Snort mailing list archives
Re: Difference between Dynamic library rules vs regular rules in snort.conf?
From: Jason Wallace <jason.r.wallace () gmail com>
Date: Thu, 22 Jul 2010 15:39:11 -0400
Couldn't ask for a better answer! The reason I asked though was because I stumbled on to these the other day while doing some older rule clean up, and this conversation made me think of this...

1:532
1:533
1:536

When compared to...

133:2 (with say... smb_invalid_shares ["C$" "D$" "ADMIN$"])

I'm not a DCE/RPC expert, by any stretch of the imagination, but those looked similar to me. Is there a specific difference between the 133 alert and the older rules in this case?

Wally

On Thu, Jul 22, 2010 at 2:55 PM, Alan Ptak <alan.ptak () gmail com> wrote:
Jason,

To the best of my knowledge there is no deliberate overlap between Snort text rules, SO rules, and preprocessor rules. Some rules might appear to be similar but in general will differ in effectiveness, efficiency, etc. In general, each rule addresses a specific detection problem, regardless of type. The type of rule used depends on the nature of the detection problem, and the assessment of the analyst on what method would be most effective or appropriate.

To the OP's question, run both text and SO rules for complete coverage.

HTH .. Alan

On Thu, Jul 22, 2010 at 10:18 AM, Jason Wallace <jason.r.wallace () gmail com> wrote:

While both gid:1 and gid:3 rules are needed, there is some overlap with gid:1, gid:3, and preprocessor rules though, right? It would be nice to have those overlaps identified somewhere.

Wally

On Thu, Jul 22, 2010 at 12:28 PM, Joel Esler <jesler () sourcefire com> wrote:

you DO have to run them both. That's correct.

On Jul 22, 2010, at 12:10 PM, Jefferson, Shawn wrote:

I was told, in a SourceFire training course (Snort Rule Writing Best Practices, which I highly recommend!) by the instructor that all the stuff in the so_rules was also in the text rules and that you didn’t need to run the so_rules. My understanding (from asking on this list), and I brought it up in the class, is that you DO have to run both rulesets to have complete protection, since some vulnerabilities/rules are not made public by VRT/SourceFire due to agreements with vendors, and those rules are ONLY in the so_rules. So, IMO, it’s important to run both rulesets.

Although I understand the reasoning behind the so_rule format, it’s annoying that you can’t see into the rule. I find myself doing that a lot when I see an alert to try to understand why it fired… The [rule] link in BASE is great for this, but for so_rules it doesn’t tell you much.
________________________________
From: Chan, Wilson [mailto:wchan () honolulu gov]
Sent: Wednesday, July 21, 2010 5:08 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Difference between Dynamic library rules vs regular rules in snort.conf?

What’s the difference from the regular rules vs the so_rules? Can you enable both?

Thanks!

include RULE_PATH/bad-traffic.rules
include RULE_PATH/chat.rules
include RULE_PATH/dos.rules
include RULE_PATH/exploit.rules
include RULE_PATH/imap.rules
include RULE_PATH/misc.rules
include RULE_PATH/multimedia.rules
include RULE_PATH/netbios.rules
include RULE_PATH/nntp.rules
include RULE_PATH/p2p.rules
include RULE_PATH/smtp.rules
include RULE_PATH/sql.rules
include RULE_PATH/web-activex.rules
include RULE_PATH/web-client.rules
include RULE_PATH/web-misc.rules

# dynamic library rules
# include $SO_RULE_PATH/bad-traffic.rules
# include $SO_RULE_PATH/chat.rules
# include $SO_RULE_PATH/dos.rules
# include $SO_RULE_PATH/exploit.rules
# include $SO_RULE_PATH/imap.rules
# include $SO_RULE_PATH/misc.rules
# include $SO_RULE_PATH/multimedia.rules
# include $SO_RULE_PATH/netbios.rules
# include $SO_RULE_PATH/nntp.rules
# include $SO_RULE_PATH/p2p.rules
# include $SO_RULE_PATH/smtp.rules
# include $SO_RULE_PATH/sql.rules
# include $SO_RULE_PATH/web-activex.rules
# include $SO_RULE_PATH/web-client.rules
# include $SO_RULE_PATH/web-misc.rules

Wilson Chan

------------------------------------------------------------------------------
This SF.net email is sponsored by Sprint
What will you do first with EVO, the first 4G phone?
Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Alan Ptak
alan.ptak () gmail com
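Two small checks that follow from this thread, written here as an added example; they are not part of any of the posts above and not Snort project code. The first parses include lines in the shape of the snort.conf excerpt Wilson posted and reports rule categories whose text rules are loaded while the matching $SO_RULE_PATH include is still commented out (the "run both" advice from Joel and Alan, made checkable). The second is a heuristic for the overlap question Wally raised: it groups rules across gid:1 and gid:3 that cite the same reference: metadata, so candidate pairs can be reviewed by hand. The config excerpt, the rule lines, their SIDs and their reference values are all constructed placeholders, not VRT rules; rules that carry no reference metadata, and alerts that come from preprocessor configuration rather than a reference-tagged rule, will not be matched by the second check.

```python
import re
from collections import defaultdict

# Constructed snort.conf excerpt in the shape of the one posted in the thread
# (not the poster's file): text-rule includes live, most SO includes commented out.
SNORT_CONF = """\
include $RULE_PATH/netbios.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/web-client.rules
# dynamic library rules
# include $SO_RULE_PATH/netbios.rules
include $SO_RULE_PATH/exploit.rules
# include $SO_RULE_PATH/web-client.rules
"""

# Constructed rule lines (not VRT rules): SIDs are in the local range and the
# reference values are placeholders. The gid:3 line is shaped like an SO-rule stub.
RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"EXAMPLE text rule"; flow:to_server,established; content:"|FF|SMB"; reference:url,example.invalid/placeholder-advisory-1; classtype:attempted-recon; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE SO rule stub"; flow:to_server,established; reference:url,example.invalid/placeholder-advisory-1; classtype:attempted-recon; gid:3; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE unrelated text rule"; flow:to_server,established; reference:url,example.invalid/placeholder-advisory-2; classtype:web-application-attack; sid:1000003; rev:1;)
"""

# Matches "include $RULE_PATH/x.rules" and "include $SO_RULE_PATH/x.rules",
# with or without a leading "#" and with or without the "$" (the thread's
# excerpt shows the text-rule lines without it).
INCLUDE_RE = re.compile(r'^\s*(#\s*)?include\s+\$?(RULE_PATH|SO_RULE_PATH)/(\S+)\s*$')


def include_coverage(conf_text):
    """Map each rule category to whether its text include and its SO include are live."""
    cov = defaultdict(lambda: {"text": False, "so": False})
    for line in conf_text.splitlines():
        m = INCLUDE_RE.match(line)
        if not m:
            continue
        commented, path_var, fname = m.groups()
        kind = "so" if path_var == "SO_RULE_PATH" else "text"
        category = fname[:-len(".rules")] if fname.endswith(".rules") else fname
        # A category counts as covered if at least one uncommented include exists.
        cov[category][kind] = cov[category][kind] or commented is None
    return dict(cov)


def missing_so_includes(conf_text):
    """Categories whose text rules are loaded but whose SO rules are not."""
    cov = include_coverage(conf_text)
    return sorted(c for c, v in cov.items() if v["text"] and not v["so"])


# One "key:value;" rule option. Values such as msg:"..." may contain colons;
# the greedy [^;]* keeps them inside the value.
OPTION_RE = re.compile(r'(\w+):\s*([^;]*);')


def parse_rule(line):
    """Return (gid, sid, msg, references) for one rule line.

    gid defaults to 1 when the option is absent, as Snort does.
    references is a set of (system, id) tuples from reference: options.
    """
    body = line[line.index("(") + 1:line.rindex(")")]
    gid, sid, msg, refs = 1, None, "", set()
    for key, val in OPTION_RE.findall(body):
        val = val.strip()
        if key == "gid":
            gid = int(val)
        elif key == "sid":
            sid = int(val)
        elif key == "msg":
            msg = val.strip('"')
        elif key == "reference":
            system, _, ident = val.partition(",")
            refs.add((system.strip().lower(), ident.strip()))
    return gid, sid, msg, refs


def overlap_candidates(rule_text):
    """Group rules from more than one gid that cite the same reference.

    Returns {(system, id): [(gid, sid, msg), ...]} for references shared
    across gids; single-gid references are dropped.
    """
    by_ref = defaultdict(list)
    for line in rule_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        gid, sid, msg, refs = parse_rule(line)
        for ref in refs:
            by_ref[ref].append((gid, sid, msg))
    return {ref: rules for ref, rules in by_ref.items()
            if len({gid for gid, _, _ in rules}) > 1}


if __name__ == "__main__":
    for cat in missing_so_includes(SNORT_CONF):
        print(f"text rules loaded but SO include commented out: {cat}")
    for ref, rules in overlap_candidates(RULES).items():
        print(f"shared reference {ref[0]}:{ref[1]}")
        for gid, sid, msg in sorted(rules):
            print(f"  {gid}:{sid}  {msg}")
```

Point the two functions at a real snort.conf and at the concatenated text of the .rules files (SO-rule stub files included) to get the same two reports for a production sensor; a shared reference only marks a pair as worth comparing, since, as Alan notes, two rules for the same issue can still differ in what they detect and how efficiently.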
Current thread:
- Difference between Dynamic library rules vs regular rules in snort.conf? Chan, Wilson (Jul 21)
- Re: Difference between Dynamic library rules vs regular rules in snort.conf? Joel Esler (Jul 21)
- Re: Difference between Dynamic library rules vs regular rules in snort.conf? Joel Esler (Jul 21)
- Re: Difference between Dynamic library rules vs regular rules in snort.conf? Jefferson, Shawn (Jul 22)
- Re: Difference between Dynamic library rules vs regular rules in snort.conf? Crook, Parker (Jul 22)
- Re: Difference between Dynamic library rules vs regular rules in snort.conf? Joel Esler (Jul 22)
- Re: Difference between Dynamic library rules vs regular rules in snort.conf? Jason Wallace (Jul 22)
- Re: Difference between Dynamic library rules vs regular rules in snort.conf? Joel Esler (Jul 22)
- Re: Difference between Dynamic library rules vs regular rules in snort.conf? Alan Ptak (Jul 22)
- Re: Difference between Dynamic library rules vs regular rules in snort.conf? Jason Wallace (Jul 22)
- Re: Difference between Dynamic library rules vs regular rules in snort.conf? Joel Esler (Jul 22)
- Re: Difference between Dynamic library rules vs regular rules in snort.conf? Jason Wallace (Jul 22)
- Re: Difference between Dynamic library rules vs regular rules in snort.conf? Joel Esler (Jul 22)