Snort mailing list archives
Re: Rule performance profiling question
From: Joel Esler <jesler () sourcefire com>
Date: Thu, 16 Sep 2010 11:46:20 -0400
There are many reasons that SO rules are made, ONE of which is that Sourcefire has agreements with organizations that obfuscation of the detection method for those rules is necessary.

SO rules are also "C". This allows a lot more complex detection than is available in the plaintext Snort language. For example, if we have to take two dynamically calculated numbers from two different parsed file formats and compare them to each other.

Joel

On Thu, Sep 16, 2010 at 11:24 AM, waldo kitty <wkitty42 () windstream net> wrote:
> On 9/16/2010 09:07, Andy Berryman wrote:
>> Joel wrote that they "both are SO rules." What does that have to do with it? Does it make a difference that they are SO rules?
>
> yes... because they are GID:3 while the normal text rules in the *.rules files are GID:1... GID:3 are binary and if one is not using them, one cannot locate their SID ;)
>
> with GID:3 being binary, there is also the problem of them having to be distributed in pre-compiled format... that means that they must be compatible with one's kernel and environment... if there are no pre-compiled rules that fit one's kernel and environment, then one cannot use GID:3 rules at all... well, not unless their source is available and can be compiled for one's environment... however, making the source for GID:3 rules available negates the reason for their existence in the first place... that reason is to prevent folk from seeing what is being detected and how so that they cannot work to avoid the detection... IIUC, GID:3 rules detect traffic problems that have not yet been made public...
>
> ------------------------------------------------------------------------------
> Start uncovering the many advantages of virtual appliances and start using them to simplify application deployment and accelerate your shift to cloud computing. http://p.sf.net/sfu/novell-sfdev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
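As an added illustration of the point Joel makes above (example code written for this archive page, not Sourcefire's or Snort's own code, and not the Snort dynamic detection API): a compiled rule can parse two differently encoded headers, derive a number from each, and alert only when the two disagree. The two formats here are invented for the example: "format A" carries a big-endian 16-bit declared size after the magic `AAAA`, and "format B" carries an ASCII decimal declared size terminated by `;` after the magic `BBBB`. The sample payloads in `main` are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <ctype.h>
#include <stdio.h>

/* Hypothetical format A: magic "AAAA" followed by a big-endian uint16 declared size. */
#define MAGIC_A "AAAA"
/* Hypothetical format B: magic "BBBB" followed by an ASCII decimal declared size and ';'. */
#define MAGIC_B "BBBB"

/* Parse a format-A header at the start of buf.
 * Returns the number of bytes consumed, or 0 if the header is absent or truncated. */
static size_t parse_a(const uint8_t *buf, size_t len, uint32_t *declared)
{
    if (len < 6 || memcmp(buf, MAGIC_A, 4) != 0)
        return 0;
    *declared = ((uint32_t)buf[4] << 8) | buf[5];
    return 6;
}

/* Parse a format-B header starting at buf[off].
 * Returns the number of bytes consumed, or 0 if the header is absent, malformed or truncated. */
static size_t parse_b(const uint8_t *buf, size_t len, size_t off, uint32_t *declared)
{
    size_t i;
    uint32_t v = 0;

    if (off + 4 >= len || memcmp(buf + off, MAGIC_B, 4) != 0)
        return 0;
    i = off + 4;
    if (i >= len || !isdigit(buf[i]))
        return 0;
    for (; i < len && isdigit(buf[i]); i++) {
        if (v > (UINT32_MAX - 9) / 10)      /* reject values that would overflow */
            return 0;
        v = v * 10 + (uint32_t)(buf[i] - '0');
    }
    if (i >= len || buf[i] != ';')          /* terminator must be present */
        return 0;
    *declared = v;
    return i + 1 - off;
}

/* Detection logic: both headers must declare the same size.
 * Returns 1 = alert (declared sizes disagree), 0 = consistent, -1 = not parseable (no alert). */
int check_payload(const uint8_t *buf, size_t len)
{
    uint32_t a, b;
    size_t off = parse_a(buf, len, &a);

    if (off == 0)
        return -1;
    if (parse_b(buf, len, off, &b) == 0)
        return -1;
    return a != b ? 1 : 0;
}

int main(void)
{
    /* Constructed sample payloads: consistent (16 == 16) and mismatched (16 != 4096). */
    const uint8_t good[] = "AAAA\x00\x10" "BBBB16;";
    const uint8_t bad[]  = "AAAA\x00\x10" "BBBB4096;";

    printf("consistent payload -> %d\n", check_payload(good, sizeof good - 1));
    printf("mismatched payload -> %d\n", check_payload(bad, sizeof bad - 1));
    return 0;
}
```

A real SO rule is compiled against Snort's dynamic detection engine headers and loaded from the directory named by the `dynamicdetection` directive in snort.conf, which is why it has to match the sensor's platform, as waldo kitty notes; the parsing and comparison above only stand in for the kind of cross-format check Joel describes. Returning -1 rather than 0 for unparseable input keeps "could not evaluate" distinct from "evaluated and clean", which matters when profiling why a rule never fires.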