Snort mailing list archives

Re: stuck with google is your friend time only


From: Nigel Houghton <nhoughton () sourcefire com>
Date: Thu, 31 Mar 2011 13:05:42 -0400

On Thu, 31 Mar 2011 18:50:25 +0200, Crusty Saint wrote:
Hi Nigel,

Thanks for the reply, I'm no native English speaker ... what's a stub file?
*blush*


Ahh, sorry, my bad. That's what we call the rules that go with the 
shared object binaries. Since they don't contain the detection keywords 
used in normal rules and they are only used to turn the shared object 
rules on and off, we call them stub rules. They look like this:

 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SQL Microsoft SQL Server Backup Database File integer overflow attempt"; sid:13888; gid:3; rev:4; classtype:attempted-admin; flowbits:isset,backup_file.request; reference:cve,2008-0107; reference:url,www.microsoft.com/technet/security/bulletin/MS08-040.mspx; metadata: engine shared, soid 3|13888, policy balanced-ips drop, policy security-ips drop;)

As you can see, it follows the structure of a normal Snort rule, but it 
only contains the meta-data for the rule. You will find them in the 
rules files in the so_rules directory of the rules tarball. They are 
named like the regular Snort rule files, so when you use them you should 
place them in a different directory or rename them so you don't 
overwrite the regular rule files of the same name.

In your snort.conf you should see the SO_RULE_PATH variable and the 
"include" statements later that use this variable to enable the shared 
object rules. You just set the variable and uncomment the rules you 
want to use just like with regular rules.

There's also an old blog post by some dude about how to use them and 
what to put in your snort.conf:

 http://vrt-blog.snort.org/2009/01/using-vrt-certified-shared-object-rules.html

--
Nigel Houghton
Head Mentalist
SF VRT Department of Intelligence Excellence
http://vrt-blog.snort.org/ && http://labs.snort.org/
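
Since the stub's sid/gid and its "soid" metadata are what tie it to the detector in the shared object, a small checker is handy once you start copying and renaming stub files as described above. This is an added example, not from the thread or from Snort's own tooling: it parses stub lines like the one quoted, records which are enabled (uncommented), and flags a stub whose soid does not equal gid|sid; the stubs with sids 90001 and 90002 are constructed samples.

```python
import re

# Constructed sample (not a real so_rules file): the quoted stub, a disabled one, and a bad soid.
STUB_RULES = r'''
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SQL Microsoft SQL Server Backup Database File integer overflow attempt"; sid:13888; gid:3; rev:4; classtype:attempted-admin; flowbits:isset,backup_file.request; reference:cve,2008-0107; reference:url,www.microsoft.com/technet/security/bulletin/MS08-040.mspx; metadata: engine shared, soid 3|13888, policy balanced-ips drop, policy security-ips drop;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE disabled stub"; sid:90001; gid:3; rev:1; metadata: engine shared, soid 3|90001;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE mismatched soid"; sid:90002; gid:3; rev:1; metadata: engine shared, soid 3|90003;)
'''

# One "key:value;" option; the quoted form is tried first so a ';' inside msg is safe.
OPTION_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')

def parse_stub(line):
    """Parse one stub-rule line into a dict; None for blank or non-rule lines."""
    stripped = line.strip()
    body = stripped.lstrip("# ").strip()              # leading '#' = stub left disabled
    start, end = body.find("("), body.rfind(")")
    if start < 0 or end < start or len(body[:start].split()) != 7:
        return None
    rule = {"enabled": not stripped.startswith("#"), "references": [],
            "policies": [], "soid": None, "engine": None}
    for key, val in OPTION_RE.findall(body[start + 1:end]):
        val = val.strip().strip('"')
        if key in ("sid", "gid", "rev"):
            rule[key] = int(val)
        elif key == "reference":
            rule["references"].append(val)
        elif key == "metadata":                       # "engine shared, soid 3|13888, policy ..."
            for item in (x.strip() for x in val.split(",")):
                k, _, v = item.partition(" ")
                if k == "policy":
                    rule["policies"].append(v.strip())
                elif k in ("soid", "engine"):
                    rule[k] = v.strip()
        else:
            rule[key] = val
    return rule

def check_stub(rule):
    """SO stubs use gid 3, carry 'engine shared', and soid must equal gid|sid."""
    expected = f"{rule.get('gid')}|{rule.get('sid')}"
    checks = [(rule.get("gid") == 3, "gid is not 3"),
              (rule["engine"] == "shared", "metadata lacks 'engine shared'"),
              (rule["soid"] == expected, f"soid {rule['soid']} != {expected}")]
    return [msg for ok, msg in checks if not ok]

def audit(text):
    """Map sid -> (enabled, problems) for every stub rule in a stub file's text."""
    rules = (parse_stub(line) for line in text.splitlines())
    return {r["sid"]: (r["enabled"], check_stub(r)) for r in rules if r}
```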
