SO rule XXXX not loaded #46

Closed
razausman opened this issue Dec 4, 2021 · 5 comments
@razausman

When I try to run snort using
snort -c /usr/local/etc/snort/snort.lua --plugin-path /usr/local/etc/so_rules/
I get the error
ERROR: ../rules/pulledpork.rules:19 SO rule xxxx not loaded.

pulledpork.conf has the following options:

community_ruleset = false
registered_ruleset = false
LightSPD_ruleset = true
oinkcode = b1c731eb74a69caxxxxxxxxxxx0811baa
snort_blocklist = true
et_blocklist = true
blocklist_path = /usr/local/etc/lists/default.blocklist
snort_path = /usr/local/bin/snort
ips_policy = balanced
rule_mode = simple
rule_path = /usr/local/etc/rules/pulledpork.rules
local_rules = /usr/local/etc/rules/local.rules
....
....

SO rules directory is populated

Any help appreciated

@NDietrich
Collaborator

Hello,
I can't tell if this is a PP3 or a snort error; I suspect that it's a snort.lua error.
Can you attach your snort.lua file to this issue so I can check it out?
Also, if you can run PulledPork3 with the -v flag (verbose), pipe the output to a text file, and attach that output to this bug, we can better help troubleshoot.

@razausman
Author

razausman commented Dec 7, 2021

I failed to mention that this is on an RPi4 with Ubuntu. Could the distro value be a problem?
Description: Ubuntu 21.10

pp3_output_1.txt

snort_lua.txt

Thanks!

@NDietrich
Collaborator

I've deleted the pp.conf from your comment since it includes your oinkcode, and the pulledpork output with the -v flag contains all the info we need.
Looking these over, I'm not sure what the issue is. It certainly could be that you're running on a RPi4. Are you running Ubuntu on the RPi4?
Is that the only error you get, or are there multiple errors? If only 1 error: can you comment out line 19 of your pulledpork.rules and try running snort again?

@NDietrich NDietrich self-assigned this Dec 7, 2021
@NDietrich NDietrich added the bug Something isn't working label Dec 7, 2021
@razausman
Author

Thanks! (I had masked some of the oink code)
Yes I'm running Ubuntu 21.10 on rpi4.
There are 251 rules that don't load.
pulledpork_error.txt

When I comment out line 19 it still gives an error but reduces the error to 250.

@NDietrich
Collaborator

So the Ubuntu-x64 pre-compiled rules won't work with the RPI, because those compiled rules are for the x64 architecture, and the RPI uses the ARM architecture.
There is no way to use pre-compiled rules at this time (we're working on adding manual compilation of the rules, but it's not done yet).
For now, in your pp.conf you should disable (comment out) the line starting with sorule_path to disable pre-compiled rules.
Re-run pulledpork, and remove the --plugin_path option when running snort.
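
Added example (not part of the thread and not PulledPork or Snort code): a Python check that reads the ELF `e_machine` field of every `.so` file in the SO rules directory and compares it with the host architecture, which exposes the x64-versus-ARM mismatch described in the last comment. The function names and the architecture table are this example's own; the default directory is the one from the opening post.

```python
import os
import platform
import struct
import sys

# Assumption of this example: ELF e_machine values (from the ELF specification)
# mapped to the strings platform.machine() reports on Linux for that architecture.
EM_NAMES = {
    3: {"i386", "i686"},
    40: {"armv6l", "armv7l", "armv8l"},
    62: {"x86_64", "amd64"},
    183: {"aarch64", "arm64"},
}

def elf_machine(header: bytes):
    """Return e_machine from the first 20 bytes of a file, or None if it is not ELF."""
    if len(header) < 20 or header[:4] != b"\x7fELF":
        return None
    # e_ident[EI_DATA] (byte 5): 1 = little-endian, 2 = big-endian.
    endian = {1: "<", 2: ">"}.get(header[5])
    if endian is None:
        return None
    # e_machine is a 16-bit field at offset 18 in both ELF32 and ELF64.
    return struct.unpack_from(endian + "H", header, 18)[0]

def check_so_rules(directory, host=None):
    """Return [(filename, e_machine)] for .so files not built for the host architecture."""
    host = (host or platform.machine()).lower()
    mismatched = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".so"):
            continue
        with open(os.path.join(directory, name), "rb") as fh:
            machine = elf_machine(fh.read(20))
        # Unknown or non-ELF files are reported too: Snort cannot load them either.
        if host not in EM_NAMES.get(machine, set()):
            mismatched.append((name, machine))
    return mismatched

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/usr/local/etc/so_rules/"
    bad = check_so_rules(path)
    for name, machine in bad:
        print(f"{name}: e_machine={machine} does not match host {platform.machine()}")
    sys.exit(1 if bad else 0)
```

A non-zero exit status means at least one shared object in the directory was built for a different architecture than the machine running the check.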
