Re: Question on compiled (.so) rules with Snort3 from the LightSPD ruleset

[Noah Dietrich <noah_dietrich () 86penny org>]

Following up on this question to see if anyone has an answer.
thanks
Noah


On Sat, Dec 11, 2021 at 11:30 AM Noah Dietrich <noah_dietrich () 86penny org>
wrote:

> adding the snort-devel list as well, as i have some compilation questions
> on the lightspd ruleset.
>
> I managed to get rules compiled
> note: i had to install the snort_extras package before rules would compile.
>
> After downloading the latest LightSPD package (version 2021-12-08-001),
> the registered (not paid) version:  I extract the TGZ and navigate
> into lightspd/modules/src.
> I fixed a few things:
> 1. chmod a+x generate_category.sh
> 2. modify the makefile so that the prefix is /usr/local
>     (line 1) PREFIX ?= /usr/local
>
> i run make, and the .so and .rules files are created with no errors. I
> copy the rules and so files to their respective locations and run snort
> (with the default snort.lua):
> snort -c /usr/local/etc/snort/snort.lua --rule-path /usr/local/etc/rules
> --plugin-path /usr/local/etc/so_rules/
>
> This works, and I load 96 rules.
>
> However, when I use the pre-compiled rules, I get closer to 3000 rules
> loaded.
>
> Am I doing something wrong, or do the .cc rules not provide as many rules
> as the pre-compiled rules for each distro?
>
> thanks
> Noah
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> On Thu, Dec 9, 2021 at 9:02 PM Noah Dietrich <noah_dietrich () 86penny org>
> wrote:
>
> > I'm working on adding functionality to PulledPork3, and I have a few
> > questions on the pre-compiled (.so) rules.
> >
> > I'm focused specifically on Snort 3 with the LightSPD ruleset format, but
> > I think these questions are fairly generic.
> >
> > let me start with what i know about how this works (so anyone can correct
> > any misconceptions i have):
> >
> > For a few supported platforms (centos-x64  debian-x64  fc-x64
> >  opensuse-x64  ubuntu-x64 ) to use the precompiled rules: all you need to
> > do is reference the folder containing all the .so rules for that platform
> > with the *--plugin-path* option, and include the rules from the stubs
> > folder.  for example:
> >
> > /usr/local/bin/snort --plugin-path lightspd/modules/
> > 3.1.15.0/ubuntu-x64/so_rules/ --rule-path lightspd/modules/stubs/ -c
> > /usr/local/etc/snort/snort.lua
> >
> > (the above command works great for me with Snort 3.1.17.0 on Ubuntu x64)
> >
> > I understand that the *--dump-dynamic-rules* option can be used to
> > generate the stub files from the .so rules, but it seems like that's not
> > necessary for the distros listed above since for the distros, these stubs
> > are included. This would only be needed if you were to compile the .so
> > rules from the .cc files located in the lightspd/modules/src folder (let me
> > know if this assumption is incorrect).
> >
> > What is the process for compiling the .cc files in the
> > lightspd/modules/src folder into .so rules?  I tried running the makefile
> > included in the src directory, but it looks like it needs some of the files
> > from the snort3 repo:
> >
> > fatal error: main/snort_types.h: No such file or directory
> >
> >
> > Additionally: assuming I can compile these rules myself into .so files,
> > are the rules included different from the pre-compiled rules (meaning I
> > would need to use the --dump-dynamic-rules option with snort to generate
> > the stub files, rather than using the included stub files)?
> >
> > Thank you
> > Noah
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!