Snort mailing list archives

Re: Difference between Dynamic library rules vs regular rules in snort.conf?


From: Joel Esler <jesler () sourcefire com>
Date: Thu, 22 Jul 2010 13:26:44 -0400

No, there shouldn't be.


On Jul 22, 2010, at 1:18 PM, Jason Wallace wrote:

While both gid:1 and gid:3 rules are needed, there is some overlap
with gid:1,gid:3, and preprocessor rules though, right? It would be
nice to have those overlaps identified somewhere.

Wally

On Thu, Jul 22, 2010 at 12:28 PM, Joel Esler <jesler () sourcefire com> wrote:
you DO have to run them both.  That's correct.

On Jul 22, 2010, at 12:10 PM, Jefferson, Shawn wrote:

I was told, in a SourceFire training course (Snort Rule Writing Best
Practices, which I highly recommend!) by the instructor that all the stuff
in the so_rules was also in the text rules and that you didn’t need to run
the so_rules.  My understanding (from asking on this list), and I brought it
up in the class, is that you DO have to run both rulesets to have complete
protection, since some vulnerabilities/rules are not made public by
VRT/SourceFire due to agreements with vendors, and those rules are ONLY in
the so_rules.



So, IMO, it’s important to run both rulesets.  Although, I understand the
reasoning behind the so_rule format, it’s annoying that you can’t see into
the rule.  I find myself doing that a lot when I see an alert to try to
understand why it fired… The [rule] link in BASE is great for this, but for
so_rules it doesn’t tell you much.



________________________________
From: Chan, Wilson [mailto:wchan () honolulu gov]
Sent: Wednesday, July 21, 2010 5:08 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Difference between Dynamic library rules vs regular
rules in snort.conf?



What’s the difference from the regular rules vs the so_rules? Can you enable
both? Thanks!



# text rules (gid:1); $RULE_PATH is the variable defined earlier in snort.conf
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/chat.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/multimedia.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/p2p.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/web-activex.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-misc.rules



# dynamic library rules
# include $SO_RULE_PATH/bad-traffic.rules
# include $SO_RULE_PATH/chat.rules
# include $SO_RULE_PATH/dos.rules
# include $SO_RULE_PATH/exploit.rules
# include $SO_RULE_PATH/imap.rules
# include $SO_RULE_PATH/misc.rules
# include $SO_RULE_PATH/multimedia.rules
# include $SO_RULE_PATH/netbios.rules
# include $SO_RULE_PATH/nntp.rules
# include $SO_RULE_PATH/p2p.rules
# include $SO_RULE_PATH/smtp.rules
# include $SO_RULE_PATH/sql.rules
# include $SO_RULE_PATH/web-activex.rules
# include $SO_RULE_PATH/web-client.rules
# include $SO_RULE_PATH/web-misc.rules



Wilson Chan



------------------------------------------------------------------------------
This SF.net email is sponsored by Sprint
What will you do first with EVO, the first 4G phone?
Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


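Wally's wish to have the gid:1/gid:3 overlaps "identified somewhere" can be met mechanically from the rule files themselves: shared-object rules are typically distributed with text stubs that carry gid:3, a sid and reference: options, so cross-referencing those against the gid:1 text rules flags the duplicates and, just as usefully, the stubs with no public counterpart. This is an added example, not code from the thread or from Snort/VRT; the rules embedded in it are constructed, and in practice the two strings would be read from the files under $RULE_PATH and $SO_RULE_PATH.

```python
from collections import defaultdict
# Constructed sample rules (not real VRT content): a $RULE_PATH text file and
# a $SO_RULE_PATH stub file. gid defaults to 1 when a rule omits it.
TEXT_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB example overflow attempt"; flow:to_server,established; content:"|FF|SMB"; reference:cve,2008-0001; classtype:attempted-admin; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SMTP example command overflow"; flow:to_server,established; content:"EHLO"; reference:bugtraq,99999; classtype:attempted-user; sid:9000002; rev:1;)
'''
SO_STUBS = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB example overflow attempt (shared object)"; metadata:engine shared, soid 3|9100001; reference:cve,2008-0001; classtype:attempted-admin; sid:9100001; rev:1; gid:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP example check with no public reference"; metadata:engine shared, soid 3|9100002; classtype:attempted-admin; sid:9100002; rev:1; gid:3;)
'''

def split_options(body):
    """Split on ';' outside quotes; a backslash escapes the next character."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if not escaped and ch == ';' and not in_quote:
            opts.append(''.join(cur)); cur = []
        else:
            if not escaped and ch == '"':
                in_quote = not in_quote
            escaped = ch == '\\' and not escaped
            cur.append(ch)
    opts.append(''.join(cur))
    return [o.strip() for o in opts if o.strip()]

def parse_rule(line):
    """Pull gid (default 1), sid and the reference: values out of one rule."""
    rule = {'gid': 1, 'sid': None, 'refs': set()}
    for opt in split_options(line[line.index('(') + 1:line.rindex(')')]):
        name, _, value = opt.partition(':')
        name, value = name.strip(), value.strip()
        if name in ('gid', 'sid'): rule[name] = int(value)
        elif name == 'reference': rule['refs'].add(value.lower())
    return rule

def load_rules(text):
    """Parse every active rule; '#' lines (like the commented includes) are skipped."""
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.lstrip().startswith('#')]

def compare(text_rules, so_rules):
    """Pair gid:3 stubs with gid:1 rules citing the same reference; an unmatched stub is coverage only so_rules provide."""
    by_ref = defaultdict(list)
    for tr in text_rules:
        for ref in tr['refs']: by_ref[ref].append((tr['gid'], tr['sid'], ref))
    overlaps, so_only = [], []
    for so in so_rules:
        hits = sorted(h for ref in so['refs'] for h in by_ref[ref])
        (overlaps if hits else so_only).append(((so['gid'], so['sid']), hits))
    return overlaps, so_only
```

Matching on reference: values catches rules that target the same advisory; rules that detect the same traffic without sharing a reference still need a manual look, so treat the output as a starting list rather than proof that a text rule can be dropped.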