Snort mailing list archives

Re: About Shared Object Snort Rules


From: Patrick Mullen <pmullen () sourcefire com>
Date: Thu, 25 Jul 2013 12:48:37 -0400

Mayur,

Thanks for your query.  Shared Object rules are quite powerful and a
distinguishing feature of snort.  With them, you can do *anything* you can
do in C, so advanced detections are possible.  Of course, coding in
vulnerabilities is also possible, so you need to be careful about what
you're doing.

I wrote up a quick tutorial a few years ago and blogged about it here --
http://vrt-blog.snort.org/2010/02/introduction-to-shared-object-rules.html

As described in that blog post, there is an SO Rules Generator that takes
care of a lot of the grunt work for you.  The generator has also been
improved since the time of that blog post to make your life even easier.
So write a base snort rule to get yourself started, plug it into the
generator, then add your custom detection into the eval function.

That said, I spend a lot of time here helping people be creative about text
rules to avoid writing shared object rules.  When you see something as
powerful as a shared object rule, it's hard to not see it as the solution
to everything (because technically it really can solve everything).  But
oftentimes, you can be creative with text rules and make detection that is
"good enough" to detect malicious traffic and avoid benign traffic, and
while it might not be an exact match of what you're looking for, it's
satisfactory for finding traffic that at least requires much closer
inspection to determine malicious intent.  So, I spend a lot of time
telling people they can't write a shared object rule and incur processing
overhead in snort and a lot of code review and QA time and instead convince
them to write text rules.


Good luck,

~Patrick


On Thu, Jul 25, 2013 at 7:03 AM, Mayur Patil <ram.nath241089 () gmail com> wrote:

Hello,

I have searched on the internet but I am unable to find any tutorial
regarding shared object rules in C language. I am able to understand
how snort rules work. Now I want to write the rules for shared objects.

Seeking guidance,

Thanks !!

--
*Cheers,
Mayur*.

------------------------------------------------------------------------------
See everything from the browser to the database with AppDynamics
Get end-to-end visibility with application monitoring from AppDynamics
Isolate bottlenecks and diagnose root cause in seconds.
Start your free trial of AppDynamics Pro today!
http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!




-- 
Patrick Mullen
Response Research Manager
Sourcefire VRT