Snort mailing list archives
Re: About Shared Object Snort Rules
From: Patrick Mullen <pmullen () sourcefire com>
Date: Thu, 25 Jul 2013 12:48:37 -0400
Mayur,

Thanks for your query. Shared Object rules are quite powerful and a distinguishing feature of Snort. With them, you can do *anything* you can do in C, so advanced detections are possible. Of course, coding in vulnerabilities is also possible, so you need to be careful about what you're doing.

I wrote up a quick tutorial a few years ago and blogged about it here -- http://vrt-blog.snort.org/2010/02/introduction-to-shared-object-rules.html

As described in that blog post, there is an SO Rules Generator that takes care of a lot of the grunt work for you. The generator has also been improved since the time of that blog post to make your life even easier. So write a base Snort rule to get yourself started, plug it into the generator, then add your custom detection into the eval function.

That said, I spend a lot of time here helping people be creative about text rules to avoid writing shared object rules. When you see something as powerful as a shared object rule, it's hard not to see it as the solution to everything (because technically it really can solve everything). But oftentimes you can be creative with text rules and make detection that is "good enough" to detect malicious traffic and avoid benign traffic; while it might not be an exact match of what you're looking for, it's satisfactory for finding traffic that at least requires much closer inspection to determine malicious intent. So, I spend a lot of time telling people they can't write a shared object rule and incur processing overhead in Snort and a lot of code review and QA time, and instead convince them to write text rules.

Good luck,

~Patrick

On Thu, Jul 25, 2013 at 7:03 AM, Mayur Patil <ram.nath241089 () gmail com> wrote:
Hello,

I have searched on the internet but I am unable to find any tutorial regarding shared object rules in C language. I am able to understand how Snort rules work. Now I want to write shared object rules. Seeking guidance.

Thanks!!

--
*Cheers, Mayur*.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
--
Patrick Mullen
Response Research Manager
Sourcefire VRT
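Added example (not from the post above, the VRT blog, or the SO Rules Generator): the "custom detection in the eval function" half of Patrick's recipe, written against a plain byte buffer so it compiles without Snort's SDK headers. In a real SO rule the generated Rule/RuleOption structures, flow check and content match run first, and this function is what you would call once the cursor sits past the matched content; that SDK glue is not reproduced here. The wire format is hypothetical (constructed for the example): two magic bytes, a record count, then records of a 1-byte type, a 2-byte big-endian length and the value. The base text rule you would feed the generator for it is just `content:"|AB CD|"; depth:2;`. The C check alerts when a record's declared length runs past the end of the packet, and the second function shows the safe form of the code path where people usually "code in" the vulnerability (copying a packet-supplied length into a fixed buffer). The RULE_MATCH/RULE_NOMATCH names mirror the SDK's return codes, but their values here are assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Return codes named after the Snort SDK's, values assumed for this example. */
#define RULE_MATCH   1
#define RULE_NOMATCH 0

/* Hypothetical wire format (constructed for this example):
 *   [0xAB 0xCD] [1-byte record count] then `count` records of
 *   [1-byte type] [2-byte big-endian length] [`length` bytes of value]    */
#define MAGIC0       0xAB
#define MAGIC1       0xCD
#define HDR_LEN      3
#define REC_HDR_LEN  3

/* Custom detection: RULE_MATCH when any record's declared length runs past
 * the end of the packet.  Every index is checked against `size` before it is
 * read, and the comparisons are on "bytes remaining" so nothing can wrap. */
int eval_length_overrun(const uint8_t *payload, uint32_t size)
{
    if (payload == NULL || size < HDR_LEN)
        return RULE_NOMATCH;
    if (payload[0] != MAGIC0 || payload[1] != MAGIC1)
        return RULE_NOMATCH;                 /* not our protocol */

    uint8_t  count = payload[2];
    uint32_t off   = HDR_LEN;                /* invariant: off <= size */
    for (uint8_t i = 0; i < count; i++) {
        if (size - off < REC_HDR_LEN)
            return RULE_NOMATCH;             /* packet ends before the next header: not the bug we hunt */
        uint16_t len = (uint16_t)(((uint16_t)payload[off + 1] << 8) | payload[off + 2]);
        off += REC_HDR_LEN;
        if (len > size - off)
            return RULE_MATCH;               /* declared length overruns the packet */
        off += len;
    }
    return RULE_NOMATCH;
}

/* Safe extraction of record `idx` into a caller-supplied buffer.  The bug
 * Patrick warns about is the obvious version of this: memcpy(buf, payload +
 * off, len) into a fixed stack buffer with len taken straight from the packet.
 * Returns bytes copied, or -1 if the record is missing, truncated, overruns
 * the packet, or does not fit in `out`. */
int copy_record_value(const uint8_t *payload, uint32_t size, unsigned idx,
                      uint8_t *out, size_t outsize)
{
    if (payload == NULL || size < HDR_LEN ||
        payload[0] != MAGIC0 || payload[1] != MAGIC1)
        return -1;
    uint8_t count = payload[2];
    if (idx >= count)
        return -1;
    uint32_t off = HDR_LEN;
    for (unsigned i = 0; i <= idx; i++) {
        if (size - off < REC_HDR_LEN)
            return -1;
        uint16_t len = (uint16_t)(((uint16_t)payload[off + 1] << 8) | payload[off + 2]);
        off += REC_HDR_LEN;
        if (len > size - off)
            return -1;
        if (i == idx) {
            if (len > outsize)
                return -1;                   /* would overflow the caller's buffer */
            memcpy(out, payload + off, len);
            return (int)len;
        }
        off += len;
    }
    return -1;
}

/* Constructed sample packets (not captured traffic). */
const uint8_t PKT_BENIGN[]  = { 0xAB, 0xCD, 0x02,
                                0x01, 0x00, 0x02, 'h', 'i',
                                0x02, 0x00, 0x01, 'x' };
const uint8_t PKT_OVERRUN[] = { 0xAB, 0xCD, 0x01,
                                0x01, 0xFF, 0xFF, 'A' };        /* claims 65535 bytes, carries 1 */
const uint8_t PKT_SHORT[]   = { 0xAB, 0xCD, 0x05,
                                0x01, 0x00, 0x00 };            /* count says 5, one record present */
const uint8_t PKT_OTHER[]   = { 0x00, 0x00, 0x01, 0x01, 0xFF, 0xFF };  /* wrong magic */
uint8_t record_buf[8];

int main(void)
{
    printf("benign : %d\n", eval_length_overrun(PKT_BENIGN,  sizeof PKT_BENIGN));
    printf("overrun: %d\n", eval_length_overrun(PKT_OVERRUN, sizeof PKT_OVERRUN));
    printf("short  : %d\n", eval_length_overrun(PKT_SHORT,   sizeof PKT_SHORT));
    printf("other  : %d\n", eval_length_overrun(PKT_OTHER,   sizeof PKT_OTHER));
    return 0;
}
```

Compile with `cc -std=c99 -Wall so_eval.c && ./a.out` (the file name is arbitrary). For the "good enough" text-rule alternative Patrick describes, a rule with `content:"|AB CD|"; depth:2; byte_test:2,>,1024,4;` would flag any first record that declares more than 1024 bytes regardless of packet length; that loses the exact overrun check but needs no C, no code review of a loadable module, and no SO rule processing overhead.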
Current thread:
- About Shared Object Snort Rules Mayur Patil (Jul 25)
- Re: About Shared Object Snort Rules Patrick Mullen (Jul 25)
- Re: About Shared Object Snort Rules Mayur Patil (Jul 29)
- Re: About Shared Object Snort Rules Patrick Mullen (Jul 25)