Snort mailing list archives
[snort-user] Confused about so_rules
From: Mayur Patil <ram.nath241089 () gmail com>
Date: Wed, 4 Sep 2013 14:55:03 +0530
Hi,
If rule files are already present in the directory /etc/snort/so_rules,
why do we need to create them again?
From the manual:
3. Dump the stub rules by issuing the command:
snort -c /etc/snort/snort.conf --dump-dynamic-rules=/etc/snort/so_rules
4. Use a variable to define the path to the stub rules, for example:
var $SO_RULE_PATH /etc/snort/so_rules
My questions are:
*1. What is meant by "dump the stub rules"?*
I have tried to compile from source in the /so_rules/src directory by giving the
make
command, but it is giving an error,
so
*2. How to compile rules directly from so_rules C files? And is it necessary that
we create text rules for so_rules though we have C language rules?*
I have referred these links
http://vrt-blog.snort.org/2009/01/using-vrt-certified-shared-object-rules.html
http://searchitchannel.techtarget.com/tip/How-to-use-shared-object-rules-in-Snort
but
*3. I am not getting how to compile my own so_rules in the C language and use them.*
I am getting the error
snort[3936]: Encoded Rule Plugin SID: 17132, GID: 3 not registered
properly. Disabling this rule.
where I have included the rule in the snort file.
I have referred these links:
http://seclists.org/snort/2012/q2/616
http://forum.pfsense.org/index.php?topic=30289.0
http://comments.gmane.org/gmane.comp.security.ids.snort.general/34197
It's very confusing,
Please guide me,
Thanks !
--
*Cheers,
Mayur*
Current thread:
- [snort-user] Confused about so_rules Mayur Patil (Sep 04)
- Re: [snort-user] Confused about so_rules Joel Esler (Sep 04)
