Re: Which so_rules to use

["Joel Esler (jesler)" <jesler () cisco com>]

Precompiled contains everything.   The ones you compile yourself exclude the rules you can't compile yourself.   The 
advantage is, you can read the source code for those.   



--
Sent from my iPhone

> On May 28, 2017, at 13:33, Charlie Dyer <charlierwdyer () gmail com> wrote:
>
> Could someone from Cisco or Snort team provide a definitive answer, or link
> to documentation that explains the difference between precomputed and built
> from source so_rules, the scenarios where you would use one over the other
> and whether you would ever want to use both, and how to do that.
>
> Many thanks, appreciate your responses.
>
> Chaz
>
> > On Sunday, May 28, 2017, James Lay <jlay () slave-tothe-box net> wrote:
> >
> > Probably.  Truth be told I've never got with the source...just rolled with
> > the precompiled and never had a second thought about it ☺
> >
> > On Sun, 2017-05-28 at 17:05 +0100, Charlie Dyer wrote:
> >
> > But then don't you miss out on the detections that only Cisco has, 0days
> > and NDA detections for example, that won't have source like Joel mentioned
> > in the initial reply?
> >
> >
> >
> > On Sunday, May 28, 2017, James Lay <jlay () slave-tothe-box net
> > <javascript:_e(%7B%7D,'cvml','jlay () slave-tothe-box net');>> wrote:
> >
> > If it was me I would go from source if possible, so I can tweak it to
> > my exact system.
> > James
> > > On Sun, 2017-05-28 at 10:16 +0100, Charlie Dyer wrote:
> > > Is anyone able to answer the query below?
> > >
> > > Essentially,  if you have two .so files with the same name, one
> > > compiled
> > > from src and one precompiled, which should you use?
> > >
> > > Many thanks
> > >
> > > On Wednesday, May 24, 2017, Charlie Dyer <charlierwdyer () gmail com>
> > > wrote:
> > >
> > > > Yes I've compiled the src, my question is if you have two .so files
> > > > with
> > > > the same name, one compiled from src and one precompiled, which
> > > > should you
> > > > use?
> > > > As you say the precompiled one will have stuff in that the src
> > > > doesn't,
> > > > but will the src .so files have stuff in the precompiled ones
> > > > don't?
> > > >
> > > >
> > > > On Wed, May 24, 2017 at 8:55 PM, Joel Esler (jesler)
> > > > com
> > > > 'jesler () cisco com');>> wrote:
> > > >
> > > > > If we provide the src, you can compile them on your own.  The
> > > > > pre-compiled ones are without src, and contain a ton of detection
> > > > > not
> > > > > available anywhere else (zero-days that only we have protection
> > > > > for, etc).
> > > > >
> > > > >
> > > > >
> > > > > *--*
> > > > > *Joel Esler *| *Talos:* Manager | jesler () cisco com
> > > > > 'jesler () cisco com');>
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > On May 24, 2017, at 3:06 PM, Charlie Dyer
> > > > > m
> > > > > 'charlierwdyer () gmail com');>> wrote:
> > > > >
> > > > > Thanks for your reply, I'll take a look at pulledpork.
> > > > > Can you tell me if the .so files are actually the same and the
> > > > > size
> > > > > difference is just down to compilation differences? Or do the
> > > > > precompiled
> > > > > and src .so files essentially contain different 'stuff'?
> > > > >
> > > > >
> > > > > On Wed, May 24, 2017 at 5:29 PM, Joel Esler (jesler)
> > > > > o.com
> > > > > 'jesler () cisco com');>> wrote:
> > > > >
> > > > > > You should use pulledpork to manage your ruleset, it will take
> > > > > > care of
> > > > > > which version you need, according to the operating system you
> > > > > > are using or
> > > > > > the one you specify.
> > > > > >
> > > > > > *--*
> > > > > > *Joel Esler *| *Talos:* Manager | jesler () cisco com
> > > > > > 'jesler () cisco com');>
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > On May 24, 2017, at 9:14 AM, Charlie Dyer
> > > > > > com
> > > > > > 'charlierwdyer () gmail com');>>
> > > > > > wrote:
> > > > > >
> > > > > > Hello
> > > > > >
> > > > > > I've compiled the so_rules from the src folder but see there
> > > > > > are
> > > > > > precompiled so_rules with the same name, but some of them have
> > > > > > vastly
> > > > > > different file sizes.  There are also precompiled .so files
> > > > > > which aren't
> > > > > > in
> > > > > > the src folder once compiled and vice versa.
> > > > > >
> > > > > > Does anyone know which .so files to use?  For example there is
> > > > > > a
> > > > > > file-flash.so in the precompiled folder and the src folder,
> > > > > > which should
> > > > > > I
> > > > > > use?
> > > > > >
> > > > > > Many thanks
> > > > > > ------------------------------------------------------------
> > > > > > ------------------
> > > > > > Check out the vibrant tech community on one of the world's most
> > > > > > engaging tech sites, Slashdot.org <http://slashdot.org/>!
> > > > > > http://sdm.link/slashdot
> > > > > > _______________________________________________
> > > > > > Snort-users mailing list
> > > > > > Snort-users () lists sourceforge net
> > > > > > 'Snort-users () lists sourceforge net
> > > > > > ');>
> > > > > > Go to this URL to change user options or unsubscribe:
> > > > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > > > Snort-users list archive:
> > > > > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-u
> > > > > > sers
> > > > > >
> > > > > > Please visit http://blog.snort.org to stay current on all the
> > > > > > latest
> > > > > > Snort news!
> > > -------------------------------------------------------------------
> > > -----------
> > > Check out the vibrant tech community on one of the world's most
> > > engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > >
> > > Please visit http://blog.snort.org to stay current on all the latest
> > > Snort news!
> > ------------------------------------------------------------
> > ------------------
> > Check out the vibrant tech community on one of the world's most
> > engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> > Snort news!
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!