Snort mailing list archives

Re: Snort SO Compiler


From: wkitty42 () windstream net
Date: Tue, 17 Nov 2015 12:51:31 -0500

On 11/17/2015 08:11 AM, Rob Weiss wrote:
> We are looking at how to compile the rules into SOs to distribute them to our
> snort instances. The docs are hard to follow and it seems like whatever process
> that is available is not working for us at the moment.
>
> Is there a concise guide? Does snort, itself, dump the rules into SOs? Or does
> it only dump the SOs that were initially loaded into snort?
>
> Hope this is not too confusing.

SO rules (GID 3) are binary... they are written in C code (i think) and then 
compiled for your OS... only the SO rules' stubs are "dumped" so they are 
available in the rules directory...

GID 1 rules are built into snort and its preprocessors...

GID 2 rules are the most common rules... they are text based in the normal 
*.rules files...


when you update your SO rules, you do need to run the dump process so that snort 
will recognize their changes... after that, they don't need to be "dumped" again 
until their next update... all this "dump" process does is to output textual 
stubs so that you can easily enable or disable them by commenting or not their 
stub...


i may be off on a little of the above and if so, i'm sure that someone else will 
jump in and clarify better ;)

-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
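
An added example, not from this thread or the Snort project, of what the textual stubs that `snort --dump-dynamic-rules=<dir>` writes for GID 3 rules look like and how to check which of them are enabled after an update; the stub file below is constructed, with placeholder SIDs and messages.

```shell
#!/bin/sh
# Added example (not from the thread): inspect the textual stubs that
# `snort --dump-dynamic-rules=<dir>` writes for SO (GID 3) rules and report
# which stubs are enabled and which are commented out (disabled).

# Constructed sample stub file, laid out like a dumped so_rules/*.rules file.
# The SIDs and messages are placeholders; the detection logic of an SO rule
# lives in the compiled .so, never in the stub.
SAMPLE_STUBS="${TMPDIR:-/tmp}/example_so_stubs.rules"
cat > "$SAMPLE_STUBS" <<'EOF'
# stubs dumped from example.so (constructed)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"EXAMPLE so rule one"; sid:90001; gid:3; rev:1; metadata:engine shared, soid 3|90001; )
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( msg:"EXAMPLE so rule two"; sid:90002; gid:3; rev:2; metadata:engine shared, soid 3|90002; )
alert udp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"EXAMPLE so rule three"; sid:90003; gid:3; rev:1; metadata:engine shared, soid 3|90003; )
EOF

# so_stub_status FILE
# Prints one line per stub: "<enabled|disabled> <gid>:<sid>:<rev>".
# A stub whose action keyword is preceded by "#" is disabled, which is exactly
# how the dumped stubs are meant to be toggled.
so_stub_status() {
    awk '
        /^[# \t]*(alert|drop|sdrop|reject|pass|log)[ \t]/ {
            state = ($0 ~ /^[ \t]*#/) ? "disabled" : "enabled"
            gid = "?"; sid = "?"; rev = "?"
            if (match($0, /gid:[0-9]+/)) gid = substr($0, RSTART + 4, RLENGTH - 4)
            if (match($0, /sid:[0-9]+/)) sid = substr($0, RSTART + 4, RLENGTH - 4)
            if (match($0, /rev:[0-9]+/)) rev = substr($0, RSTART + 4, RLENGTH - 4)
            print state, gid ":" sid ":" rev
        }' "$1"
}

# so_stub_enabled_count FILE
# Prints how many stubs are active: a quick sanity check after a rule update
# that the stubs you expect to be live really are.
so_stub_enabled_count() {
    so_stub_status "$1" | grep -c '^enabled'
}

so_stub_status "$SAMPLE_STUBS"
```

Run it against the real stub directory instead of the constructed file to see which SO rules are currently commented out.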

------------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
