Snort mailing list archives
Clarification on so_rules
From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 09 Aug 2013 10:07:42 -0600
All,
I'm wanting to make sure I have this correct, so here goes. According
to so_rules/src/README:
To use the shared object rules, the rule stub files must be generated.
To do this, follow these instructions:
1. Make sure the dynamic preprocessor and dynamic engine paths are
defined in snort.conf, for example:

    dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor
    dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so

2. Make sure the path to the location of the shared object rules is
also defined in snort.conf, for example:

    dynamicdetection directory /usr/local/lib/snort_dynamicrule

3. Dump the stub rules by issuing the command:

    snort -c /usr/local/etc/snort/snort.conf --dump-dynamic-rules=/usr/local/etc/snort/so_rules

4. Use a variable to define the path to the stub rules, for example:

    var SO_RULE_PATH /usr/local/etc/snort/so_rules

5. Include the generated stub rule files in snort.conf in the same way
the regular rules are included, for example:

    include $SO_RULE_PATH/netbios.rules
I use pulledpork, so instead, /opt/etc/rules/so_rules/so_rules.rules is
created... so far so good. My question is, what happens with the actual
.so files? Do I delete them... move them... something else? Thanks for
any insight.
James
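The five README steps quoted above amount to a snort.conf contract: the dynamic preprocessor, engine and detection paths must be declared, a stub-rule path variable must exist, and the generated stubs must be included. The following script is an added example, not part of James's post or of the Snort README; it checks a snort.conf for those directives before the `--dump-dynamic-rules` step and builds the dump command from the `SO_RULE_PATH` value it finds. The directive names and paths are the README's own examples; the two sample snort.conf files are constructed here, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the README or the original post): verify that a
# snort.conf carries every directive the so_rules README requires before
# --dump-dynamic-rules is run, and derive the dump command from it.
# The config contents below are constructed for demonstration.

# Return 0 if $1 (a snort.conf) contains all five required directives,
# otherwise list the missing ones on stderr and return 1.
so_rules_conf_check() {
    conf="$1"
    missing=""
    grep -Eq '^[[:space:]]*dynamicpreprocessor[[:space:]]+directory[[:space:]]+' "$conf" \
        || missing="$missing dynamicpreprocessor"
    grep -Eq '^[[:space:]]*dynamicengine[[:space:]]+' "$conf" \
        || missing="$missing dynamicengine"
    grep -Eq '^[[:space:]]*dynamicdetection[[:space:]]+directory[[:space:]]+' "$conf" \
        || missing="$missing dynamicdetection"
    grep -Eq '^[[:space:]]*var[[:space:]]+SO_RULE_PATH[[:space:]]+' "$conf" \
        || missing="$missing SO_RULE_PATH"
    grep -Eq '^[[:space:]]*include[[:space:]]+\$SO_RULE_PATH/' "$conf" \
        || missing="$missing include"
    if [ -n "$missing" ]; then
        echo "snort.conf is missing:$missing" >&2
        return 1
    fi
    return 0
}

# Print the README's step-3 command, pointing --dump-dynamic-rules at the
# directory named by SO_RULE_PATH so the stubs land where step 5 includes them.
so_rules_dump_cmd() {
    conf="$1"
    stub_dir=$(sed -n 's/^[[:space:]]*var[[:space:]]\{1,\}SO_RULE_PATH[[:space:]]\{1,\}//p' "$conf" | head -n 1)
    [ -n "$stub_dir" ] || return 1
    printf 'snort -c %s --dump-dynamic-rules=%s\n' "$conf" "$stub_dir"
}

# Constructed sample configs: one complete, one that forgets the
# dynamicdetection directory and the include line.
tmpdir=$(mktemp -d)
good="$tmpdir/good.conf"
bad="$tmpdir/bad.conf"
cat > "$good" <<'EOF'
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /usr/local/lib/snort_dynamicrule
var SO_RULE_PATH /usr/local/etc/snort/so_rules
include $SO_RULE_PATH/netbios.rules
EOF
cat > "$bad" <<'EOF'
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
var SO_RULE_PATH /usr/local/etc/snort/so_rules
EOF

if so_rules_conf_check "$good"; then
    so_rules_dump_cmd "$good"
fi
so_rules_conf_check "$bad" || echo "bad.conf is not ready for --dump-dynamic-rules"
```

The check is keyed to the directive names the README uses, so a pulledpork layout like the one described in the post, where the stub file is so_rules.rules under /opt/etc/rules/so_rules, only changes the `SO_RULE_PATH` value and the include target, not the check itself.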
