Home page logo
/

snort logo Snort mailing list archives

Re: Clarification on so_rules
From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 09 Aug 2013 10:12:28 -0600

On 2013-08-09 10:10, Joel Esler wrote:
Pulledpork should take are of everything for you. You don't have to
do anything except turn them on via the snort.conf

And yes, you leave them there.

--
Joel Esler

On Aug 9, 2013, at 12:07 PM, James Lay <jlay () slave-tothe-box net> 
wrote:

All,

I'm wanting to make sure I have this correct, so here goes.  
According
to so_rules/src/README:

To use the shared object rules, the rule stub files must be 
generated.
To do this, follow these instructions:

 1. Make sure the dynamic preprocessor and dynamic engine paths are
    defined in snort.conf, for example:

 dynamicpreprocessor directory 
/usr/local/lib/snort_dynamicpreprocessor
 dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so

 2. Make sure the path to the location of the shared object rules is
    also defined in snort.conf, for example:

 dynamicdetection directory /usr/local/lib/snort_dynamicrule

 3. Dump the stub rules by issuing the command:

 snort -c /usr/local/etc/snort/snort.conf
--dump-dynamic-rules=/usr/local/etc/snort/so_rules

 4. Use a variable to define the path to the stub rules, for 
example:

 var SO_RULE_PATH /usr/local/etc/snort/so_rules

 5. Include the generated stub rule files in snort.conf in the same 
way
    the regular rules are included, for example:

 include $SO_RULE_PATH/netbios.rules


I use pulledpork, so instead, /opt/etc/rules/so_rules/so_rules.rules 
is
created...so far so good.  My question is, what happens with the 
actual
.so files?  Do I delete them..move them...something else?  Thanks 
for
any insight.

James

Awesome..thanks for the quick response Joel.

James

------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite!
It's a free troubleshooting tool designed for production.
Get down to code-level detail for bottlenecks, with <2% overhead. 
Download for free and get started troubleshooting in minutes. 
http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault