Snort mailing list archives

Re: Precompiled so_rules for debian 8 (snortrules-snapshot-2980.tar.gz)


From: wkitty42 () windstream net
Date: Thu, 18 Feb 2016 06:24:44 -0500

On 02/18/2016 05:18 AM, Balasubramaniam Natarajan wrote:
> On Tue, Feb 16, 2016 at 10:54 PM, <wkitty42 () windstream net> wrote:
>
> > IIRC, compiling them should be as simple as running make... that means a build
> > environment which is generally undesirable on a security device but one could
> > easily have a central server that pulls the rules, compiles the so_rules and
> > then all the sensors pull from that central server instead of from outside
> > servers...
>
> I don't think Sourcefire or now Cisco would ship the source code of those.
> That is why they were shipping the precompiled versions of those.

you might want to take a closer look at the rules snapshot files, then... in the 
ones I have available here, there is a so_rules/src directory with 166 .c and .h 
files along with a makefile, readme and a test.conf file... looking in the 
so_rules/precompiled directory, I see 32 .so files in each one... how the make 
process puts them all together is majik to me ;)

granted, not all precompiled rules have their sources in the src directory but a 
lot of them appear to... I haven't tried building them in a while so I don't 
know how many .so files will be generated and my build environment where I used 
to play with this stuff is old and outdated now... one should look at the 
makefile and ensure that they compile what they need (e.g. 
--enable-non-ether-encoders requires changes) when they compile their snort and 
the shared object rules to go with it...

> I do agree with your second statement about not having a build environment on
> security devices.

thank you :)

-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
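A small check that follows from the point above about precompiled rules whose sources are missing from so_rules/src, as an added example that is not part of the original post: it walks an unpacked snapshot and prints the .so libraries that have no same-stem .c file. The foo.so-from-foo.c mapping, the Debian-8/x86-64/2.9.8.0 precompiled path and the sample tree are assumptions constructed for the demo, not taken from the real snapshot.

```shell
#!/bin/sh
# Added example, not from the mailing list thread. ASSUMPTION: a precompiled
# library foo.so is built from so_rules/src/foo.c; the real makefile may map
# names differently, so treat the output as a starting point for inspection.
set -eu

# so_missing_sources SNAPSHOT_DIR PRECOMPILED_SUBDIR
#   prints, sorted, one stem per line for every .so in
#   SNAPSHOT_DIR/so_rules/precompiled/PRECOMPILED_SUBDIR that has no
#   same-stem .c file under SNAPSHOT_DIR/so_rules/src.
so_missing_sources() {
    snap="$1"; pre="$2"
    src="$snap/so_rules/src"
    for lib in "$snap/so_rules/precompiled/$pre"/*.so; do
        [ -e "$lib" ] || continue            # glob matched nothing
        stem=$(basename "$lib" .so)
        [ -e "$src/$stem.c" ] || printf '%s\n' "$stem"
    done | sort
}

# Constructed sample tree (placeholder names, assumed layout) so the
# check can be run offline without a real rules snapshot.
make_sample_snapshot() {
    root=$(mktemp -d)
    pre="$root/so_rules/precompiled/Debian-8/x86-64/2.9.8.0"
    mkdir -p "$root/so_rules/src" "$pre"
    for s in browser-ie exploit-kit file-pdf; do
        : > "$root/so_rules/src/$s.c"        # libraries with sources
    done
    for s in browser-ie exploit-kit file-pdf netbios os-windows; do
        : > "$pre/$s.so"                     # two have no source
    done
    printf '%s\n' "$root"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_snapshot)
    so_missing_sources "$d" Debian-8/x86-64/2.9.8.0
    rm -rf "$d"
fi
```

Run it with `--demo` to see the constructed case; on a real snapshot, pass the unpacked directory and the precompiled subdirectory for your platform.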
