Snort mailing list archives
Re: Difference between Dynamic library rules vs regular rules in snort.conf?
From: Joel Esler <jesler () sourcefire com>
Date: Thu, 22 Jul 2010 13:26:44 -0400
No, there shouldn't be.

On Jul 22, 2010, at 1:18 PM, Jason Wallace wrote:

While both gid:1 and gid:3 rules are needed, there is some overlap with gid:1, gid:3, and preprocessor rules though, right? It would be nice to have those overlaps identified somewhere.

Wally

On Thu, Jul 22, 2010 at 12:28 PM, Joel Esler <jesler () sourcefire com> wrote:

You DO have to run them both. That's correct.

On Jul 22, 2010, at 12:10 PM, Jefferson, Shawn wrote:

I was told, in a SourceFire training course (Snort Rule Writing Best Practices, which I highly recommend!) by the instructor that all the stuff in the so_rules was also in the text rules and that you didn’t need to run the so_rules. My understanding (from asking on this list), and I brought it up in the class, is that you DO have to run both rulesets to have complete protection, since some vulnerabilities/rules are not made public by VRT/SourceFire due to agreements with vendors, and those rules are ONLY in the so_rules. So, IMO, it’s important to run both rulesets.

Although I understand the reasoning behind the so_rule format, it’s annoying that you can’t see into the rule. I find myself doing that a lot when I see an alert to try to understand why it fired… The [rule] link in BASE is great for this, but for so_rules it doesn’t tell you much.

________________________________
From: Chan, Wilson [mailto:wchan () honolulu gov]
Sent: Wednesday, July 21, 2010 5:08 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Difference between Dynamic library rules vs regular rules in snort.conf?

What’s the difference from the regular rules vs the so_rules? Can you enable both? Thanks!
    include $RULE_PATH/bad-traffic.rules
    include $RULE_PATH/chat.rules
    include $RULE_PATH/dos.rules
    include $RULE_PATH/exploit.rules
    include $RULE_PATH/imap.rules
    include $RULE_PATH/misc.rules
    include $RULE_PATH/multimedia.rules
    include $RULE_PATH/netbios.rules
    include $RULE_PATH/nntp.rules
    include $RULE_PATH/p2p.rules
    include $RULE_PATH/smtp.rules
    include $RULE_PATH/sql.rules
    include $RULE_PATH/web-activex.rules
    include $RULE_PATH/web-client.rules
    include $RULE_PATH/web-misc.rules

    # dynamic library rules
    # include $SO_RULE_PATH/bad-traffic.rules
    # include $SO_RULE_PATH/chat.rules
    # include $SO_RULE_PATH/dos.rules
    # include $SO_RULE_PATH/exploit.rules
    # include $SO_RULE_PATH/imap.rules
    # include $SO_RULE_PATH/misc.rules
    # include $SO_RULE_PATH/multimedia.rules
    # include $SO_RULE_PATH/netbios.rules
    # include $SO_RULE_PATH/nntp.rules
    # include $SO_RULE_PATH/p2p.rules
    # include $SO_RULE_PATH/smtp.rules
    # include $SO_RULE_PATH/sql.rules
    # include $SO_RULE_PATH/web-activex.rules
    # include $SO_RULE_PATH/web-client.rules
    # include $SO_RULE_PATH/web-misc.rules

Wilson Chan

------------------------------------------------------------------------------
This SF.net email is sponsored by Sprint
What will you do first with EVO, the first 4G phone?
Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
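The thread's point is that a snort.conf like Wilson's, with every $SO_RULE_PATH include commented out, silently drops the vendor-embargoed coverage that only exists in the so_rules. The following audit script is an added example (not from the thread or from Snort itself) that parses a constructed snort.conf excerpt modelled on that paste, reports each rules file enabled under $RULE_PATH but not under $SO_RULE_PATH, and can uncomment the matching so_rules includes; it only inspects include lines and does not verify that the files exist on disk.

```python
"""Audit snort.conf for text-rule includes whose so_rules counterpart is off."""
import re
from typing import Dict, List

# Constructed snort.conf excerpt (not the poster's full file): text rules are
# active, the dynamic (so_rules) includes are mostly commented out.
SAMPLE_CONF = """\
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/web-client.rules
# dynamic library rules
# include $SO_RULE_PATH/bad-traffic.rules
include $SO_RULE_PATH/exploit.rules
# include $SO_RULE_PATH/web-client.rules
"""

# Group 1 is the optional leading '#' (disabled), group 2 the path variable,
# group 3 the rules file name.
INCLUDE_RE = re.compile(r"^\s*(#\s*)?include\s+\$(RULE_PATH|SO_RULE_PATH)/(\S+)\s*$")


def parse_includes(conf_text: str) -> Dict[str, Dict[str, bool]]:
    """Return {path_var: {rules_file: enabled}} for every include line found."""
    found: Dict[str, Dict[str, bool]] = {"RULE_PATH": {}, "SO_RULE_PATH": {}}
    for line in conf_text.splitlines():
        m = INCLUDE_RE.match(line)
        if m:
            commented, var, name = m.groups()
            found[var][name] = commented is None
    return found


def missing_so_rules(conf_text: str) -> List[str]:
    """Rules files enabled under $RULE_PATH but not enabled under $SO_RULE_PATH."""
    inc = parse_includes(conf_text)
    text_on = {n for n, on in inc["RULE_PATH"].items() if on}
    so_on = {n for n, on in inc["SO_RULE_PATH"].items() if on}
    return sorted(text_on - so_on)


def enable_so_rules(conf_text: str) -> str:
    """Uncomment '# include $SO_RULE_PATH/x.rules' for each x.rules reported
    by missing_so_rules(); every other line is passed through unchanged."""
    wanted = set(missing_so_rules(conf_text))
    out = []
    for line in conf_text.splitlines():
        m = INCLUDE_RE.match(line)
        if m and m.group(1) and m.group(2) == "SO_RULE_PATH" and m.group(3) in wanted:
            line = f"include $SO_RULE_PATH/{m.group(3)}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for name in missing_so_rules(SAMPLE_CONF):
        print(f"so_rules counterpart not enabled: {name}")
```

Files that exist only as text rules (no so_rules include line at all) are still reported, which is intended: the report is "what so_rules coverage is not loaded", not "what is commented out".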
Current thread:
- Difference between Dynamic library rules vs regular rules in snort.conf? Chan, Wilson (Jul 21)
- Re: Difference between Dynamic library rules vs regular rules in snort.conf? Joel Esler (Jul 21)
- Re: Difference between Dynamic library rules vs regular rules in snort.conf? Joel Esler (Jul 21)
- Re: Difference between Dynamic library rules vs regular rules in snort.conf? Jefferson, Shawn (Jul 22)
- Re: Difference between Dynamic library rules vs regular rules in snort.conf? Crook, Parker (Jul 22)
- Re: Difference between Dynamic library rules vs regular rules in snort.conf? Joel Esler (Jul 22)
- Re: Difference between Dynamic library rules vs regular rules in snort.conf? Jason Wallace (Jul 22)
- Re: Difference between Dynamic library rules vs regular rules in snort.conf? Joel Esler (Jul 22)
- Re: Difference between Dynamic library rules vs regular rules in snort.conf? Alan Ptak (Jul 22)
- Re: Difference between Dynamic library rules vs regular rules in snort.conf? Jason Wallace (Jul 22)
- Re: Difference between Dynamic library rules vs regular rules in snort.conf? Joel Esler (Jul 22)
- Re: Difference between Dynamic library rules vs regular rules in snort.conf? Jason Wallace (Jul 22)
- Re: Difference between Dynamic library rules vs regular rules in snort.conf? Joel Esler (Jul 22)