Snort mailing list archives
Shared Object Rules vs. the New Rules Language
From: Jennifer Steffens <jennifer.steffens () sourcefire com>
Date: Thu, 18 May 2006 15:57:42 -0400
Hey everyone,

There seems to be a good deal of confusion over the recent release of Shared Object (SO) rules and the future of the rules language, so I thought I would try to clear things up a bit.

First off, the new SO Rule option is not the new rules language. SO Rules are intended to provide researchers with the ability to write more complex rules for enhanced detection. In addition, we are working on a new rules language for the Snort 3.0 release that will be developed independently of the SO rule option. The timeframe for this release is currently unknown, but I can assure the community that details will be forthcoming as we move forward.

Now to answer a few of the questions we have received lately:

1. Just what is an SO rule?

An SO rule is a loadable Snort module that can quickly extend the detection capabilities of Snort. We have added an API to the detection engine so that vulnerability researchers aren't restricted by the finite number of Snort keywords when writing rules. This also allows the rule writer to do some very complex things, as they now have the full power of the C language at their disposal.

2. So do I have to learn C to write Snort rules now?

No. SO rules are certainly an option, but you are still free to use the standard Snort rules language. This release simply provides additional functionality; we have not removed any. We might force you to learn LISP in the future though. Just kidding :-)

3. Why not just use the SPP or detection C templates?

SO rules provide a flexible way to add detection functionality. Writing preprocessors and detection keywords requires a considerable amount of research and time, as they are multi-functional and are used to detect pieces of many vulnerabilities. On the other hand, SO rules are focused on a specific vulnerability, making them less complex to write and use.

4. Is the SO API GPL?

Yes, the API has been released under the GPL.

5. So should I create an environment for my Snort sensors to compile SO rules?

While not required, we would certainly recommend it. As mentioned before, these provide users with the ability to write much more complex rules.

I hope this helps to clear up some of the confusion. We will be adding the above information to the Snort FAQs. If you have any questions, just let us know.

Cheers,
Jennifer

--
Jennifer S. Steffens
Director, Product Management - Snort
Sourcefire - Security for the Real World
W: 410.423.1930 | C: 202.409.7707
www.sourcefire.com | www.snort.org
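The point of the announcement is that an SO rule is a detection decision written in C rather than assembled from a fixed set of rule keywords. The following is an added illustration of that difference, written for this page; it is not code from the Snort project, it does not use the real Snort SO rule API, and the wire format, buffer size, field names and function names are all hypothetical and constructed for the example. The sample packets are constructed as well. A standard keyword rule (shown in a comment) can pin the protocol's magic bytes; the C routine walks a variable number of length-prefixed records in a loop and compares each declared length against what is actually left on the wire, a relational, iterative check that keyword matching does not express directly.

```c
/* Added example for this page: a detection routine in the spirit of an SO
 * rule, in plain C. Not the Snort SO API (hypothetical stand-in), and the
 * protocol below is invented for illustration.
 *
 * Hypothetical wire format:
 *   byte 0-1 : magic 0x5A 0x55
 *   byte 2   : record count N
 *   then N records, each: type (1 byte), length (1 byte), value (length bytes)
 * A hypothetical receiver copies a type-0x01 ("name") record into a
 * 32-byte buffer and trusts every length field.
 *
 * The equivalent of what a standard keyword rule can pin down here is just
 * the protocol header, e.g. in Snort rule syntax:
 *   content:"|5A 55|"; depth:2;
 * The loop and the "declared length vs. bytes remaining" comparison below
 * are the part that benefits from having C available. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MAGIC0   0x5A
#define MAGIC1   0x55
#define T_NAME   0x01   /* hypothetical record type */
#define NAME_BUF 32     /* hypothetical fixed-size buffer in the target */

/* Returns 1 if the payload should alert, 0 otherwise. */
int so_rule_eval(const uint8_t *p, size_t len)
{
    if (len < 3 || p[0] != MAGIC0 || p[1] != MAGIC1)
        return 0;                       /* not our protocol: no match */

    size_t n = p[2];
    size_t off = 3;
    for (size_t i = 0; i < n; i++) {
        if (off + 2 > len)
            return 1;                   /* count promises more records than bytes */
        uint8_t type = p[off];
        uint8_t tlen = p[off + 1];
        off += 2;
        if (tlen > len - off)
            return 1;                   /* record length overruns the payload */
        if (type == T_NAME && tlen > NAME_BUF)
            return 1;                   /* name longer than the target's buffer */
        off += tlen;
    }
    return 0;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t pkt_benign[]   = {0x5A, 0x55, 0x02, 0x01, 0x03, 'a', 'b', 'c',
                                       0x02, 0x01, 0x00};
static const uint8_t pkt_overrun[]  = {0x5A, 0x55, 0x01, 0x01, 0x40, 'x'};
static const uint8_t pkt_badcount[] = {0x5A, 0x55, 0x05, 0x02, 0x00};
static const uint8_t pkt_other[]    = {0x00, 0x01, 0x02, 0x03};

/* Runs the rule over the samples; returns how many of them alert. */
int so_rule_demo(void)
{
    const uint8_t *pkts[] = {pkt_benign, pkt_overrun, pkt_badcount, pkt_other};
    const size_t   lens[] = {sizeof pkt_benign, sizeof pkt_overrun,
                             sizeof pkt_badcount, sizeof pkt_other};
    const char    *names[] = {"benign", "overrun", "badcount", "other"};
    int alerts = 0;
    for (size_t i = 0; i < 4; i++) {
        int r = so_rule_eval(pkts[i], lens[i]);
        printf("%-9s -> %s\n", names[i], r ? "ALERT" : "pass");
        alerts += r;
    }
    return alerts;
}

int main(void)
{
    return so_rule_demo() == 2 ? 0 : 1;
}
```

Of the four constructed packets only the two malformed ones alert: the record that claims 64 value bytes when one remains, and the header that announces five records but carries one. A name record of 33 bytes that does fit in the payload would trip the third check, the buffer-size comparison, which is the single condition a `byte_test`-style keyword could also express on its own.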