No rules in /usr/local/lib/snort_dynamicrules


cm0s...@gmail.com

Sep 1, 2016, 4:29:04 AM9/1/16
to security-onion
When I run 'rule-update' it gives an error that there are no rules in /usr/local/lib/snort_dynamicrules. And when I check, there are no rules there. When I run sostat it shows 0 rules. How can I populate the dynamic rules, and how can I make sure that every update I do keeps it populated?

Shane Castle

Sep 1, 2016, 5:01:59 AM9/1/16
to securit...@googlegroups.com
Hi cm0ss820 (you never identify yourself any more than this -- may we know your
name?),

You won't get the dynamic rules, also known as SO-rules or precompiled rules,
unless you are registered with Snort or have a Snort rules subscription. They
are not supplied in the public community rules. Yes, this kinda sucks.

Emerging Threats has a similar arrangement, I understand, but I think their
precompiled rules require a paid subscription.

See the Snort documentation (https://www.snort.org/documents) for more info.
Since ET was acquired by Proofpoint, getting the paid subscription has become
more difficult and poorly documented. Here is the parent website:
https://www.proofpoint.com/us/threat-intelligence-overview

The community rules are linked to under the "Open Source Community" link on that
page, and the ETPro link gives not very much info. This is not as good as it
used to be in the old Bleeding Edge days. (Matt, you reading this?)

Some more info is available on the remnant of the old Emerging Threats wiki:
http://doc.emergingthreats.net/

--
Best regards
Shane Castle

cm0s...@gmail.com

Sep 1, 2016, 1:51:42 PM9/1/16
to security-onion
Thank you for your quick reply. My name is Mike. I have looked at the links you listed. That helped a bit. I still have an issue that keeps repeating. I lose my 'enabled rules'. I looked in /etc/nsm/rules and everything seems to be there. The only empty files are: 1) black_list.rules 2) bpf.conf 3) local.rules 4) so_rules.rules 5) White_list.rules. Which of these empty rules would sostat be looking at? local_rules? so_rules? What do I need to do to get my 'enabled rules' to be seen and used by snort? Running 'rule-update' and 'sudo apt-get install --reinstall securityonion-pfring-module' does not help. All other output from sostat looks very good and appears the same as when the rules are being found by snort. The ONLY issue at this time is 'no enabled rules', yet they are there in /etc/nsm/rules/downloaded.rules. Again, any help would be greatly appreciated.

Kevin Branch

Sep 1, 2016, 2:24:39 PM9/1/16
to securit...@googlegroups.com
Shane,

I use Emerging Threats commercial feeds but I've never seen a precompiled rule from them.  I think that's just a Snort thing.  

Kevin


cm0s...@gmail.com

Sep 1, 2016, 4:34:11 PM9/1/16
to security-onion

Thank you for the reply. I haven't found what is causing the issue yet. And I haven't been told whether I should copy the files from downloaded.files to one of the other empty files. I'm sure sostat and snort are looking at one of the empty files but I don't know which one and I don't know for sure if I should copy the downloaded to one of them or not. It may actually be that the rules that sostat and snort are looking for are somewhere else. I don't know enough about snort yet to know but I have been reading up on it. Problem is the snort files are old and out of date and I'm not sure what security onion has modified to enable snort on 14.04.4.1 and the update to 14.04. Whatever is causing this issue happens over and over and is my #1 problem. I seem to have solved all my other original issues. This is one that has been from the beginning and is still happening. Only the networking rules are missing. All the others are working. All the servers are showing OK. Just missing the RULES. Any further help would be greatly appreciated.

cm0s...@gmail.com

Sep 1, 2016, 6:04:23 PM9/1/16
to security-onion
Post "An observation on rule-update" by Shane Castle solved my problem.

"date >> /var/log/nsm/pulledpork.log
/usr/bin/rule-update 2>&1 | tee -a /var/log/nsm/pulledpork.log"

That fixed my issue. Thank you.
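An added example, not from the thread or from Security Onion itself: a small shell wrapper that applies the same logging fix quoted above (date stamp, then tee the rule-update output into pulledpork.log) and then counts how many rules in a rules file are actually enabled versus commented out, so what sostat reports can be cross-checked against downloaded.rules directly. The log and rules paths are parameters, and the list of Snort rule actions is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread. Wraps a rule update so its output
# is appended to the pulledpork log (the fix quoted above), and counts the
# rules that are really enabled in the resulting rules file.

# log_rule_update LOGFILE CMD...  -- run CMD, stamping the log with the date
# and appending everything CMD prints, exactly as the quoted fix does.
log_rule_update() {
    logfile="$1"; shift
    date >> "$logfile"
    "$@" 2>&1 | tee -a "$logfile"
}

# count_enabled_rules RULESFILE -- number of active rule lines, i.e. lines
# whose first token is a Snort rule action (assumed list below).
count_enabled_rules() {
    grep -cE '^[[:space:]]*(alert|log|pass|drop|reject|sdrop)[[:space:]]' "$1" || true
}

# count_disabled_rules RULESFILE -- rules that pulledpork left commented out
# with a leading '#'; these are present in the file but not loaded by snort.
count_disabled_rules() {
    grep -cE '^[[:space:]]*#[[:space:]]*(alert|log|pass|drop|reject|sdrop)[[:space:]]' "$1" || true
}

# Typical use on a Security Onion sensor (paths from the thread):
#   log_rule_update /var/log/nsm/pulledpork.log /usr/bin/rule-update
#   count_enabled_rules /etc/nsm/rules/downloaded.rules
```

If count_enabled_rules prints a non-zero number while sostat still reports no enabled rules, the rules are on disk and the discrepancy is in how sostat reads the log, not in the rule download.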

Shane Castle

Sep 2, 2016, 3:03:11 AM9/2/16
to securit...@googlegroups.com
Mike, you are quite welcome. I was going to post a reply pointing out the reason
why you were not seeing the rule-update results in sostat, but your research
beat me to it.

As you probably noticed, Doug has created an issue for this problem where sostat
is unaware of the results if rule-update is run outside of cron.

--
Best regards
Shane Castle


cm0s...@gmail.com

Sep 2, 2016, 12:55:03 PM9/2/16
to security-onion
Thanks to your help I went ahead and changed over to the ruleset using the oinkcode. I still have to manually run your code, but now it does show it. Also, instead of using 'sudo soup' to update my system (since it broke it every time) I decided to try using the graphical updater (which I had never tried), and for reasons I don't understand the update did not break the system this time. All is updated, using the oinkcode ruleset, and all running smoothly. Thank you all for your patience and help.