Snort mailing list archives
Re: Difference between Dynamic library rules vs regular rules in snort.conf?
From: "Crook, Parker" <Parker_Crook () reyrey com>
Date: Thu, 22 Jul 2010 12:25:35 -0400
Seconded... I got the same understanding from the class... the rulesets are not functionally equivalent, and as such both rulesets should be run if you want to have the maximum coverage possible in those domains.

-Parker

_____
From: Jefferson, Shawn [mailto:Shawn.Jefferson () bcferries com]
Sent: Thursday, July 22, 2010 12:11 PM
To: Chan, Wilson; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Difference between Dynamic library rules vs regular rules in snort.conf?

I was told, in a SourceFire training course (Snort Rule Writing Best Practices, which I highly recommend!) by the instructor that all the stuff in the so_rules was also in the text rules and that you didn't need to run the so_rules.

My understanding (from asking on this list), and I brought it up in the class, is that you DO have to run both rulesets to have complete protection, since some vulnerabilities/rules are not made public by VRT/SourceFire due to agreements with vendors, and those rules are ONLY in the so_rules. So, IMO, it's important to run both rulesets.

Although I understand the reasoning behind the so_rule format, it's annoying that you can't see into the rule. I find myself doing that a lot when I see an alert to try to understand why it fired... The [rule] link in BASE is great for this, but for so_rules it doesn't tell you much.

_____
From: Chan, Wilson [mailto:wchan () honolulu gov]
Sent: Wednesday, July 21, 2010 5:08 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Difference between Dynamic library rules vs regular rules in snort.conf?

What's the difference from the regular rules vs the so_rules? Can you enable both? Thanks!

include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/chat.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/multimedia.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/p2p.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/web-activex.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-misc.rules

# dynamic library rules
# include $SO_RULE_PATH/bad-traffic.rules
# include $SO_RULE_PATH/chat.rules
# include $SO_RULE_PATH/dos.rules
# include $SO_RULE_PATH/exploit.rules
# include $SO_RULE_PATH/imap.rules
# include $SO_RULE_PATH/misc.rules
# include $SO_RULE_PATH/multimedia.rules
# include $SO_RULE_PATH/netbios.rules
# include $SO_RULE_PATH/nntp.rules
# include $SO_RULE_PATH/p2p.rules
# include $SO_RULE_PATH/smtp.rules
# include $SO_RULE_PATH/sql.rules
# include $SO_RULE_PATH/web-activex.rules
# include $SO_RULE_PATH/web-client.rules
# include $SO_RULE_PATH/web-misc.rules

Wilson Chan
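As an added example, not written by anyone in this thread: a small POSIX shell check that lists the rule categories enabled via $RULE_PATH whose $SO_RULE_PATH counterpart is absent or still commented out, so a snort.conf like the one above can be audited against the "run both rulesets" advice. The snort.conf fragment it reads is constructed here, and the include-line forms it matches are assumed to be the standard `include $RULE_PATH/<cat>.rules` / `include $SO_RULE_PATH/<cat>.rules`.

```shell
#!/bin/sh
# Added example: report categories where the text ruleset is active but the
# shared-object (so_rules) ruleset for the same category is not.
# Assumes the standard "include $RULE_PATH/<cat>.rules" and
# "include $SO_RULE_PATH/<cat>.rules" include forms in snort.conf.

# Constructed sample snort.conf fragment, modelled on the one in the thread:
# exploit has both includes active, the other two have so_rules commented out.
SAMPLE_CONF="${TMPDIR:-/tmp}/snort-so-check.$$.conf"
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/web-client.rules
# dynamic library rules
# include $SO_RULE_PATH/bad-traffic.rules
include $SO_RULE_PATH/exploit.rules
# include $SO_RULE_PATH/web-client.rules
EOF

# active_categories VAR FILE: print the <cat> of every uncommented
# "include $VAR/<cat>.rules" line in FILE, one per line, sorted and unique.
active_categories() {
    grep -E "^[[:space:]]*include[[:space:]]+\\\$$1/[^/]+\\.rules[[:space:]]*\$" "$2" \
        | sed 's|.*/||; s|\.rules.*||' | sort -u
}

# so_rules_missing FILE: categories enabled under $RULE_PATH but not under
# $SO_RULE_PATH (comm -23 keeps lines present only in the first list).
so_rules_missing() {
    conf="$1"
    active_categories RULE_PATH "$conf" > "$conf.txt"
    active_categories SO_RULE_PATH "$conf" > "$conf.so"
    comm -23 "$conf.txt" "$conf.so"
    rm -f "$conf.txt" "$conf.so"
}

# Stand-alone run: prints "bad-traffic" and "web-client" for the sample above.
so_rules_missing "$SAMPLE_CONF"
```

Point it at a real snort.conf to see which categories the text rules cover without their so_rules counterpart enabled.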