
[Snort-users] Clarification on so_rules


James Lay

Aug 9, 2013, 12:07:42 PM

All,

I'm wanting to make sure I have this correct, so here goes. According
to so_rules/src/README:

To use the shared object rules, the rule stub files must be generated.
To do this, follow these instructions:

1. Make sure the dynamic preprocessor and dynamic engine paths are
defined in snort.conf, for example:

dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so

2. Make sure the path to the location of the shared object rules is
also defined in snort.conf, for example:

dynamicdetection directory /usr/local/lib/snort_dynamicrule

3. Dump the stub rules by issuing the command:

snort -c /usr/local/etc/snort/snort.conf --dump-dynamic-rules=/usr/local/etc/snort/so_rules

4. Use a variable to define the path to the stub rules, for example:

var SO_RULE_PATH /usr/local/etc/snort/so_rules

5. Include the generated stub rule files in snort.conf in the same way
the regular rules are included, for example:

include $SO_RULE_PATH/netbios.rules


I use pulledpork, so instead, /opt/etc/rules/so_rules/so_rules.rules is
created...so far so good. My question is, what happens with the actual
.so files? Do I delete them..move them...something else? Thanks for
any insight.

James

_______________________________________________
Snort-users mailing list
Snort...@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
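The README steps quoted above, turned into a pre-flight check script. This is an added example written for this thread, not code from the Snort or PulledPork projects. It checks that snort.conf carries the three dynamic* directives from steps 1 and 2, that every active rule in the dumped stub file is an SO stub (gid:3), that the .so binaries the stubs point at are still present in the dynamicdetection directory, and that none of those binaries is world-writable, since Snort loads them as code into the sensor process. The fixture it builds (snort.conf, stub lines with placeholder sids, an empty netbios.so) is constructed for the example, the file name so_check.sh is assumed, and snort itself is never invoked.

```shell
#!/bin/sh
# Added example (not Snort or PulledPork code): pre-flight checks for a Snort 2.x
# shared-object (SO) rule setup following the README steps quoted in the thread.
# Every path used below is constructed for the example; snort is never executed.

# check_conf CONF: the README requires all three dynamic* directives in snort.conf.
check_conf() {
    conf="$1"
    for directive in "dynamicpreprocessor directory" "dynamicengine" "dynamicdetection directory"; do
        grep -q "^$directive " "$conf" || {
            echo "$conf: missing '$directive' directive" >&2
            return 1
        }
    done
}

# count_so_files SODIR: number of compiled rule libraries present.
count_so_files() {
    find "$1" -name '*.so' -type f 2>/dev/null | wc -l | tr -d ' '
}

# check_stubs STUBFILE SODIR: the dumped stubs are text only. Every active rule in
# the stub file must carry gid:3 (the SO rule GID), and the .so binaries the stubs
# point at must still exist, otherwise Snort has nothing to run for them.
check_stubs() {
    stubs="$1"; sodir="$2"
    [ -f "$stubs" ] || { echo "$stubs: stub file not found" >&2; return 1; }
    if grep -E '^[[:space:]]*(alert|drop|pass|log|reject|sdrop) ' "$stubs" \
        | grep -vq 'gid:[[:space:]]*3;'; then
        echo "$stubs: contains an active rule without gid:3 (not an SO stub)" >&2
        return 1
    fi
    n=$(count_so_files "$sodir")
    [ "$n" -gt 0 ] || { echo "$sodir: no .so files; the stubs alone do nothing" >&2; return 1; }
}

# check_so_perms SODIR: Snort dlopen()s these libraries into the sensor process, so
# a world-writable .so is an arbitrary-code path into the sensor. Reject any.
check_so_perms() {
    bad=$(find "$1" -name '*.so' -type f -perm -002 2>/dev/null)
    [ -z "$bad" ] || { echo "world-writable SO rule libraries:" "$bad" >&2; return 1; }
}

# run_checks CONF STUBFILE SODIR: run all three checks; non-zero means fix before reload.
run_checks() {
    check_conf "$1" && check_stubs "$2" "$3" && check_so_perms "$3"
}

# make_fixture: build a throwaway directory with a constructed snort.conf, a stub
# file in the shape --dump-dynamic-rules emits (placeholder sids) and one empty .so.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/snort_dynamicrules"
    cat > "$dir/snort.conf" <<EOF
# constructed minimal snort.conf for the example
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory $dir/snort_dynamicrules
var SO_RULE_PATH $dir
include \$SO_RULE_PATH/so_rules.rules
EOF
    cat > "$dir/so_rules.rules" <<'EOF'
# constructed stub lines; sids are placeholders, not real VRT rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS example SO stub"; sid:1000001; gid:3; rev:1; classtype:attempted-admin; metadata:engine shared, soid 3|1000001;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS disabled SO stub"; sid:1000002; gid:3; rev:1;)
EOF
    : > "$dir/snort_dynamicrules/netbios.so"
    chmod 644 "$dir/snort_dynamicrules/netbios.so"
    echo "$dir"
}

# Stand-alone demo against the constructed fixture:  sh so_check.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(make_fixture)
    run_checks "$d/snort.conf" "$d/so_rules.rules" "$d/snort_dynamicrules" \
        && echo "SO rule setup looks sane"
    rm -rf "$d"
fi
```

On a real sensor, call run_checks with the config_path, sostub_path and sorule_path values from pulledpork.conf before reloading Snort; the point of the second check is the one the thread settles on, that the stubs are only text and the .so files must stay where dynamicdetection points.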

Joel Esler

Aug 9, 2013, 12:10:20 PM

Pulledpork should take care of everything for you. You don't have to do anything except turn them on via the snort.conf.

And yes, you leave them there.

--
Joel Esler

James Lay

Aug 9, 2013, 12:12:28 PM

Awesome..thanks for the quick response Joel.

Y M

Aug 9, 2013, 12:21:35 PM

Hi James,

I will take a shot explaining what I understand, if I get it wrong, someone please correct me.

PulledPork should copy the .so rules from the distro/precompiled directory based on the distro variable you set up in your pulledpork.conf. If you use -T in your pulledpork command, it will process only text-based rules.


James Lay

Aug 9, 2013, 12:32:05 PM

On 2013-08-09 10:21, Y M wrote:
> Hi James,
>
> I will take a shot explaining what I understand, if I get it wrong,
> someone please correct me.
>
> PulledPork should copy the .so rules from the distro/precompiled
> directory based on the distro variable you setup in your
> pulledpork.conf. If you use -T in your pulledpork command, it will
> process only text based rules.
>


Thanks YM...here's what I have in pp.conf:

sorule_path=/opt/lib/snort_dynamicrules/
snort_path=/opt/bin/snort
config_path=/opt/etc/snort/intsnort.conf
sostub_path=/opt/etc/snort/rules/so_rules/so_rules.rules
distro=Ubuntu-12-04


As Joel said, it looks like this is doing what it's supposed to
do...the actual .so rules don't seem to be present however...I'm
assuming they are supposed to be in /opt/lib/snort_dynamicrules/ yes?

waldo kitty

Aug 10, 2013, 1:57:26 AM

On 8/9/2013 12:07, James Lay wrote:
> I use pulledpork, so instead, /opt/etc/rules/so_rules/so_rules.rules is
> created...so far so good. My question is, what happens with the actual
> .so files? Do I delete them..move them...something else? Thanks for
> any insight.

just to add... no, you cannot remove the binary so rules files... the stubs that
are generated are just that, textual stubs... the binaries are still required...

the thing about the stubs is that you can comment out one of them to disable
that rule just like commenting out one of the normal textual rules...

--
NOTE: No off-list assistance is given without prior approval.
Please keep mailing list traffic on the list unless
private contact is specifically requested and granted.