Re: What is SO rule actually?

[Russ via Snort-devel <snort-devel () lists snort org>]

Checkout the updated example in the snort3_demo repo on github now: 
tests/ips_actions/so_and_soid/.  That has a contrived but more complete 
implementation based on content matching and use of the Cursor and 
FlowData.  The test.bats shows all the steps you need to implement your 
own:  generate the include, compile, link the so, dump the stub, and 
then run using stub and so.  Hope that helps.

Russ

On 3/26/19 8:17 AM, Russ wrote:
> Hey Damian,
>
> Sorry for the late reply.  SO ("shared object") rules are similar to 
> Talos text rules but they contain custom detection logic implemented 
> in C++.  They are loaded when Snort starts from dynamic libraries, 
> which typically have a .so extension on Linux. There are several steps 
> to get an SO rule working properly and an example is required to make 
> it clear.  Unfortunately we don't have an example in snort3_demo, but 
> we will push one out by end of week.  That will contain everything you 
> need to get rolling.
>
> Thanks
> Russ
>
> On 3/3/19 6:57 PM, Damian Chiliński via Snort-devel wrote:
> > Hello.
> >
> > As part of academic research I'd like to write simple Snort 
> > plugin/module that would try to detect DNS tunneling (DNS 
> > exfiltration precisely) basing on few heuristics. I've read through 
> > Snort 3 Manual and took a look at examples in snort3/snort3_extra 
> > repository. After initial research I guess I have some basic concept 
> > of available plugins types and their purpose.
> >
> > However there's one thing that is still unclear to me: What actually 
> > is SO rule? SO rules explanations in manual are a bit... vogue at 
> > least. Also "example" in snort3/snort3_extra repo is so simple that 
> > it doesn't show anything. How do SO rules work? How does user 
> > activate such rule, are they activated somehow in .rules files or 
> > directly in .lua config files? How user interacts with such rule 
> > (passes some config) and which packets are passed to them? My 
> > knowledge regarding SO rules is definitely insufficient and I'm not 
> > sure where to look for additional information about them or more 
> > examples.
> >
> > Best regards
> > Damian Chilinski
> >
> > _______________________________________________
> > Snort-devel mailing list
> > Snort-devel () lists snort org
> > https://lists.snort.org/mailman/listinfo/snort-devel
> >
> > Please visithttp://blog.snort.org  for the latest news about Snort!

_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!