Re: Difference between Dynamic library rules vs regular rules in snort.conf?

[Joel Esler <jesler () sourcefire com>]

you DO have to run them both.  That's correct.


On Jul 22, 2010, at 12:10 PM, Jefferson, Shawn wrote:

> I was told, in a SourceFire training course (Snort Rule Writing Best Practices, which I highly recommend!) by the 
> instructor that all the stuff in the so_rules was also in the text rules and that you didn’t need to run the 
> so_rules.  My understanding (from asking on this list), and I brought it up in the class, is that you DO have to run 
> both rulesets to have complete protection, since some vulnerabilities/rules are not made public by VRT/SourceFire due 
> to agreements with vendors, and those rules are ONLY in the so_rules.  
>  
> So, IMO, it’s important to run both rulesets.  Although, I understand the reasoning behind the so_rule format, it’s 
> annoying that you can’t see into the rule.  I find myself doing that a lot when I see an alert to try to understand 
> why it fired… The [rule] link in BASE is great for this, but for so_rules it doesn’t tell you much.
>  
> From: Chan, Wilson [mailto:wchan () honolulu gov] 
> Sent: Wednesday, July 21, 2010 5:08 PM
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] Difference between Dynamic library rules vs regular rules in snort.conf?
>  
> What’s the difference from the regular rules vs the so_rules? Can you enable both? Thanks!
>  
> include RULE_PATH/bad-traffic.rules
> include RULE_PATH/chat.rules
> include RULE_PATH/dos.rules
> include RULE_PATH/exploit.rules
> include RULE_PATH/imap.rules
> include RULE_PATH/misc.rules
> include RULE_PATH/multimedia.rules
> include RULE_PATH/netbios.rules
> include RULE_PATH/nntp.rules
> include RULE_PATH/p2p.rules
> include RULE_PATH/smtp.rules
> include RULE_PATH/sql.rules
> include RULE_PATH/web-activex.rules
> include RULE_PATH/web-client.rules
> include RULE_PATH/web-misc.rules
>  
> # dynamic library rules
> # include $SO_RULE_PATH/bad-traffic.rules
> # include $SO_RULE_PATH/chat.rules
> # include $SO_RULE_PATH/dos.rules
> # include $SO_RULE_PATH/exploit.rules
> # include $SO_RULE_PATH/imap.rules
> # include $SO_RULE_PATH/misc.rules
> # include $SO_RULE_PATH/multimedia.rules
> # include $SO_RULE_PATH/netbios.rules
> # include $SO_RULE_PATH/nntp.rules
> # include $SO_RULE_PATH/p2p.rules
> # include $SO_RULE_PATH/smtp.rules
> # include $SO_RULE_PATH/sql.rules
> # include $SO_RULE_PATH/web-activex.rules
> # include $SO_RULE_PATH/web-client.rules
> # include $SO_RULE_PATH/web-misc.rules
>  
> Wilson Chan
>  
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by Sprint
> What will you do first with EVO, the first 4G phone?
> Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first_______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

------------------------------------------------------------------------------
This SF.net email is sponsored by Sprint
What will you do first with EVO, the first 4G phone?
Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users