Not placing .so rule in directory

[GoogleCodeExporter]

What steps will reproduce the problem?
Either a fresh install of Snort, test on 2.9.0.3 and 2.9.0.4, or while 
upgrading the rules after manually placing them in the proper directory. 

What is the expected output? What do you see instead?
The expected output would be to have the .so placed in the proper directory.

What version of the product are you using? On what operating system?
Snort versions listed above, PulledPork 0.50.  Ubuntu 10.04 both i686 and 
x86_64.

Please provide any additional information below.

Original issue reported on code.google.com by joe.ged...@gmail.com on 19 Feb 2011 at 12:58

[GoogleCodeExporter]

Can you provide your config file and tell me where you expect to see the files 
placed?

Original comment by Cummin...@gmail.com on 19 Feb 2011 at 3:07

[GoogleCodeExporter]

The configuration file is pasted below.  The defined location for the
*.so rules is /usr/lib/snort_dynamicrules/  If you need the snort
package that is installed please let me know and I can give you that
too.

# Config file for pulledpork
# Be sure to read through the entire configuration file
# If you specify any of these items on the command line, it WILL take
# precedence over any value that you specify in this file!

#######
#######  The below section defines what your oinkcode is (required for
#######  VRT rules), defines a temp path (must be writable) and also
#######  defines what version of rules that you are getting (for your
#######  snort version and subscription etc...)
#######

# The rule_url value replaces the old base_url and rule_file configuration
# options.  You can now specify one or as many rule_urls as you like, they
# must appear as http://what.site.com/|rulesfile.tar.gz|1234567.  You
can specify
# each on an individual line, or you can specify them in a , separated list
# i.e. rule_url=http://x.y.z/|a.tar.gz|123,http://z.y.z/|b.tar.gz|456
# note that the url, rule file, and oinkcode itself are separated by a pipe |
# i.e. url|tarball|123456789,

rule_url=https://www.snort.org/sub-rules/|snortrules-snapshot.tar.gz|<oink
code removed>
# rule_url=http://rules.emergingthreats.net/|emerging.rules.tar.gz|open

# THE FOLLOWING URL is for etpro downloads, note the tarball name change!
# and the et oinkcode requirement!

# rule_url=http://rules.emergingthreats.net/|etpro.rules.tar.gz|<et oinkcode>

# NOTE above that the VRT snortrules-snapshot does not contain the version
# portion of the tarball name, this is because PP now automatically populates
# this value for you, if, however you put the version information in, PP will
# NOT populate this value but will use your value!

# Specify the rule categories to ignore from the tarball, these defaults are
# a pretty good starting place. These must be comma separated and have
no spaces.
# Note that these are based on the VRT ruleset

ignore=deleted,experimental,local,policy

# IMPORTANT, if you are NOT yet using 2.8.6 then you MUST comment out the
# previous ignore line and uncomment the following!
# ignore=deleted,experimental,local,decoder,preprocessor,sensitive-data

# Define your Oinkcode - DEPRICATED, SEE RULE_URL
# oinkcode=replacethiswi

# What is our temp path, be sure this path has a bit of space for rule
# extraction and manipulation, no trailing slash

temp_path=/var/lib/pulledpork

#######
#######  The below section is for rule processing.  This section is
#######  required if you are not specifying the configuration using
#######  runtime switches.  Note that runtime switches do SUPERSEED
#######  any values that you have specified here!
#######

# What path you want the .rules file containing all of the processed
# rules? (this value has changed as of 0.4.0, previously we copied
# all of the rules, now we are creating a single large rules file
# but still keeping a separate file for your so_rules!

rule_path=/etc/snort/rules/snort.rules

# If you are running any rules in your local.rules file, we need to
# know about them to properly build a sid-msg.map that will contain your
# local.rules metadata (msg) information.  You can specify other rules
# files that are local to your system here by adding a comma and more paths...
# remember that the FULL path must be specified for EACH value.
# local_rules=/path/to/these.rules,/path/to/those.rules

local_rules=/etc/snort/rules/local.rules

# Where should I put the sid-msg.map file?

sid_msg=/etc/snort/sid-msg.map

# Where do you want me to put the sid changelog?  This is a changelog
# that pulledpork maintains of all new sids that are imported

sid_changelog=/var/log/sid_changes.log

# this value is optional

#######
#######  The below section is for so_rule processing only.  If you don't
#######  need to use them.. then comment this section out!
#######  Alternately, if you are not using pulledpork to process
#######  so_rules, you can specify -T at runtime to bypass this altogether
#######

# What path you want the .so files to actually go to *i.e. where is it
# defined in your snort.conf, needs a trailing slash

sorule_path=/usr/lib/snort_dynamicrules/

# Path to the snort binary, we need this to generate the stub files

snort_path=/usr/sbin/snort

# We need to know where your snort.conf file lives so that we can
# generate the stub files

config_path=/etc/snort/snort.conf

# This is the file that contains all of the shared object rules that pulledpork
# has processed, note that this has changed as of 0.4.0 just like the
rules_path!

sostub_path=/etc/snort/rules/so_rules.rules

# Define your distro, this is for the precompiled shared object libs!
# Valid Distro Types=Debian-Lenny, Ubuntu-6.01.1, Ubuntu-8.04
# CentOS-4.6, Centos-4-8, CentOS-5.0, Centos-5-4
# FC-5, FC-9, FC-11, FC-12, RHEL-5.0
# FreeBSD-6.3, FreeBSD-7-2, FreeBSD-7-3, FreeBSD-7.0, FreeBSD-8-0, FreeBSD-8-1
distro=Ubuntu-10.04

#######  This next section is optional, but probably pretty useful to you.
#######  Effectively list the path to the pid files that you want
#######  us to send a HUP signal to after we run, i.e. snort, barnyard,
#######  barnyard2 etc..  This list should be separated by comas only
#######  HINT: Unless you have specified the pid file for snort, it is
#######  generally snort_int.pid where int is the sniffing interface
#######  The same is true for barnyard2 (it is based on snort after all).

# Where do you want the signature docs to be copied, if this is commented
# out then they will not be copied / extracted.  Note that extracting them
# will add considerable runtime to pulledpork.
# docs=/path/to/base/www

# The following option, state_order, allows you to more finely control the order
# that pulledpork performs the modify operations, specifically the enablesid
# disablesid and dropsid functions.  An example use case here would be to
# disable an entire category and later enable only a rule or two out of it.
# the valid values are disable, drop, and enable.
# state_order=disable,drop,enable

# pid_path=/var/run/snort.pid,/var/run/barnyard.pid,/var/run/barnyard2.pid
# and so on...
# pid_path=/var/run/snort_eth0.pid

# This defines the version of snort that you are using, for use ONLY if the
# proper snort binary is not on the system that you are fetching the rules with
# Defining this value will set the Textonly flag, and thus will NOT allow
# you to use shared object rules.  This value MUST contain all 4 minor version
# numbers. ET rules are now also dependant on this, verify supported ET versions
# prior to simply throwing rubbish in this variable kthx!
# snort_version=2.9.0.0

# Here you can specify what rule modification files to run automatically.
# simply uncomment and specify the apt path.

 enablesid=/etc/pulledpork/enablesid.conf
# dropsid=/usr/local/etc/snort/dropsid.conf
 disablesid=/etc/pulledpork/disablesid.conf
 modifysid=/etc/pulledpork/modifysid.conf

# What is the base ruleset that you want to use, please uncomment to use
# and see the README.RULESETS for a description of the options.
# Note that setting this value will disable all ET rulesets if you are
# Running such rulesets
# ips_policy=security

####### Remember, a number of these values are optional.. if you don't
####### need to process so_rules, simply comment out the so_rule section
####### you can also specify -T at runtime to process only GID 1 rules.

version=0.5.0

Original comment by joe.ged...@gmail.com on 19 Feb 2011 at 6:31

[GoogleCodeExporter]

Are you a registered user or a subscriber?.. i.e. do you pay for the rules?

Original comment by Cummin...@gmail.com on 21 Feb 2011 at 1:55

[GoogleCodeExporter]

Subscriber, yes the rules are bought and paid for.

Original comment by joe.ged...@gmail.com on 22 Feb 2011 at 12:12

[GoogleCodeExporter]

Can you provide the variable output from a verbose run?

Original comment by Cummin...@gmail.com on 7 Mar 2011 at 2:56

[GoogleCodeExporter]

Re-pinging for -vv output 

Original comment by Cummin...@gmail.com on 28 Mar 2011 at 5:58

[GoogleCodeExporter]

Closing ticket as invalid, no response and unable to reproduce the issue.

Original comment by Cummin...@gmail.com on 7 Jun 2011 at 4:15

• Changed state: Invalid