Snort mailing list archives

Re: Difference between Dynamic library rules vs regular rules in snort.conf?


From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
Date: Thu, 22 Jul 2010 10:10:42 -0600

I was told, in a SourceFire training course (Snort Rule Writing Best Practices, which I highly recommend!) by the 
instructor that all the stuff in the so_rules was also in the text rules and that you didn't need to run the so_rules.  
My understanding (from asking on this list), and I brought it up in the class, is that you DO have to run both rulesets 
to have complete protection, since some vulnerabilities/rules are not made public by VRT/SourceFire due to agreements 
with vendors, and those rules are ONLY in the so_rules.

So, IMO, it's important to run both rulesets.  Although I understand the reasoning behind the so_rule format, it's 
annoying that you can't see into the rule.  I find myself doing that a lot when I see an alert to try to understand why 
it fired... The [rule] link in BASE is great for this, but for so_rules it doesn't tell you much.

________________________________
From: Chan, Wilson [mailto:wchan () honolulu gov]
Sent: Wednesday, July 21, 2010 5:08 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Difference between Dynamic library rules vs regular rules in snort.conf?

What's the difference from the regular rules vs the so_rules? Can you enable both? Thanks!

include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/chat.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/multimedia.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/p2p.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/web-activex.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-misc.rules

# dynamic library rules
# include $SO_RULE_PATH/bad-traffic.rules
# include $SO_RULE_PATH/chat.rules
# include $SO_RULE_PATH/dos.rules
# include $SO_RULE_PATH/exploit.rules
# include $SO_RULE_PATH/imap.rules
# include $SO_RULE_PATH/misc.rules
# include $SO_RULE_PATH/multimedia.rules
# include $SO_RULE_PATH/netbios.rules
# include $SO_RULE_PATH/nntp.rules
# include $SO_RULE_PATH/p2p.rules
# include $SO_RULE_PATH/smtp.rules
# include $SO_RULE_PATH/sql.rules
# include $SO_RULE_PATH/web-activex.rules
# include $SO_RULE_PATH/web-client.rules
# include $SO_RULE_PATH/web-misc.rules

Wilson Chan
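A quick way to check the point made above, that both rulesets need to be enabled: this added Python script (not part of the thread and not a Snort tool) parses the include lines of a snort.conf and lists the categories whose text rules are active while the matching $SO_RULE_PATH include is missing or commented out. The configuration text inside it is constructed to mirror the snippet quoted in the thread.

```python
"""Audit snort.conf include lines: report rule categories enabled as text
rules but not as shared-object (so_rules) rules.  Added example, not from
the original thread; SAMPLE_CONF below is constructed test input."""
import re

# One include line, optionally disabled with a leading '#'.  The '$' is
# optional so that lines pasted without it (as in the quoted mail) still parse.
INCLUDE_RE = re.compile(
    r"^\s*(?P<off>#\s*)?include\s+\$?(?P<var>RULE_PATH|SO_RULE_PATH)"
    r"/(?P<cat>[\w-]+)\.rules\s*$"
)


def parse_includes(conf_text):
    """Return {"text": {category: enabled}, "so": {category: enabled}}."""
    found = {"text": {}, "so": {}}
    for line in conf_text.splitlines():
        m = INCLUDE_RE.match(line)
        if not m:
            continue  # preprocessor settings, comments, blank lines, etc.
        kind = "so" if m.group("var") == "SO_RULE_PATH" else "text"
        found[kind][m.group("cat")] = m.group("off") is None
    return found


def audit(conf_text):
    """Categories with text rules enabled but so_rules disabled or absent."""
    inc = parse_includes(conf_text)
    return [
        cat
        for cat, enabled in sorted(inc["text"].items())
        if enabled and not inc["so"].get(cat, False)
    ]


# Constructed snort.conf fragment: so_rules for web-client left commented out.
SAMPLE_CONF = """\
include $RULE_PATH/exploit.rules
include $RULE_PATH/web-client.rules
# include $RULE_PATH/chat.rules
# dynamic library rules
include $SO_RULE_PATH/exploit.rules
# include $SO_RULE_PATH/web-client.rules
"""

if __name__ == "__main__":
    for cat in audit(SAMPLE_CONF):
        print(f"{cat}: text rules enabled, so_rules not enabled")
```

Run it against a real snort.conf by reading the file into `audit()`; an empty result means every active text category also has its so_rules include active.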

