Snort mailing list archives
Re: Quick question about so_rules. I tried searching first......
From: Joel Esler <joel.esler () me com>
Date: Tue, 16 Mar 2010 18:59:22 -0400
Also, this may help: http://vrt-sourcefire.blogspot.com/2009/01/using-vrt-certified-shared-object-rules.html

Joel

On Mar 16, 2010, at 6:56 PM, Matt Olney wrote:
> Rule stub ->
>
>     alert ip any any -> any any (msg:"BAD-TRAFFIC Windows remote kernel tcp/ip igmp vulnerability exploit attempt"; sid:13287; gid:3; rev:3; classtype:attempted-admin; reference:cve,2007-0069; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-001.mspx; metadata: engine shared, soid 3|13287;)
>
> Don't cat this, it's your compiled detection -->
>
>     /usr/local/lib/snort_dynamicrule/bad-traffic.so
>
> Make sure you have that location in your snort.conf -->
>
>     dynamicdetection directory /usr/local/lib/snort_dynamicrules
>
> (Make sure you know if there is an s or not in snort_dynamicrules; your example didn't have one.)
>
> Let us know how it goes.
>
> Matt
>
> On Tue, Mar 16, 2010 at 5:38 PM, Andy Berryman <aberryman () cymtec com> wrote:
>
>> I tried pulling up the archives, but it's saying it's not activated?
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>
>> Anyway, I'm trying to wrap my head around so_rules and thought I was in the clear, but just want to double check.
>>
>> If we download the subscription release from url = http://www.snort.org/pub-bin/oinkmaster.cgi/oinkcode/snortrules-snapshot-2.8_s.tar.gz and untar it and use the FC-5 rule set, do we still need to generate the stub rules? I'm reading this document, and it's got me confused a little.
>> http://www.snort.org/snort-rules/about-so_rules
>>
>> If I "cat /usr/local/lib/snort_dynamicrule/bad-traffic.so" I get all kinds of gobbledygook on my screen as the rules scroll by. I'm assuming it's b/c they are in programming code. But, if I go to /usr/local/etc/snort/so_rules and cat bad-traffic.rules, I see actual rules scroll by like this one:
>>
>>     alert ip any any -> any any (msg:"BAD-TRAFFIC Windows remote kernel tcp/ip igmp vulnerability exploit attempt"; sid:13287; gid:3; rev:3; classtype:attempted-admin; reference:cve,2007-0069; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-001.mspx; metadata: engine shared, soid 3|13287;)
>>
>> So, does this mean my rules and rule stubs are being generated correctly? Or since we are using the precompiled FC-5 rules, do I even need to worry about them being generated? Do I just need to make sure my snort_dynamicrule directory is there and the so_rules are there from the FC-5 so_rules directory?
>>
>> Thanks,
>> Andy Berryman
>>
>> ------------------------------------------------------------------------------
>> Download Intel® Parallel Studio Eval
>> Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance. See why Intel Parallel Studio got high marks during beta.
>> http://p.sf.net/sfu/intel-sw-dev
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users () lists sourceforge net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Joel Esler
http://blog.joelesler.net
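The thread turns on three things agreeing with each other: the stub's gid/sid must match the soid in its metadata, the dynamicdetection directory in snort.conf must name the directory that actually holds the compiled .so files, and the trailing-s spelling of that directory must match on both sides. The following Python script is an added example written for this archive page; it is not part of any message in the thread and not Snort's own tooling. It assumes constructed inputs (a snort.conf fragment, two stub rules of which the second is deliberately inconsistent, and a throwaway directory tree with an empty placeholder standing in for bad-traffic.so) and checks all three points, including flagging the snort_dynamicrule/snort_dynamicrules mismatch Matt points out.

```python
"""Sanity checks for Snort shared-object (SO) rules: stub/soid agreement and the
dynamicdetection directory in snort.conf. Added example; all inputs are constructed."""
import os
import re
import shutil
import tempfile

# Constructed snort.conf fragment (not from a real install). Note the trailing 's'.
SAMPLE_CONF = """\
# snort.conf fragment (constructed sample)
dynamicdetection directory /usr/local/lib/snort_dynamicrules
include $SO_RULE_PATH/bad-traffic.rules
"""

# Constructed stub rules: the first mirrors the stub quoted in the thread; the second
# is deliberately inconsistent (its sid does not match its soid) to show the check firing.
SAMPLE_STUBS = """\
alert ip any any -> any any (msg:"BAD-TRAFFIC Windows remote kernel tcp/ip igmp vulnerability exploit attempt"; sid:13287; gid:3; rev:3; classtype:attempted-admin; reference:cve,2007-0069; metadata: engine shared, soid 3|13287;)
# constructed, deliberately broken stub
alert tcp any any -> any any (msg:"EXAMPLE broken stub"; sid:99999; gid:3; rev:1; metadata: engine shared, soid 3|88888;)
"""

DYNDET_RE = re.compile(r"^\s*dynamicdetection\s+directory\s+(\S+)", re.M)
STUB_RE = re.compile(r"sid:(\d+);.*?gid:(\d+);.*?metadata:\s*engine\s+shared,\s*soid\s+(\d+)\|(\d+)")


def dynamicdetection_dirs(conf_text):
    """Every directory named by a 'dynamicdetection directory' line in snort.conf."""
    return DYNDET_RE.findall(conf_text)


def check_stubs(stub_text):
    """Parse stub rules; return (consistent (gid, sid) pairs, list of problem strings).

    A stub only tells Snort which compiled detection (the soid) to load, so its
    gid/sid must match the soid or the alert will not map to the right .so entry."""
    ok, problems = [], []
    for lineno, line in enumerate(stub_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = STUB_RE.search(line)
        if not m:
            problems.append(f"line {lineno}: no 'engine shared, soid' metadata; not an SO stub")
            continue
        sid, gid, so_gid, so_sid = map(int, m.groups())
        if (gid, sid) != (so_gid, so_sid):
            problems.append(f"line {lineno}: gid:{gid} sid:{sid} does not match soid {so_gid}|{so_sid}")
        else:
            ok.append((gid, sid))
    return ok, problems


def resolve_so_directory(path):
    """Return (existing directory or None, note). If `path` is missing but a sibling that
    differs only by a trailing 's' exists, point at it: that spelling mismatch between
    snort.conf and the install directory is exactly the slip the thread warns about."""
    if os.path.isdir(path):
        return path, "ok"
    alt = path[:-1] if path.endswith("s") else path + "s"
    if os.path.isdir(alt):
        return alt, f"{path} not found; did you mean {alt}?"
    return None, f"{path} not found"


def list_so_files(directory):
    """Compiled detection libraries present in the dynamicdetection directory."""
    return sorted(f for f in os.listdir(directory) if f.endswith(".so"))


def demo():
    """Reproduce the trailing-'s' mismatch in a throwaway tree and run all checks."""
    root = tempfile.mkdtemp()
    try:
        so_dir = os.path.join(root, "snort_dynamicrule")  # installed without the 's'
        os.makedirs(so_dir)
        # Empty placeholder standing in for the compiled bad-traffic.so (constructed).
        open(os.path.join(so_dir, "bad-traffic.so"), "wb").close()
        conf = SAMPLE_CONF.replace("/usr/local/lib/snort_dynamicrules",
                                   os.path.join(root, "snort_dynamicrules"))
        configured = dynamicdetection_dirs(conf)[0]
        resolved, note = resolve_so_directory(configured)
        stubs_ok, stub_problems = check_stubs(SAMPLE_STUBS)
        return {
            "configured": configured,
            "resolved": resolved,
            "note": note,
            "so_files": list_so_files(resolved) if resolved else [],
            "stubs_ok": stubs_ok,
            "stub_problems": stub_problems,
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it as-is and `note` reports the configured snort_dynamicrules path as missing with the snort_dynamicrule sibling suggested instead, `so_files` lists the placeholder library found there, and `stub_problems` carries the one constructed stub whose sid disagrees with its soid. Against a real install, point `SAMPLE_CONF` and `SAMPLE_STUBS` at the contents of snort.conf and the so_rules/*.rules stubs; the stubs are plain text and safe to read, while the .so files are only ever listed, never cat'ed, which is the distinction the thread draws.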
Current thread:
- Quick question about so_rules. I tried searching first...... Andy Berryman (Mar 16)
- Re: Quick question about so_rules. I tried searching first...... Joel Esler (Mar 16)
- Re: Quick question about so_rules. I tried searching first...... Matt Olney (Mar 16)
- Re: Quick question about so_rules. I tried searching first...... Joel Esler (Mar 16)