Snort mailing list archives

Re: Clarification on so_rules READ THIS


From: "Safwat Fahmy" <safwat.fahmy () safemedia com>
Date: Fri, 9 Aug 2013 12:57:59 -0400

Important

Safwat Fahmy

www.safemedia.com

-----Original Message-----
From: James Lay [mailto:jlay () slave-tothe-box net] 
Sent: Friday, August 09, 2013 12:12 PM
To: Snort-users
Subject: Re: [Snort-users] Clarification on so_rules

On 2013-08-09 10:10, Joel Esler wrote:
Pulledpork should take care of everything for you. You don't have to do
anything except turn them on via the snort.conf

And yes, you leave them there.

--
Joel Esler

On Aug 9, 2013, at 12:07 PM, James Lay <jlay () slave-tothe-box net> wrote:

All,

I'm wanting to make sure I have this correct, so here goes. According to so_rules/src/README:

To use the shared object rules, the rule stub files must be generated. To do this, follow these instructions:

 1. Make sure the dynamic preprocessor and dynamic engine paths are
    defined in snort.conf, for example:

 dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor
 dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so

 2. Make sure the path to the location of the shared object rules is
    also defined in snort.conf, for example:

 dynamicdetection directory /usr/local/lib/snort_dynamicrule

 3. Dump the stub rules by issuing the command:

 snort -c /usr/local/etc/snort/snort.conf --dump-dynamic-rules=/usr/local/etc/snort/so_rules

 4. Use a variable to define the path to the stub rules, for example:

 var SO_RULE_PATH /usr/local/etc/snort/so_rules

 5. Include the generated stub rule files in snort.conf in the same way
    the regular rules are included, for example:

 include $SO_RULE_PATH/netbios.rules


I use pulledpork, so instead, /opt/etc/rules/so_rules/so_rules.rules is created...so far so good. My question is, what happens with the actual .so files? Do I delete them..move them...something else? Thanks for any insight.

James

Awesome..thanks for the quick response Joel.

James

------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite!
It's a free troubleshooting tool designed for production.
Get down to code-level detail for bottlenecks, with <2% overhead. 
Download for free and get started troubleshooting in minutes. 
http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort
news!


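The five README steps quoted in the thread, plus Joel's answer (leave the .so files where they are), amount to a small consistency check that is easy to automate. The script below is an added example for this archive page, not code from the thread, from pulledpork or from the Snort project: it parses the dynamicengine, dynamicpreprocessor directory and dynamicdetection directory directives out of a snort.conf, expands `var` references in `include` lines, and fails if the shared-object directory has been emptied or a referenced stub file is missing. The stub file only carries the rule header and metadata (the gid:3 marks a shared-object rule); the detection logic lives in the .so, so deleting or moving the .so files is exactly the misconfiguration it catches. All paths, the placeholder .so files and the one-line stub rule are constructed in a temporary directory for the demo.

```shell
#!/bin/sh
# Added example: sanity-check the shared-object rule wiring the so_rules README describes.
# Not part of Snort or pulledpork; every path here is constructed by setup_demo.

# Print the argument of a snort.conf directive ($2) found in $1; return 1 if absent.
conf_path() {
    _p=$(sed -n "s/^[[:space:]]*$2[[:space:]]*//p" "$1" | head -n 1)
    [ -n "$_p" ] || return 1
    printf '%s\n' "$_p"
}

# Expand every $NAME in $2 using the "var NAME value" lines of snort.conf $1.
expand_var() {
    _s=$2
    for _name in $(sed -n 's/^[[:space:]]*var[[:space:]]\{1,\}\([A-Za-z_][A-Za-z0-9_]*\).*/\1/p' "$1"); do
        _val=$(sed -n "s/^[[:space:]]*var[[:space:]]\{1,\}$_name[[:space:]]\{1,\}//p" "$1" | head -n 1)
        _s=$(printf '%s\n' "$_s" | sed "s|\\\$$_name|$_val|g")
    done
    printf '%s\n' "$_s"
}

# Return 0 when the README's requirements hold: engine, preprocessor and detection paths
# exist, the detection directory still holds the .so files, and every included stub exists.
check_so_rules() {
    _conf=$1
    _engine=$(conf_path "$_conf" dynamicengine) || { echo "missing dynamicengine"; return 1; }
    _pp=$(conf_path "$_conf" "dynamicpreprocessor directory") || { echo "missing dynamicpreprocessor directory"; return 1; }
    _det=$(conf_path "$_conf" "dynamicdetection directory") || { echo "missing dynamicdetection directory"; return 1; }
    [ -f "$_engine" ] || { echo "engine library not found: $_engine"; return 1; }
    [ -d "$_pp" ] || { echo "preprocessor directory not found: $_pp"; return 1; }
    [ -d "$_det" ] || { echo "detection directory not found: $_det"; return 1; }
    # The stubs are only headers/metadata; the detection code is in the .so files, so they must stay.
    _n=$(ls "$_det"/*.so 2>/dev/null | wc -l)
    [ "$_n" -gt 0 ] || { echo "no shared-object rules (*.so) in $_det"; return 1; }
    # Every include line must resolve (after var expansion) to an existing stub rules file.
    sed -n 's/^[[:space:]]*include[[:space:]]\{1,\}//p' "$_conf" | while read -r _inc; do
        _f=$(expand_var "$_conf" "$_inc")
        [ -f "$_f" ] || { echo "included rules file missing: $_f"; exit 1; }
    done || return 1
    return 0
}

# Build a throwaway layout mirroring the README's example paths; prints its root.
setup_demo() {
    _root=$(mktemp -d)
    mkdir -p "$_root/lib/snort_dynamicpreprocessor" "$_root/lib/snort_dynamicengine" \
             "$_root/lib/snort_dynamicrule" "$_root/etc/snort/so_rules"
    : > "$_root/lib/snort_dynamicengine/libsf_engine.so"   # placeholder, not a real library
    : > "$_root/lib/snort_dynamicrule/netbios.so"          # placeholder shared-object rule
    # Constructed stub line in the shape --dump-dynamic-rules emits; gid:3 = shared-object rule.
    printf '%s\n' 'alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS placeholder stub"; gid:3; sid:1; rev:1;)' \
        > "$_root/etc/snort/so_rules/netbios.rules"
    cat > "$_root/etc/snort/snort.conf" <<EOF
dynamicpreprocessor directory $_root/lib/snort_dynamicpreprocessor
dynamicengine $_root/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory $_root/lib/snort_dynamicrule
var SO_RULE_PATH $_root/etc/snort/so_rules
include \$SO_RULE_PATH/netbios.rules
EOF
    printf '%s\n' "$_root"
}

# Stand-alone run: a good layout passes, then removing the .so file makes it fail.
demo_root=$(setup_demo)
check_so_rules "$demo_root/etc/snort/snort.conf" && echo "OK: stubs and .so files consistent"
rm "$demo_root/lib/snort_dynamicrule/netbios.so"
check_so_rules "$demo_root/etc/snort/snort.conf" || echo "FAIL as expected after removing the .so"
rm -rf "$demo_root"
```

Point it at a real snort.conf with `check_so_rules /usr/local/etc/snort/snort.conf` after a pulledpork run; the include for pulledpork's single so_rules.rules file resolves the same way as the README's per-category files.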


Current thread: