Snort mailing list archives
Re: Question on compiled (.so) rules with Snort3 from the LightSPD ruleset
From: Noah Dietrich <noah_dietrich () 86penny org>
Date: Sat, 11 Dec 2021 12:30:39 +0200
Adding the snort-devel list as well, as I have some compilation questions on the LightSPD ruleset. I managed to get rules compiled (note: I had to install the snort_extras package before rules would compile).

After downloading the latest LightSPD package (version 2021-12-08-001), the registered (not paid) version: I extract the TGZ and navigate into lightspd/modules/src. I fixed a few things:

1. chmod a+x generate_category.sh
2. modify the makefile so that the prefix is /usr/local (line 1): PREFIX ?= /usr/local

I run make, and the .so and .rules files are created with no errors. I copy the rules and .so files to their respective locations and run snort (with the default snort.lua):

snort -c /usr/local/etc/snort/snort.lua --rule-path /usr/local/etc/rules --plugin-path /usr/local/etc/so_rules/

This works, and I load 96 rules. However, when I use the pre-compiled rules, I get closer to 3000 rules loaded. Am I doing something wrong, or do the .cc rules not provide as many rules as the pre-compiled rules for each distro?

thanks
Noah

On Thu, Dec 9, 2021 at 9:02 PM Noah Dietrich <noah_dietrich () 86penny org> wrote:
I'm working on adding functionality to PulledPork3, and I have a few questions on the pre-compiled (.so) rules. I'm focused specifically on Snort 3 with the LightSPD ruleset format, but I think these questions are fairly generic.

Let me start with what I know about how this works (so anyone can correct any misconceptions I have): for a few supported platforms (centos-x64, debian-x64, fc-x64, opensuse-x64, ubuntu-x64), to use the precompiled rules all you need to do is reference the folder containing all the .so rules for that platform with the *--plugin-path* option, and include the rules from the stubs folder. For example:

/usr/local/bin/snort --plugin-path lightspd/modules/3.1.15.0/ubuntu-x64/so_rules/ --rule-path lightspd/modules/stubs/ -c /usr/local/etc/snort/snort.lua

(The above command works great for me with Snort 3.1.17.0 on Ubuntu x64.)

I understand that the *--dump-dynamic-rules* option can be used to generate the stub files from the .so rules, but it seems like that's not necessary for the distros listed above, since for those distros these stubs are included. This would only be needed if you were to compile the .so rules from the .cc files located in the lightspd/modules/src folder (let me know if this assumption is incorrect).

What is the process for compiling the .cc files in the lightspd/modules/src folder into .so rules? I tried running the makefile included in the src directory, but it looks like it needs some of the files from the snort3 repo:

fatal error: main/snort_types.h: No such file or directory

Additionally: assuming I can compile these rules myself into .so files, are the rules included different from the pre-compiled rules (meaning I would need to use the --dump-dynamic-rules option with snort to generate the stub files, rather than using the included stub files)?

Thank you
Noah
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
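The build-and-compare procedure Noah describes (chmod the generator script, build with PREFIX=/usr/local, copy the .so and .rules files into place, then count what snort actually loads) is easy to get subtly wrong, and the 96-vs-3000 gap is exactly the kind of thing worth measuring before asking whether the sources are incomplete. The script below is an added example written for this archive page, not code from the thread or from the LightSPD/PulledPork3 projects. It assumes the install paths from the post (/usr/local/etc/rules, /usr/local/etc/so_rules), that `make` drops the built .so and .rules files in lightspd/modules/src itself, that the Makefile's `PREFIX ?=` line can therefore be overridden from the command line instead of edited, that `snort --dump-dynamic-rules` writes stub rules to stdout, and the Snort 3.1.15.0/ubuntu-x64 precompiled directory named in the quoted message. The counting helpers are the part that runs offline: they tally .so files and active (uncommented) rule lines so the self-built and vendor-precompiled trees can be compared side by side.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the LightSPD package.
# Automates the build steps from the post and compares rule counts between
# the self-built .so rules and the vendor-precompiled ones.
set -eu

# Assumed locations (override via environment). Only RULE_DIR and SO_DIR
# come from the post; the rest are this example's assumptions.
LIGHTSPD="${LIGHTSPD:-$PWD/lightspd}"
RULE_DIR="${RULE_DIR:-/usr/local/etc/rules}"
SO_DIR="${SO_DIR:-/usr/local/etc/so_rules}"
PRECOMPILED="${PRECOMPILED:-$LIGHTSPD/modules/3.1.15.0/ubuntu-x64/so_rules}"
STUBS="${STUBS:-$LIGHTSPD/modules/stubs}"

# Count shared-object rule libraries directly inside a directory (0 if absent).
count_so() {
    find "$1" -maxdepth 1 -type f -name '*.so' 2>/dev/null | wc -l | tr -d ' '
}

# Count active rule lines across all *.rules files in a directory.
# A Snort 3 rule line begins with an action keyword; lines starting with '#'
# are disabled rules or comments and are not counted.
count_rules() {
    cat "$1"/*.rules 2>/dev/null \
      | grep -E '^[[:space:]]*(alert|block|drop|log|pass|react|reject|rewrite)[[:space:]]' \
      | wc -l | tr -d ' '
}

# Steps 1 and 2 from the post, followed by the copy into the install dirs.
# Assumption: make leaves the .so and .rules files in the src directory.
build_so_rules() {
    cd "$LIGHTSPD/modules/src"
    chmod a+x generate_category.sh     # step 1 from the post
    make PREFIX=/usr/local             # step 2: '?=' lets the command line set PREFIX
    mkdir -p "$SO_DIR" "$RULE_DIR"
    cp ./*.so "$SO_DIR"/
    cp ./*.rules "$RULE_DIR"/
    cd - >/dev/null
}

# Regenerate stub rules from a directory of .so rules into an output directory.
# Assumption: --dump-dynamic-rules writes the stubs to stdout.
dump_stubs() {
    mkdir -p "$2"
    snort --plugin-path "$1" --dump-dynamic-rules > "$2/so_rules.rules"
}

# Print the two trees side by side so the 96-vs-~3000 question is measurable.
compare_trees() {
    echo "self-built:  $(count_so "$SO_DIR") .so files, $(count_rules "$RULE_DIR") rules"
    echo "precompiled: $(count_so "$PRECOMPILED") .so files, $(count_rules "$STUBS") rules"
}

# The full pipeline only runs when invoked as:  sh build_and_compare.sh run
if [ "${1:-}" = run ]; then
    build_so_rules
    dump_stubs "$SO_DIR" "$RULE_DIR/generated"
    compare_trees
fi
```

If the self-built tree shows far fewer .so files than the precompiled one, the gap is in the build (categories the Makefile never produced), whereas a matching .so count with a much lower rule count points at the stubs: regenerating them with --dump-dynamic-rules against the self-built directory, rather than reusing the shipped stubs, makes the two counts directly comparable.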