Snort mailing list archives

Re: Clarification on so_rules
From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 09 Aug 2013 10:12:28 -0600

On 2013-08-09 10:10, Joel Esler wrote:
Pulledpork should take care of everything for you. You don't have to
do anything except turn them on via the snort.conf

And yes, you leave them there.

Joel Esler

On Aug 9, 2013, at 12:07 PM, James Lay <jlay () slave-tothe-box net> 


I'm wanting to make sure I have this correct, so here goes.  
to so_rules/src/README:

To use the shared object rules, the rule stub files must be 
To do this, follow these instructions:

 1. Make sure the dynamic preprocessor and dynamic engine paths are
    defined in snort.conf, for example:

 dynamicpreprocessor directory 
 dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so

 2. Make sure the path to the location of the shared object rules is
    also defined in snort.conf, for example:

 dynamicdetection directory /usr/local/lib/snort_dynamicrule

 3. Dump the stub rules by issuing the command:

 snort -c /usr/local/etc/snort/snort.conf

 4. Use a variable to define the path to the stub rules, for 

 var SO_RULE_PATH /usr/local/etc/snort/so_rules

 5. Include the generated stub rule files in snort.conf in the same 
    the regular rules are included, for example:

 include $SO_RULE_PATH/netbios.rules

I use pulledpork, so instead, /opt/etc/rules/so_rules/so_rules.rules 
created...so far so good.  My question is, what happens with the 
.so files?  Do I delete them..move them...something else?  Thanks 
any insight.


Awesome..thanks for the quick response Joel.
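
The README steps quoted in this thread can be sanity-checked before Snort is started. The following is an added example, not part of the original thread and not Snort or PulledPork code: a hypothetical helper, `check_so_rule_config`, that confirms the three dynamic-library directives carry a path and that every `include` resolves its variables. The sample snort.conf is constructed, and its dynamicpreprocessor path is a placeholder.

```python
import re

# Directives from README steps 1 and 2; each must carry a path argument.
DYNAMIC = ("dynamicpreprocessor", "dynamicengine", "dynamicdetection")

def check_so_rule_config(conf_text):
    """Return (problems, resolved_includes) for the text of a snort.conf."""
    found, variables, includes, problems = set(), {}, [], []
    for raw in conf_text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        key, args = parts[0], parts[1:]
        if key in DYNAMIC:
            # Both "<directive> directory <dir>" and "<directive> <file>" occur.
            if args and args[0] in ("directory", "file"):
                args = args[1:]
            if args:
                found.add(key)
            else:
                problems.append(f"{key}: no path given")
        elif key == "var" and len(args) >= 2:
            variables[args[0]] = args[1]
        elif key == "include" and args:
            includes.append(args[0])
    flagged = {p.split(":")[0] for p in problems}
    for key in DYNAMIC:
        if key not in found and key not in flagged:
            problems.append(f"{key}: directive missing")
    resolved = []
    for inc in includes:
        undefined = [v for v in re.findall(r"\$(\w+)", inc) if v not in variables]
        if undefined:
            problems.append(f"include {inc}: undefined variable {undefined[0]}")
        else:
            resolved.append(re.sub(r"\$(\w+)", lambda m: variables[m.group(1)], inc))
    return problems, resolved

# Constructed sample; the dynamicpreprocessor path is a placeholder.
SAMPLE_CONF = """\
dynamicpreprocessor directory /path/to/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/lib/snort_dynamicrule
var SO_RULE_PATH /usr/local/etc/snort/so_rules
include $SO_RULE_PATH/netbios.rules
"""

if __name__ == "__main__":
    print(check_so_rule_config(SAMPLE_CONF))
```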

