Snort mailing list archives
Re: [Snort-sigs] VRT SO Rules for FreeBSD/amd64
From: Nigel Houghton <nhoughton () sourcefire com>
Date: Mon, 7 Feb 2011 14:22:01 -0500
On Mon, 7 Feb 2011 14:00:35 -0500, Michael Scheidell wrote:
> This is why it's so confusing. And I don't think this really works. I have tried, several times over the years, and gave up long ago on so_rules. On the web site, it says: (is this wrong?)
>
>   Using VRT Certified Shared Object Rules
>
>   In order to instantiate shared object rules, a rule stub file is required. These stub files are not distributed in the VRT Certified rule packs; however, they can be generated using snort. Here is an example showing the pertinent configuration options in snort.conf along with the command line option required to generate the stub files. In some installations, the files may well reside in /etc/; this example uses /usr/local/etc as the location for the configuration files.
>
>   In snort.conf
>
>   First set up some global variables:
>
>     var CONF_PATH /usr/local/etc/snort
>     var LIB_PATH /usr/local/lib
>     var SORULE_PATH $CONF_PATH/so_rules
>
>   Dynamic preprocessor and dynamic engine information:
>
>     dynamicpreprocessor directory $LIB_PATH/snort_dynamicpreprocessor
>     dynamicengine $LIB_PATH/snort_dynamicengine/libsf_engine.so
>
>   Here is the configuration option that lists the location of the shared object files that snort is to use:
>
>     dynamicdetection directory $LIB_PATH/snort_dynamicrule
>
>   Dumping the rules
>
>   To dump the rule stub files into the required location, the --dump-dynamic-rules option is used like so:
>
>     snort -c /usr/local/etc/snort/snort.conf --dump-dynamic-rules=/usr/local/etc/snort/so_rules
>
>   This command tells snort to use the snort.conf file, where it will find the dynamic rule files (thanks to the configuration options above), and then use those files to generate the stub files and put them into /usr/local/etc/snort/so_rules/
>
>   After this is complete, the rule files appear in the directory.
>
>     # ls /usr/local/etc/snort/so_rules/
>     bad-traffic.rules  imap.rules        nntp.rules    web-client.rules
>     chat.rules         misc.rules        p2p.rules     web-misc.rules
>     dos.rules          multimedia.rules  smtp.rules
>     exploit.rules      netbios.rules     sql.rules
>
> I do that, and this happens:
>
>   scanner2.secnap.com# snort -c /usr/local/etc/snort/snort.conf --dump-dynamic-rules=/usr/local/etc/snort/so_rules
>   Running in Rule Dump mode
>
>           --== Initializing Snort ==--
>   Initializing Output Plugins!
>   Initializing Preprocessors!
>   Initializing Plug-ins!
>   Parsing Rules file "/usr/local/etc/snort/snort.conf"
>   [snip]
>   WARNING: ip4 normalizations disabled because not inline
>   WARNING: tcp normalizations disabled because not inline
>   WARNING: icmp4 normalizations disabled because not inline
>   Frag3 global config:
>   [snip]
>   Dumping dynamic rules...
>   Finished dumping dynamic rules.
>   Snort exiting
>   scanner2.secnap.com# pwd
>   /usr/local/etc/snort
>   cd /usr/local/etc/snort/so_rules
>   scanner2.secnap.com# ls
>   cd /usr/local/etc/snort/so_rules
>   /usr/local/etc/snort/so_rules: No such file or directory.
>   scanner2.secnap.com# mkdir /usr/local/etc/snort/so_rules
>   scanner2.secnap.com# snort -c /usr/local/etc/snort/snort.conf --dump-dynamic-rules=/usr/local/etc/snort/so_rules
>   Running in Rule Dump mode
>
> Still nothing there.
We'll take a look at the --dump-dynamic-rules option. The website text is out of date, though: as part of the shared object rule build process, the rule stubs are generated and shipped with the tarballs. They have been for some time; it prevents the problems some folks were having when trying to dump SO rule stubs, or forgetting to do so. That said, the option above should work.

--
Nigel Houghton
Head Mentalist SF VRT
Department of Intelligence Excellence
http://vrt-blog.snort.org/ && http://labs.snort.org/
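An added pre-flight check for the stub-dump procedure quoted above (example script written for this page, not code from the thread or from the Snort project): it resolves the "var" definitions in snort.conf, confirms the dynamicdetection directory actually contains .so files, and confirms the stub output directory exists and is writable before --dump-dynamic-rules is run. It assumes the snort.conf layout quoted from the website text; the function names are its own.

```shell
#!/bin/sh
# Added example: pre-flight checks for "snort --dump-dynamic-rules".
# Assumes snort.conf uses "var NAME VALUE" lines and a
# "dynamicdetection directory ..." line as in the quoted website text.
# All function names here are this example's own.

has_dollar() { case $1 in *'$'*) return 0 ;; *) return 1 ;; esac; }

# Replace $NAME references in $2 using the var lines of snort.conf $1.
# Up to 5 passes handle nested definitions like $CONF_PATH/so_rules.
resolve_conf_path() {
    conf=$1; out=$2; pass=0
    while [ "$pass" -lt 5 ] && has_dollar "$out"; do
        while read -r kw name val; do
            [ "$kw" = "var" ] || continue
            out=$(printf '%s' "$out" | sed "s|\\\$$name|$val|g")
        done < "$conf"
        pass=$((pass + 1))
    done
    printf '%s\n' "$out"
}

# Directory named by "dynamicdetection directory ...", variables resolved.
so_rule_dir() {
    raw=$(sed -n 's/^dynamicdetection[[:space:]]\{1,\}directory[[:space:]]\{1,\}//p' "$1" | head -n 1)
    resolve_conf_path "$1" "$raw"
}

# Number of shared-object rule files snort would load from directory $1.
count_so_files() {
    [ -d "$1" ] || { echo 0; return 0; }
    find "$1" -maxdepth 1 -name '*.so' | wc -l | tr -d ' '
}

# Exit status: 0 = ready, 1 = no .so files found, 2 = stub dir not writable.
check_stub_dump_ready() {
    conf=$1; stubdir=$2
    n=$(count_so_files "$(so_rule_dir "$conf")")
    [ "$n" -gt 0 ] || return 1
    [ -d "$stubdir" ] && [ -w "$stubdir" ] || return 2
    return 0
}

# Typical use (paths as in the quoted snort.conf):
# check_stub_dump_ready /usr/local/etc/snort/snort.conf /usr/local/etc/snort/so_rules \
#   && snort -c /usr/local/etc/snort/snort.conf --dump-dynamic-rules=/usr/local/etc/snort/so_rules
```

A result of 1 means snort found no shared objects to load under the configured directory, so "Finished dumping dynamic rules." will produce no stub files; a result of 2 matches the "No such file or directory" case in the quoted session.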