[Snort-devel] Compile so rules in C language

Patrick Mullen pmullen at ...402...
Thu Sep 12 09:22:24 EDT 2013


Hello again, Mayur!

Most of the answer to your question is in the blog post I pointed you
to in July, located here --

http://vrt-blog.snort.org/2010/02/introduction-to-shared-object-rules.html

Once you've written the C the way you want it, getting it into Snort is
fairly straightforward, assuming you've gotten your other Shared
Object rules to work.

1) make sure you follow the proper naming scheme for the file.  I'll
say to just call it "misc_mayur.c" to make it easy but the full
description is in the blog post.

2) put the SO rule, misc_mayur.c, into the directory with your other
shared object rules

3) type `make` in the directory with the SO rule files

If things don't work from there, there are four things to check --

1) SNORT_VERSION in the Makefile in the SO rules directory needs to be
set for your version of snort

2) BASEDIR in the Makefile needs to point to your snort sources.  I
*think* that you need to have compiled snort in that directory.

3) "dynamicdetection directory" in your snort.conf needs to point to
the directory where you have the compiled shared object rules (the
same directory as the shared objects source by default)

4) SO_RULE_PATH in your snort.conf needs to point to the directory
with your shared object stub rules (the same directory as the shared
object source by default)


Good luck!

~Patrick

On Wed, Sep 11, 2013 at 5:33 AM, Mayur Patil <ram.nath241089 at ...2499...> wrote:
> Hi,
>
>    I have generated rules in C language of shared object.
>
>    Is there any tutorial or blog post on how to compile C language
>    source code to generate our own "shared object rules"?
>
>    I also followed this thread but did not get sufficient insight/understanding
>
>    http://seclists.org/snort/2011/q3/623
>
>    Seeking for guidance,
>
>    Thanks !!
>
> --
> Cheers,
> Mayur.



-- 
Patrick Mullen
Response Research Manager
Sourcefire VRT
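
The four checks listed in the message above, gathered into a preflight script. This is an added example, not part of the original message or of Sourcefire's tooling; the file formats it parses, the `.so`/`.rules` suffixes, the helper names and the sample tree are assumptions.

```shell
#!/bin/sh
# Added example: preflight for the four checks listed above (not VRT tooling).
# Assumed: Makefile lines "NAME = value"; snort.conf lines "dynamicdetection
# directory <dir>" and "var SO_RULE_PATH <dir>"; compiled rules end in .so, stubs
# in .rules; relative paths resolve against the directory of the file naming them.

mk_var() {  # mk_var <Makefile> <NAME>: value of the last assignment to NAME
    sed -n "s/^[[:space:]]*$2[[:space:]]*[:?]\{0,1\}=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}
conf_val() {  # conf_val <snort.conf> <word>...: token that follows those words
    f=$1; shift
    awk -v want="$*" '$1 ~ /^#/ { next }
        { n = split(want, w, " "); ok = (NF > n)
          for (i = 1; i <= n; i++) if ($i != w[i]) ok = 0
          if (ok) { print $(n + 1); exit } }' "$f"
}
abs() {  # abs <base dir> <path>: empty stays empty, absolute stays absolute
    case $2 in '') ;; /*) printf '%s\n' "$2" ;; *) printf '%s\n' "$1/$2" ;; esac
}
has_files() { [ -d "$1" ] && ls -- "$1"/$2 >/dev/null 2>&1; }  # $2 is a glob

check() {  # check <description> <command>...: print result, count failures
    d=$1; shift
    if "$@"; then echo "ok   $d"; else echo "FAIL $d"; fails=$((fails + 1)); fi
}
preflight() {  # preflight <so_rules Makefile> <snort.conf>: returns failure count
    fails=0
    ver=$(mk_var "$1" SNORT_VERSION)
    base=$(abs "$(dirname "$1")" "$(mk_var "$1" BASEDIR)")
    dyn=$(abs "$(dirname "$2")" "$(conf_val "$2" dynamicdetection directory)")
    stubs=$(abs "$(dirname "$2")" "$(conf_val "$2" var SO_RULE_PATH)")
    check "1) SNORT_VERSION set: '$ver' (compare with snort -V)" [ -n "$ver" ]
    check "2) BASEDIR is a directory: '$base'" [ -d "$base" ]
    check "3) dynamicdetection directory has .so files: '$dyn'" has_files "$dyn" '*.so'
    check "4) SO_RULE_PATH has stub .rules files: '$stubs'" has_files "$stubs" '*.rules'
    return "$fails"
}

make_sample() {  # constructed tree under $1; every name and value is made up
    mkdir -p "$1/snort-src" "$1/so_rules"
    printf 'SNORT_VERSION = x.y.z\nBASEDIR = ../snort-src\n' >"$1/so_rules/Makefile"
    printf 'dynamicdetection directory %s/so_rules\nvar SO_RULE_PATH so_rules\n' \
        "$1" >"$1/snort.conf"
    : >"$1/so_rules/misc_mayur.so"; : >"$1/so_rules/misc_mayur.rules"
}

if [ $# -eq 2 ]; then preflight "$1" "$2"   # check a real installation
else t=$(mktemp -d); make_sample "$t"        # no arguments: run on the sample
    preflight "$t/so_rules/Makefile" "$t/snort.conf"; rm -rf "$t"; fi
```

Run with the SO rules Makefile and snort.conf as arguments to check a real tree; the exit status is the number of failed checks.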



