mailing list archives
Re: Clarification on so_rules
From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 09 Aug 2013 10:12:28 -0600
On 2013-08-09 10:10, Joel Esler wrote:
Pulledpork should take care of everything for you. You don't have to
do anything except turn them on via the snort.conf
And yes, you leave them there.
On Aug 9, 2013, at 12:07 PM, James Lay <jlay () slave-tothe-box net>
I'm wanting to make sure I have this correct, so here goes.
To use the shared object rules, the rule stub files must be
To do this, follow these instructions:
1. Make sure the dynamic preprocessor and dynamic engine paths are
defined in snort.conf, for example:
2. Make sure the path to the location of the shared object rules is
also defined in snort.conf, for example:
dynamicdetection directory /usr/local/lib/snort_dynamicrule
3. Dump the stub rules by issuing the command:
snort -c /usr/local/etc/snort/snort.conf
4. Use a variable to define the path to the stub rules, for
var SO_RULE_PATH /usr/local/etc/snort/so_rules
5. Include the generated stub rule files in snort.conf in the same
the regular rules are included, for example:
I use pulledpork, so instead, /opt/etc/rules/so_rules/so_rules.rules
created...so far so good. My question is, what happens with the
.so files? Do I delete them..move them...something else? Thanks
Awesome..thanks for the quick response Joel.
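
An added example, not part of the original thread or of Snort/PulledPork: a small check that snort.conf still points at a dynamicdetection directory containing the .so files and includes the generated stub file. It assumes absolute include paths; the function names and the .so file name are made up for illustration.

```python
import os
import re
import tempfile

def parse_snort_conf(text):
    """Collect var definitions, dynamicdetection directories and includes."""
    variables, so_dirs, includes = {}, [], []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if len(parts) >= 3 and parts[0] == "var":
            variables[parts[1]] = parts[2]
        elif len(parts) >= 3 and parts[:2] == ["dynamicdetection", "directory"]:
            so_dirs.append(parts[2])
        elif len(parts) >= 2 and parts[0] == "include":
            includes.append(parts[1])
    return variables, so_dirs, includes

def check_so_rules(conf_text, stub_file):
    """Return a list of problems; an empty list means the setup is consistent."""
    variables, so_dirs, includes = parse_snort_conf(conf_text)
    def expand(path):  # resolve $NAME against the var lines seen in the config
        return re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), path)
    problems = []
    if not so_dirs:
        problems.append("no 'dynamicdetection directory' line")
    for d in map(expand, so_dirs):
        # The stubs only describe the rules; the compiled .so files must stay here.
        if not (os.path.isdir(d) and any(f.endswith(".so") for f in os.listdir(d))):
            problems.append("no .so files in %s" % d)
    if os.path.normpath(stub_file) not in [os.path.normpath(expand(i)) for i in includes]:
        problems.append("stub file not included: %s" % stub_file)
    elif not os.path.isfile(stub_file):
        problems.append("stub file missing on disk: %s" % stub_file)
    return problems

if __name__ == "__main__":
    # Constructed layout in a temp dir, mirroring the paths quoted in the thread.
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "snort_dynamicrule")
        rules = os.path.join(root, "so_rules")
        os.makedirs(lib)
        os.makedirs(rules)
        stub = os.path.join(rules, "so_rules.rules")
        open(stub, "w").close()
        open(os.path.join(lib, "constructed-example.so"), "w").close()
        conf = ("dynamicdetection directory %s\nvar SO_RULE_PATH %s\n"
                "include $SO_RULE_PATH/so_rules.rules\n") % (lib, rules)
        print(check_so_rules(conf, stub))  # .so files kept in place: no problems
```
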
Snort-users mailing list
Snort-users () lists sourceforge net