Snort mailing list archives

Re: Difference between Dynamic library rules vs regular rules in snort.conf?


From: "Crook, Parker" <Parker_Crook () reyrey com>
Date: Thu, 22 Jul 2010 12:25:35 -0400

Seconded... I got the same understanding from the class... the rulesets are not functionally equivalent, and as such 
both rulesets should be run if you want to have the maximum coverage possible in those domains.



-Parker



  _____

From: Jefferson, Shawn [mailto:Shawn.Jefferson () bcferries com]
Sent: Thursday, July 22, 2010 12:11 PM
To: Chan, Wilson; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Difference between Dynamic library rules vs regular rules in snort.conf?



I was told, in a SourceFire training course (Snort Rule Writing Best Practices, which I highly recommend!) by the 
instructor that all the stuff in the so_rules was also in the text rules and that you didn't need to run the so_rules.  
My understanding (from asking on this list), and I brought it up in the class, is that you DO have to run both rulesets 
to have complete protection, since some vulnerabilities/rules are not made public by VRT/SourceFire due to agreements 
with vendors, and those rules are ONLY in the so_rules.



So, IMO, it's important to run both rulesets.  Although I understand the reasoning behind the so_rule format, it's
annoying that you can't see into the rule.  I find myself doing that a lot when I see an alert to try to understand why
it fired... The [rule] link in BASE is great for this, but for so_rules it doesn't tell you much.



  _____

From: Chan, Wilson [mailto:wchan () honolulu gov]
Sent: Wednesday, July 21, 2010 5:08 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Difference between Dynamic library rules vs regular rules in snort.conf?



What's the difference from the regular rules vs the so_rules? Can you enable both? Thanks!



include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/chat.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/multimedia.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/p2p.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/web-activex.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-misc.rules

# dynamic library rules
# include $SO_RULE_PATH/bad-traffic.rules
# include $SO_RULE_PATH/chat.rules
# include $SO_RULE_PATH/dos.rules
# include $SO_RULE_PATH/exploit.rules
# include $SO_RULE_PATH/imap.rules
# include $SO_RULE_PATH/misc.rules
# include $SO_RULE_PATH/multimedia.rules
# include $SO_RULE_PATH/netbios.rules
# include $SO_RULE_PATH/nntp.rules
# include $SO_RULE_PATH/p2p.rules
# include $SO_RULE_PATH/smtp.rules
# include $SO_RULE_PATH/sql.rules
# include $SO_RULE_PATH/web-activex.rules
# include $SO_RULE_PATH/web-client.rules
# include $SO_RULE_PATH/web-misc.rules



Wilson Chan
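Added example, not posted by anyone in this thread: a small POSIX shell helper that turns on the so_rules includes
left commented out in a snort.conf like the one above, one category at a time and only where the stub file really
exists under SO_RULE_PATH, and appends the dynamicdetection directive that makes Snort 2.x load the compiled rule
libraries. The sample snort.conf, stub files and directory names in the demo are constructed, and the function names
enable_so_rules and count_so_includes are chosen here, not taken from Snort.

```shell
#!/bin/sh
# Added example (not from anyone in this thread): enable the commented-out
# shared-object rule includes in a Snort 2.x snort.conf, but only for the
# categories whose stub file is actually present under SO_RULE_PATH, and add
# the dynamicdetection directive that tells Snort where the compiled rule
# libraries (.so) live.  The sample snort.conf, stub files and paths below are
# constructed for the demo, not taken from a real installation.
set -e

# enable_so_rules CONF SO_DIR LIBDIR
#   CONF    snort.conf to rewrite in place
#   SO_DIR  directory holding the so_rules stub files (*.rules)
#   LIBDIR  directory holding the compiled rule libraries
enable_so_rules() {
    conf=$1; so_dir=$2; libdir=$3
    tmp=$(mktemp)
    while IFS= read -r line; do
        case $line in
            '#'*'include $SO_RULE_PATH/'*.rules)
                # keep only the file name after the variable, e.g. "exploit.rules"
                f=${line##*SO_RULE_PATH/}
                if [ -f "$so_dir/$f" ]; then
                    printf 'include $SO_RULE_PATH/%s\n' "$f"
                else
                    printf '%s\n' "$line"   # no stub shipped; keep it commented
                fi ;;
            *)  printf '%s\n' "$line" ;;
        esac
    done < "$conf" > "$tmp"
    # The stubs carry only the rule header and metadata; the detection logic
    # is in the .so files, which need a dynamicdetection directive to load.
    if ! grep -q '^dynamicdetection' "$tmp"; then
        printf 'dynamicdetection directory %s\n' "$libdir" >> "$tmp"
    fi
    mv "$tmp" "$conf"
}

# count_so_includes CONF -> number of active "include $SO_RULE_PATH/..." lines
count_so_includes() {
    grep -c '^include \$SO_RULE_PATH/' "$1" || true
}

# --- demo on a constructed config ----------------------------------------
demo=$(mktemp -d)
mkdir -p "$demo/so_rules" "$demo/lib"
cat > "$demo/snort.conf" <<'EOF'
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
include $RULE_PATH/chat.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/web-client.rules
# dynamic library rules
# include $SO_RULE_PATH/chat.rules
# include $SO_RULE_PATH/exploit.rules
# include $SO_RULE_PATH/web-client.rules
EOF
# Only two categories ship a stub in this constructed so_rules directory,
# so chat.rules must stay commented out after the rewrite.
echo '# constructed stub' > "$demo/so_rules/exploit.rules"
echo '# constructed stub' > "$demo/so_rules/web-client.rules"

enable_so_rules "$demo/snort.conf" "$demo/so_rules" "$demo/lib"
cat "$demo/snort.conf"
```

After rewriting a real snort.conf, run `snort -T -c snort.conf` so Snort confirms it can load every library from the
dynamicdetection directory before you put the sensor back in line. The stub .rules files are generated from the
libraries with `snort --dump-dynamic-rules=DIR -c snort.conf`; header, msg, sid/gid and references are all the text
side ever shows for a shared-object rule, which is the opacity complained about earlier in the thread.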
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users