Snort mailing list archives
What is SO rule actually?
From: Damian Chiliński via Snort-devel <snort-devel () lists snort org>
Date: Mon, 4 Mar 2019 00:57:00 +0100
Hello. As part of academic research I'd like to write simple Snort plugin/module that would try to detect DNS tunneling (DNS exfiltration precisely) basing on few heuristics. I've read through Snort 3 Manual and took a look at examples in snort3/snort3_extra repository. After initial research I guess I have some basic concept of available plugins types and their purpose. However there's one thing that is still unclear to me: What actually is SO rule? SO rules explanations in manual are a bit... vogue at least. Also "example" in snort3/snort3_extra repo is so simple that it doesn't show anything. How do SO rules work? How does user activate such rule, are they activated somehow in .rules files or directly in .lua config files? How user interacts with such rule (passes some config) and which packets are passed to them? My knowledge regarding SO rules is definitely insufficient and I'm not sure where to look for additional information about them or more examples. Best regards Damian Chilinski
_______________________________________________ Snort-devel mailing list Snort-devel () lists snort org https://lists.snort.org/mailman/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- What is SO rule actually? Damian Chiliński via Snort-devel (Mar 03)
- Message not available
- Message not available
- Re: What is SO rule actually? Joel Esler (jesler) via Snort-devel (Mar 03)
- Re: What is SO rule actually? Joel Esler (jesler) via Snort-devel (Mar 03)
- Message not available
- Message not available
- Re: What is SO rule actually? Russ via Snort-devel (Mar 26)