Snort mailing list archives

Re: What is SO rule actually?


From: "Joel Esler (jesler) via Snort-devel" <snort-devel () lists snort org>
Date: Mon, 4 Mar 2019 00:30:21 +0000

However, those SO rules are for Snort 2. We have no released Snort 3 equivalent SO rules yet, as those will be written in a different language.

Sent from my iPad

On Mar 3, 2019, at 7:29 PM, Joel Esler (jesler) <jesler () cisco com> wrote:

Download the Registered or Subscriber rule pack and look in the SO directory

Sent from my iPad

On Mar 3, 2019, at 7:19 PM, Damian Chiliński <lapsio3 () gmail com> wrote:

Thank you.

Is there some example stub rules file I could take a look at?

On Mon, Mar 4, 2019 at 12:59 AM Joel Esler (jesler) <jesler () cisco com> wrote:
Check this out:

https://www.snort.org/faq/shared-object-rules



Sent from my iPad

On Mar 3, 2019, at 6:58 PM, Damian Chiliński via Snort-devel <snort-devel () lists snort org> wrote:

Hello.

As part of academic research I'd like to write a simple Snort plugin/module that would try to detect DNS tunneling (DNS exfiltration, precisely) based on a few heuristics. I've read through the Snort 3 Manual and took a look at the examples in the snort3/snort3_extra repository. After initial research I guess I have some basic concept of the available plugin types and their purpose.

However, there's one thing that is still unclear to me: what actually is an SO rule? The SO rule explanations in the manual are a bit... vague, at least. Also, the "example" in the snort3/snort3_extra repo is so simple that it doesn't show anything. How do SO rules work? How does the user activate such a rule: are they activated somehow in .rules files or directly in .lua config files? How does the user interact with such a rule (pass some config), and which packets are passed to it? My knowledge regarding SO rules is definitely insufficient and I'm not sure where to look for additional information about them or more examples.

Best regards
Damian Chilinski
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
