3 years ago

Anyone?

colingrady commented 3 years ago

Apologies, not ignoring you. I just haven't had the time to work on this project at all the last few weeks. One of us will get to it when we are able.

DigiAngel commented 3 years ago

Appreciate it....I realize Defcon and BH take up everyone's time :)

colingrady commented 3 years ago

What does your /opt/snort/etc/rules/snort-pulledpork.rules file look like?

DigiAngel commented 3 years ago

It's beefy...looks solid...about 8846 active rules by the look of it...4.9 meg size. Screenshot from 2021-08-11 07-31-41

colingrady commented 3 years ago

When you run Snort are you including the SO rule path as suggested in the comments at the top of the file?

DigiAngel commented 3 years ago

Yes....it's the start of this ticket :) Screenshot from 2021-08-11 07-39-29

colingrady commented 3 years ago

So it is... drinks more coffee

DigiAngel commented 3 years ago

Welcome to my world!

DigiAngel commented 3 years ago

I can get this back to working state by manually copying files and making a couple tweaks to the included rule paths with a fresh lightspeed package if that would help? This is just on a test box so ya..anything goes really.

colingrady commented 3 years ago

I can get this back to working state by manually copying files and making a couple tweaks to the included rule paths with a fresh lightspeed package if that would help? This is just on a test box so ya..anything goes really.

Yes, please. That would be a great help.

DigiAngel commented 3 years ago

Ok....done....lint's fine..will include full output at the end. Here's the setup:

ips =
{

    enable_builtin_rules = true,
    rules = [[

        include /opt/snort/etc/rules/includes.rules
        include /opt/snort/etc/local.rules
        include /opt/snort/etc/rules/so_rules/includes.rules
    ]],

    variables = default_variables
}

in the lightspd dir:

sudo cp -R builtins/* /opt/snort/etc/rules/builtins
sudo cp -R modules/3.1.9.0/ubuntu-x64/so_rules/ /opt/snort/etc/rules/
sudo cp -R modules/stubs/* /opt/snort/etc/rules/so_rules/
sudo cp -R rules/*/*.rules /opt/snort/etc/rules/

here's a find within the rules dir...snips are where consecutive rules files were:

./snort3-file-office.rules
./snort3-deleted.rules
<snip>
./snort3-server-mail.rules
./snort3-server-other.rules
./includes.rules
./snort3-file-other.rules
./snort3-os-linux.rules
<snip>
./snort3-content-replace.rules
./snort3-policy-other.rules
./snort3-browser-plugins.rules
./snort3-pua-adware.rules
./builtins
./builtins/rulestates-security-ips.states
./builtins/builtins.rules
./builtins/rulestates-max-detect-ips.states
./builtins/rulestates-balanced-ips.states
./builtins/rulestates-no-rules-active.states
./builtins/rulestates-connectivity-ips.states
./snort3-pua-other.rules
./snort3-server-samba.rules
./snort3-malware-cnc.rules
./snort3-os-solaris.rules
./snort3-app-detect.rules
./snort3-browser-firefox.rules
./snort3-protocol-imap.rules
./snort3-protocol-icmp.rules
./snort3-file-multimedia.rules
./snort3-browser-ie.rules
./snort3-pua-toolbars.rules
./snort3-file-flash.rules
./so_rules
./so_rules/file-flash.rules
./so_rules/browser-ie.so
./so_rules/file-image.so
./so_rules/os-windows.rules
./so_rules/indicator-shellcode.so
<snip>
./so_rules/browser-chrome.so
./so_rules/protocol-tftp.rules
./so_rules/malware-cnc.rules
./so_rules/exploit-kit.so
./so_rules/os-other.rules
./so_rules/rulestates-connectivity-ips.states
./so_rules/server-webapp.rules
./snort3-file-identify.rules

lint

08:41:12 me@cape:/opt/snort/etc$] sudo /opt/snort/bin/snort --daq-dir=/opt/snort/libdaq/lib/daq --plugin-path=/opt/snort/etc/rules/so_rules -c /opt/snort/etc/snort.lua -T
--------------------------------------------------
o")~   Snort++ 3.1.9.0
--------------------------------------------------
Loading /opt/snort/etc/snort.lua:
Loading /opt/snort/etc/snort_defaults.lua:
Finished /opt/snort/etc/snort_defaults.lua:
Loading /opt/snort/etc/file_magic.lua:
Finished /opt/snort/etc/file_magic.lua:
Loading /opt/snort/etc/threshold.conf:
Finished /opt/snort/etc/threshold.conf:
    alert_syslog
    ssh
    hosts
    host_cache
    pop
    so_proxy
    stream_tcp
    smtp
    packets
    dce_http_proxy
    stream_icmp
    normalizer
    stream_udp
    alerts
    search_engine
    alert_fast
    suppress
    ips
    dce_smb
    binder
    wizard
    file_id
    port_scan
    dce_http_server
    dce_tcp
    ssl
    sip
    network
    http2_inspect
    host_tracker
    http_inspect
    stream_user
    stream_ip
    trace
    classifications
    active
    log_pcap
    decode
    daq
    stream
    references
    output
    process
    dns
    dce_udp
    imap
    stream_file
Finished /opt/snort/etc/snort.lua:
Loading ips.rules:
Loading /opt/snort/etc/rules/includes.rules:
Loading snort3-app-detect.rules:
Finished snort3-app-detect.rules:
Loading snort3-browser-chrome.rules:
Finished snort3-browser-chrome.rules:
Loading snort3-browser-firefox.rules:
Finished snort3-browser-firefox.rules:
Loading snort3-browser-ie.rules:
Finished snort3-browser-ie.rules:
Loading snort3-browser-other.rules:
Finished snort3-browser-other.rules:
Loading snort3-browser-plugins.rules:
Finished snort3-browser-plugins.rules:
Loading snort3-browser-webkit.rules:
Finished snort3-browser-webkit.rules:
Loading snort3-content-replace.rules:
Finished snort3-content-replace.rules:
Loading snort3-exploit-kit.rules:
Finished snort3-exploit-kit.rules:
Loading snort3-file-executable.rules:
Finished snort3-file-executable.rules:
Loading snort3-file-flash.rules:
Finished snort3-file-flash.rules:
Loading snort3-file-identify.rules:
Finished snort3-file-identify.rules:
Loading snort3-file-image.rules:
Finished snort3-file-image.rules:
Loading snort3-file-java.rules:
Finished snort3-file-java.rules:
Loading snort3-file-multimedia.rules:
Finished snort3-file-multimedia.rules:
Loading snort3-file-office.rules:
Finished snort3-file-office.rules:
Loading snort3-file-other.rules:
Finished snort3-file-other.rules:
Loading snort3-file-pdf.rules:
Finished snort3-file-pdf.rules:
Loading snort3-indicator-compromise.rules:
Finished snort3-indicator-compromise.rules:
Loading snort3-indicator-obfuscation.rules:
Finished snort3-indicator-obfuscation.rules:
Loading snort3-indicator-scan.rules:
Finished snort3-indicator-scan.rules:
Loading snort3-indicator-shellcode.rules:
Finished snort3-indicator-shellcode.rules:
Loading snort3-malware-backdoor.rules:
Finished snort3-malware-backdoor.rules:
Loading snort3-malware-cnc.rules:
Finished snort3-malware-cnc.rules:
Loading snort3-malware-other.rules:
Finished snort3-malware-other.rules:
Loading snort3-malware-tools.rules:
Finished snort3-malware-tools.rules:
Loading snort3-netbios.rules:
Finished snort3-netbios.rules:
Loading snort3-os-linux.rules:
Finished snort3-os-linux.rules:
Loading snort3-os-mobile.rules:
Finished snort3-os-mobile.rules:
Loading snort3-os-other.rules:
Finished snort3-os-other.rules:
Loading snort3-os-solaris.rules:
Finished snort3-os-solaris.rules:
Loading snort3-os-windows.rules:
Finished snort3-os-windows.rules:
Loading snort3-policy-multimedia.rules:
Finished snort3-policy-multimedia.rules:
Loading snort3-policy-other.rules:
Finished snort3-policy-other.rules:
Loading snort3-policy-social.rules:
Finished snort3-policy-social.rules:
Loading snort3-policy-spam.rules:
Finished snort3-policy-spam.rules:
Loading snort3-protocol-dns.rules:
Finished snort3-protocol-dns.rules:
Loading snort3-protocol-finger.rules:
Finished snort3-protocol-finger.rules:
Loading snort3-protocol-ftp.rules:
Finished snort3-protocol-ftp.rules:
Loading snort3-protocol-icmp.rules:
Finished snort3-protocol-icmp.rules:
Loading snort3-protocol-imap.rules:
Finished snort3-protocol-imap.rules:
Loading snort3-protocol-nntp.rules:
Finished snort3-protocol-nntp.rules:
Loading snort3-protocol-other.rules:
Finished snort3-protocol-other.rules:
Loading snort3-protocol-pop.rules:
Finished snort3-protocol-pop.rules:
Loading snort3-protocol-rpc.rules:
Finished snort3-protocol-rpc.rules:
Loading snort3-protocol-scada.rules:
Finished snort3-protocol-scada.rules:
Loading snort3-protocol-services.rules:
Finished snort3-protocol-services.rules:
Loading snort3-protocol-snmp.rules:
Finished snort3-protocol-snmp.rules:
Loading snort3-protocol-telnet.rules:
Finished snort3-protocol-telnet.rules:
Loading snort3-protocol-tftp.rules:
Finished snort3-protocol-tftp.rules:
Loading snort3-protocol-voip.rules:
Finished snort3-protocol-voip.rules:
Loading snort3-pua-adware.rules:
Finished snort3-pua-adware.rules:
Loading snort3-pua-other.rules:
Finished snort3-pua-other.rules:
Loading snort3-pua-p2p.rules:
Finished snort3-pua-p2p.rules:
Loading snort3-pua-toolbars.rules:
Finished snort3-pua-toolbars.rules:
Loading snort3-server-apache.rules:
Finished snort3-server-apache.rules:
Loading snort3-server-iis.rules:
Finished snort3-server-iis.rules:
Loading snort3-server-mail.rules:
Finished snort3-server-mail.rules:
Loading snort3-server-mssql.rules:
Finished snort3-server-mssql.rules:
Loading snort3-server-mysql.rules:
Finished snort3-server-mysql.rules:
Loading snort3-server-oracle.rules:
Finished snort3-server-oracle.rules:
Loading snort3-server-other.rules:
Finished snort3-server-other.rules:
Loading snort3-server-samba.rules:
Finished snort3-server-samba.rules:
Loading snort3-server-webapp.rules:
Finished snort3-server-webapp.rules:
Loading snort3-sql.rules:
Finished snort3-sql.rules:
Loading snort3-x11.rules:
Finished snort3-x11.rules:
Finished /opt/snort/etc/rules/includes.rules:
Loading /opt/snort/etc/local.rules:
Finished /opt/snort/etc/local.rules:
Loading /opt/snort/etc/rules/so_rules/includes.rules:
Loading browser-chrome.rules:
Finished browser-chrome.rules:
Loading browser-ie.rules:
Finished browser-ie.rules:
Loading browser-other.rules:
Finished browser-other.rules:
Loading browser-webkit.rules:
Finished browser-webkit.rules:
Loading exploit-kit.rules:
Finished exploit-kit.rules:
Loading file-executable.rules:
Finished file-executable.rules:
Loading file-flash.rules:
Finished file-flash.rules:
Loading file-image.rules:
Finished file-image.rules:
Loading file-java.rules:
Finished file-java.rules:
Loading file-multimedia.rules:
Finished file-multimedia.rules:
Loading file-office.rules:
Finished file-office.rules:
Loading file-other.rules:
Finished file-other.rules:
Loading file-pdf.rules:
Finished file-pdf.rules:
Loading indicator-shellcode.rules:
Finished indicator-shellcode.rules:
Loading malware-cnc.rules:
Finished malware-cnc.rules:
Loading malware-other.rules:
Finished malware-other.rules:
Loading netbios.rules:
Finished netbios.rules:
Loading os-linux.rules:
Finished os-linux.rules:
Loading os-other.rules:
Finished os-other.rules:
Loading os-windows.rules:
Finished os-windows.rules:
Loading policy-other.rules:
Finished policy-other.rules:
Loading policy-social.rules:
Finished policy-social.rules:
Loading protocol-dns.rules:
Finished protocol-dns.rules:
Loading protocol-other.rules:
Finished protocol-other.rules:
Loading protocol-scada.rules:
Finished protocol-scada.rules:
Loading protocol-snmp.rules:
Finished protocol-snmp.rules:
Loading protocol-tftp.rules:
Finished protocol-tftp.rules:
Loading protocol-voip.rules:
Finished protocol-voip.rules:
Loading server-iis.rules:
Finished server-iis.rules:
Loading server-mail.rules:
Finished server-mail.rules:
Loading server-mysql.rules:
Finished server-mysql.rules:
Loading server-oracle.rules:
Finished server-oracle.rules:
Loading server-other.rules:
Finished server-other.rules:
Loading server-webapp.rules:
Finished server-webapp.rules:
Finished /opt/snort/etc/rules/so_rules/includes.rules:
Finished ips.rules:
--------------------------------------------------
rule counts
       total rules loaded: 45436
               text rules: 42081
            builtin rules: 589
                 so rules: 2766
            option chains: 45436
            chain headers: 1820
--------------------------------------------------
port rule counts
             tcp     udp    icmp      ip
     any    2556     427     490     310
     src   14722     168       0       0
     dst   26328    1285       0       0
    both     110      73       0       0
   total   43716    1953     490     310
--------------------------------------------------
ips policies rule stats
              id  loaded  shared enabled    file
               0   45436       0   45436    /opt/snort/etc/snort.lua
--------------------------------------------------
flowbits
                  defined: 703
              not checked: 65
--------------------------------------------------
service rule counts          to-srv  to-cli
                      bgp:        3       0
                   dcerpc:      108      21
                     dhcp:       49      20
                      dns:      283     114
                     drda:        5       0
                     file:       48      48
                      ftp:      199      23
                 ftp-data:      138   10389
                   gopher:        0       1
                     http:    13238   13709
                    http2:    13238   13709
                    ident:        1       0
                     igmp:        1       1
                     imap:      176   10635
                      ipp:        1       0
                      irc:       40      14
                     ircd:        9       3
                 java_rmi:       52       2
                 kerberos:       36       6
                     ldap:       42       8
                      ldp:        1       0
                     mdns:       12      11
                    mysql:       66       6
              netbios-dgm:       11      11
               netbios-ns:       15       5
              netbios-ssn:      567     135
                  netware:        2       0
                     nntp:        2       2
                      ntp:       37       8
                  openvpn:       16      16
                     pop3:      136   10638
               postgresql:        6       0
                  printer:        6       0
                   radius:        4       3
                      rdp:       11      17
                     rtmp:        1       4
                      rtp:        2       2
                     rtsp:       18       2
                      sip:      371      47
                     smtp:     9577      76
                     snmp:       80      18
                     ssdp:       13       0
                      ssh:        5       2
                      ssl:      196     207
                   sunrpc:      116      10
                   syslog:        4       0
                 teamview:        1       2
                   telnet:       64      18
                     tftp:       22       6
                      vnc:        4       1
               vnc-server:       11       4
                     wins:        3       0
                    total:    39047   59954
--------------------------------------------------
fast pattern port groups        src     dst     any
                   packet:      284     996       4
--------------------------------------------------
fast pattern service groups  to-srv  to-cli
                   packet:       49      39
                      key:        6       2
                   header:       10      10
                     body:        8       0
                     file:       12       8
                  raw_key:        2       0
               raw_header:        2       0
                   method:        2       0
                stat_code:        0       2
                 stat_msg:        0       2
                   cookie:        2       0
--------------------------------------------------
search engine
--------------------------------------------------
pcap DAQ configured to passive.

Snort successfully validated the configuration (with 0 warnings).
o")~   Snort exiting
DigiAngel commented 3 years ago

Any movement on this?

finchy commented 3 years ago

Don't think we've had any time to make movement on this, no.

DigiAngel commented 3 years ago

Completely understand..thank you.

NDietrich commented 3 years ago

I'm looking over this ticket now, and it looks like you're doing everything correctly. The error you're seeing tells me that when snort loads the single text rules file, it's encountering a number of rules that are .so rules, but for some reason it can't locate the necessary .so files, even though it looks like you have included them properly, and they exist in the folder.

I'm spooling up an ubuntu vm to test this on, since I can't seem to think of anything from what you've posted that could be causing this. If possible: can you run PP3 with the -vv flag (very verbose output). You can use tee or redirect the stdout to save the output to a text file and attach it to this ticket? PP3 should remove your oinkcode from the output automatically. You might also try deleting the contents of the so_rules folder before running PP3, we have an open ticket to add that functionality, but it hasn't been done yet, and (long shot) might be part of the problem.

I'll also assume you're running PP3 with elevated rights, and you're using the latest version of PP3 (last updated on July 24th)

NDietrich commented 3 years ago

Ok, I've re-created the issue on my system. I can't guarantee you have the same problem, but I suspect this is it. This is a bug (def. not a feature). The problem looks to be the way determines which folder to pull the .so file from (they're versioned). It should be looking for a folder version that is equal to or less than the actual version of snort running, but for some reason that's not working (I'll dig into the code, but I don't suspect a complicated fix, probably need to flip a greater than to a less than). Here's how I identified the issue, from the PP3 output (line 4 below gives it away):

Processing json manifest file /tmp/PulledPork-2021.08.30-14.28.11/extracted_rulesets/Talos_LightSPD/lightspd/manifest.json
Found 11 versions of snort in the manifest file:  ['3.1.9.0-0', '3.1.8.0-0', '3.1.7.1-73', '3.1.7.0-0', '3.1.10.0-0', '3.1.1.0-0', '3.1.0.1-174', '3.1.0.1-149', '3.1.0.0-0', '3.0.3-4', '3.0.3-1']
Looking for a version in the manifest file that is less than or equal to our current snort Version:  3.1.6.0
Using snort version 3.1.10.0-0 from lightSPD manifest file. Actual Snort version is:  3.1.6.0
policies_path from lightSPD Manifest file for snort 3.1.10.0-0 is:  policies/3.1.0.1-174/
modules_path from lightSPD Manifest file for snort 3.1.10.0-0 is:  modules/3.1.10.0/ubuntu-x64/

I'll track this down and let you know when it's fixed. If you copy the .so rules files from the correct folder in the LightSPD archive to /opt/snort/etc/rules/so_rules, it should not throw those errors. Noah

DigiAngel commented 3 years ago

Ok cool thanks. So originally I wasn't going to use pp as now that we don't have to dump stub rules it was really just a copy paste. It was when I started seeing different so rules directories that things got interesting. I know that the LightSPD package is designed for Firepower and what not...but maybe you could suggest making some symlinks? Say....if I'm running 3.1.8.0, but the so rules in 3.1.9.0 will work fine with them, then just have the package maintainer symlink them? At that point, for a pp and a manual copy paste perspective, it's simply a one for one when you script it....i.e. find the version of snort running/binary, and copy the correct version so_rules directory over and call it good. Just a thought :) Still need that pp -vv run?

NDietrich commented 3 years ago

Ok, this is slightly more challenging to solve due to the funky version numbers that occur in the LightSPD package. For example, here's what I see from the latest: ['3.1.9.0-0', '3.1.8.0-0', '3.1.7.1-73', '3.1.7.0-0', '3.1.10.0-0', '3.1.1.0-0', '3.1.0.1-174', '3.1.0.1-149', '3.1.0.0-0', '3.0.3-4', '3.0.3-1']

if those existed without the hyphen, this would be simple (one liner). however you see some of those early versions (3.0.3-4) dont' really line up. What i'll probably do is swap the hyphen with a dot, and for those two early ones that only have n.n.n-x, I'll modify it to n.n.n.0-x. That'll allow for an easy sort.

DigiAngel commented 3 years ago

Pimpy....can't wait to see the results :)

NDietrich commented 3 years ago

@DigiAngel : Don't need the -vv yet, I found a bug and i'm fixgin it. regarding symlinks: they aren't needed. The idea is that you find the folder version that matches your version of snort, and if there isn't an exact match, you find the folder with the most recent version below your version number. PP will determine your version of Snort (parses the output of snort -v if you don't specify the version number in your PP.conf), and then it looks for the correct .so rules folder, based on that version number. What you're suggesting is what we do (when it works).

DigiAngel commented 3 years ago

LoL...awesome....happy to be part of the process :)

NDietrich commented 3 years ago

This should be fixed now. Solution wasn't as clean as I would have liked, due to different numbering schemes in the LightSPD file, but after normalization of the numbering it looks good. Please test with the latest version from git.

kronnk commented 2 years ago

you have to include the path to the so_rules using --plugin-path $Path when running snort

ghost commented 1 year ago

@Crono-dev is right, just do for example: /usr/local/bin/snort -c /usr/local/etc/snort/snort.lua --plugin-path /usr/local/etc/so_rules/ -s 65535 -k none -l /var/log/snort -i eth0 -m0x1b

if you installed from documentation on Ubuntu I had same issue like you showed.