Snort mailing list archives

Re: [snort-user] Confused about so_rules


From: Joel Esler <jesler () sourcefire com>
Date: Wed, 4 Sep 2013 08:08:08 -0400

Using Pulledpork to update your rules takes care of this entire process for you.  

--
Joel Esler

On Sep 4, 2013, at 5:25 AM, Mayur Patil <ram.nath241089 () gmail com> wrote:

Hi,

   If rule files are already present in the directory /etc/snort/so_rules,
   why do we need to create them again?

 from manual, 

   3. Dump the stub rules by issuing the command:

   snort -c /etc/snort/snort.conf --dump-dynamic-rules=/etc/snort/so_rules

   4. Use a variable to define the path to the stub rules, for example:

       var $SO_RULE_PATH /etc/snort/so_rules

My questions are:

1.   What is meant by "dump the stub rules"?

  I have tried to compile from source in the /so_rules/src directory by giving the make
  command, but it is giving an error,

  so

2. How to compile the so_rules C files directly? And is it necessary to create text rules for so_rules
though we have C language rules?

I have referred these links

http://vrt-blog.snort.org/2009/01/using-vrt-certified-shared-object-rules.html

http://searchitchannel.techtarget.com/tip/How-to-use-shared-object-rules-in-Snort

but 

3. I am not getting how to compile my own so_rules in C language and use them.

I am getting the error
snort[3936]: Encoded Rule Plugin SID: 17132, GID: 3 not registered properly. Disabling this rule.

where I have included the rule in the snort file.

I have referred these links:

http://seclists.org/snort/2012/q2/616

http://forum.pfsense.org/index.php?topic=30289.0

http://comments.gmane.org/gmane.comp.security.ids.snort.general/34197

It's very confusing,

Please guide me,

Thanks !

--
Cheers,
Mayur
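Added example (not part of the thread): a small checker that parses the stub rules `--dump-dynamic-rules` writes and explains why a stub like SID 17132 would be reported as "not registered properly". The stub text and the REGISTERED set are constructed; the soid/gid/sid layout follows the stub format, and in practice the registered pairs come from the shared objects Snort actually loads.

```python
"""Sanity-check Snort shared-object (so_rules) stub rules before loading them."""
import re

# Constructed sample of what --dump-dynamic-rules writes into so_rules/*.rules.
# Only 17132 is from the thread; the other SIDs and all msg texts are made up.
STUB_RULES = """\
# stub rules for the shared object library (constructed sample)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE stub 17132"; metadata: engine shared, soid 3|17132; sid:17132; gid:3; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE stub with mismatched soid"; metadata: engine shared, soid 3|99998; sid:99999; gid:3; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE stub with no library"; metadata: engine shared, soid 3|99997; sid:99997; gid:3; rev:1;)
alert tcp any any -> any any (msg:"EXAMPLE plain text rule"; sid:1000001; rev:1;)
"""

# GID:SID pairs the loaded .so libraries register (constructed). A stub whose
# pair is missing here is what produces "not registered properly. Disabling".
REGISTERED = {(3, 17132)}

# option:value; pairs inside the rule body (values with ';' in quotes are not handled)
OPT_RE = re.compile(r"(\w+)\s*:\s*([^;]*);")


def parse_stub(line):
    """Return gid/sid/shared/soid for one rule line, or None for comments and blanks."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    body = line[line.index("(") + 1:line.rindex(")")]
    opts = dict(OPT_RE.findall(body))
    meta = opts.get("metadata", "")
    m = re.search(r"soid\s+(\d+)\|(\d+)", meta)
    return {
        "gid": int(opts.get("gid", 1)),       # text rules default to GID 1
        "sid": int(opts["sid"]),
        "shared": "engine shared" in meta,    # marks a stub for a shared object
        "soid": (int(m.group(1)), int(m.group(2))) if m else None,
    }


def check_stubs(text, registered):
    """Classify each rule as 'ok' or give the reason Snort would disable it."""
    findings = []
    for line in text.splitlines():
        r = parse_stub(line)
        if r is None:
            continue
        key = (r["gid"], r["sid"])
        if not r["shared"]:
            findings.append((key, "plain text rule, not a stub"))
        elif r["soid"] != key:
            findings.append((key, "soid metadata does not match gid/sid"))
        elif key not in registered:
            findings.append((key, "no shared object registered this GID:SID"))
        else:
            findings.append((key, "ok"))
    return findings
```

Run `check_stubs(STUB_RULES, REGISTERED)` against a freshly dumped so_rules directory and the GID:SID pairs from Snort's startup log to see which stubs will be disabled before restarting the sensor.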