Snort mailing list archives

Re: ASN1 question


From: Joel Esler <jesler () sourcefire com>
Date: Wed, 19 Dec 2012 16:18:59 -0500

On Dec 19, 2012, at 2:51 PM, Eric G <eric () nixwizard net> wrote:

> On Dec 18, 2012 3:40 PM, "Patrick Mullen" <pmullen () sourcefire com> wrote:
>
>> James,
>>
>> ASN.1 stuff really has to be done using an SO rule.
>
> I don't mean to thread hijack, but I thought SO rules were used solely for rule obfuscation... your reply to the
> original question kind of implies more advanced rule logic can be rolled into SO rules, presumably at the expense of
> some performance in rule processing. Is that correct?
>
> I'm just trying to strengthen my Snort Kung Fu a bit... didn't know SO rules can be used like that

SO rules are rules written in C.  Their main use is to do things in Snort that you can't do in a regular rule language:
complex math, loops, advanced comparison stuff.

Someone has gone out on the internet and said that SO rules are strictly used for hiding things, spreading FUD around,
and it's gotten around so much that you wind up being lied to and having to believe what you are told.

We used to use (and still do for very, very few things) SO rules to obfuscate detection that we would receive advance
notice about from certain vendors.  But we haven't put out an obfuscated SO rule for that type of stuff for almost two
years.

We can also put out rules for vulnerabilities that we discovered and reported but that vendors have not fixed yet, so
that people are protected.  But the primary use of SO rules (and the large majority of SO rules) is for extremely
complex detection that can't be done via the Snort rule language, regardless of platform.

We still have been releasing SO rules (with their source code, right in the tarball!) for complex things that no other
engine can cover.  We try to avoid SO rules at all costs, but sometimes it's the only correct way to write detection
for vulnerabilities, and we have to do it.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
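As an added illustration of the "loops, math and comparisons" point above, and of why the ASN.1 question at the top of the thread lands in SO-rule territory: the following stand-alone C routine is not from the thread and is not Sourcefire's rule code, and it does not use Snort's SO rule API (no sf_snort_plugin_api.h, no Rule/RuleOption structures); it only shows the kind of logic such a rule body would carry. It decodes BER tag/length headers, walks sibling elements, and flags any element whose declared length exceeds the bytes actually left in the payload or a hypothetical per-rule ceiling. Snort's rule language does have an `asn1` keyword with `oversize_length`, but anything past its fixed checks (walking siblings, comparing decoded lengths against each other) needs exactly this sort of code. The function names (`ber_header`, `eval_oversize_ber`), the `RULE_MATCH`/`RULE_NOMATCH` codes and the sample byte strings are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not Snort's SO rule API: a stand-alone C routine showing the
 * loop-and-arithmetic detection logic an ASN.1 SO rule needs. The names
 * below (ber_header, eval_oversize_ber, the sample buffers) are hypothetical. */

enum { RULE_NOMATCH = 0, RULE_MATCH = 1 };

/* Decode one BER tag + length header from buf[0..len).
 * Returns the number of header bytes consumed, or 0 if the header is
 * truncated or malformed. On success *content_len holds the declared length. */
static size_t ber_header(const uint8_t *buf, size_t len, size_t *content_len)
{
    size_t pos = 0;

    if (len < 2)
        return 0;

    /* High-tag-number form: low five bits all set, then continuation bytes
     * with bit 8 set, terminated by a byte with bit 8 clear. */
    if ((buf[0] & 0x1f) == 0x1f) {
        pos = 1;
        while (pos < len && (buf[pos] & 0x80))
            pos++;
        if (pos >= len)
            return 0;               /* tag runs off the end of the buffer */
    }
    pos++;                          /* step past the last tag byte */
    if (pos >= len)
        return 0;                   /* no length byte at all */

    uint8_t lb = buf[pos++];
    if (lb < 0x80) {                /* short form: the byte is the length */
        *content_len = lb;
        return pos;
    }
    if (lb == 0x80)
        return 0;                   /* indefinite length: not handled here */

    size_t n = lb & 0x7f;           /* long form: n length bytes follow */
    if (n > sizeof(size_t) || n > len - pos)
        return 0;                   /* wider than we can hold, or truncated */

    size_t l = 0;
    for (size_t i = 0; i < n; i++) /* big-endian accumulate */
        l = (l << 8) | buf[pos++];
    *content_len = l;
    return pos;
}

/* Walk the sibling TLVs in payload and alert if any element declares a
 * content length larger than the bytes actually left, or larger than
 * max_len (a hypothetical per-rule ceiling). Constructed elements are
 * stepped over, not descended into. */
int eval_oversize_ber(const uint8_t *payload, size_t len, size_t max_len)
{
    size_t pos = 0;

    while (pos < len) {
        size_t clen = 0;
        size_t hdr = ber_header(payload + pos, len - pos, &clen);

        if (hdr == 0)
            return RULE_NOMATCH;    /* unparseable header: do not guess */
        if (clen > max_len || clen > len - pos - hdr)
            return RULE_MATCH;
        pos += hdr + clen;          /* cannot overflow: clen was bounded above */
    }
    return RULE_NOMATCH;
}

/* Constructed sample payloads (not captured traffic). */
const uint8_t sample_wellformed[]    = { 0x30, 0x03, 0x02, 0x01, 0x05 };             /* SEQUENCE { INTEGER 5 } */
const uint8_t sample_short_payload[] = { 0x02, 0x01, 0x05, 0x04, 0x02, 0x41 };       /* OCTET STRING claims 2, has 1 */
const uint8_t sample_huge_length[]   = { 0x30, 0x84, 0xff, 0xff, 0xff, 0xff };       /* long form, ~4 GB declared */
const uint8_t sample_truncated[]     = { 0x30, 0x81 };                               /* length byte missing */
const uint8_t sample_high_tag[]      = { 0x1f, 0x81, 0x05, 0x01, 0x00 };             /* two-byte tag, length 1 */

int main(void)
{
    size_t ceiling = 4096;
    printf("wellformed:    %d\n", eval_oversize_ber(sample_wellformed, sizeof sample_wellformed, ceiling));
    printf("short payload: %d\n", eval_oversize_ber(sample_short_payload, sizeof sample_short_payload, ceiling));
    printf("huge length:   %d\n", eval_oversize_ber(sample_huge_length, sizeof sample_huge_length, ceiling));
    printf("truncated:     %d\n", eval_oversize_ber(sample_truncated, sizeof sample_truncated, ceiling));
    printf("high tag:      %d\n", eval_oversize_ber(sample_high_tag, sizeof sample_high_tag, ceiling));
    return 0;
}
```

The design choice worth noting is that an unparseable header returns no match rather than a match: a detection routine that alerts on every byte string it cannot decode will fire on fragments and non-ASN.1 traffic, so the rule only asserts what it has actually decoded. A real SO rule would receive the packet and buffer from Snort's API instead of the raw arrays used here.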
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!