[Snort-devel] What is SO rule actually?

Russ rucombs at cisco.com
Wed Apr 3 09:23:47 EDT 2019

Checkout the updated example in the snort3_demo repo on github now: 
tests/ips_actions/so_and_soid/.  That has a contrived but more complete 
implementation based on content matching and use of the Cursor and 
FlowData.  The test.bats shows all the steps you need to implement your 
own:  generate the include, compile, link the so, dump the stub, and 
then run using stub and so.  Hope that helps.


On 3/26/19 8:17 AM, Russ wrote:
> Hey Damian,
> Sorry for the late reply.  SO ("shared object") rules are similar to 
> Talos text rules but they contain custom detection logic implemented 
> in C++.  They are loaded when Snort starts from dynamic libraries, 
> which typically have a .so extension on Linux. There are several steps 
> to get an SO rule working properly and an example is required to make 
> it clear.  Unfortunately we don't have an example in snort3_demo, but 
> we will push one out by end of week.  That will contain everything you 
> need to get rolling.
> Thanks
> Russ
> On 3/3/19 6:57 PM, Damian Chiliński via Snort-devel wrote:
>> Hello.
>> As part of academic research I'd like to write simple Snort 
>> plugin/module that would try to detect DNS tunneling (DNS 
>> exfiltration precisely) basing on few heuristics. I've read through 
>> Snort 3 Manual and took a look at examples in snort3/snort3_extra 
>> repository. After initial research I guess I have some basic concept 
>> of available plugins types and their purpose.
>> However there's one thing that is still unclear to me: What actually 
>> is SO rule? SO rules explanations in manual are a bit... vogue at 
>> least. Also "example" in snort3/snort3_extra repo is so simple that 
>> it doesn't show anything. How do SO rules work? How does user 
>> activate such rule, are they activated somehow in .rules files or 
>> directly in .lua config files? How user interacts with such rule 
>> (passes some config) and which packets are passed to them? My 
>> knowledge regarding SO rules is definitely insufficient and I'm not 
>> sure where to look for additional information about them or more 
>> examples.
>> Best regards
>> Damian Chilinski
>> _______________________________________________
>> Snort-devel mailing list
>> Snort-devel at lists.snort.org
>> https://lists.snort.org/mailman/listinfo/snort-devel
>> Please visithttp://blog.snort.org  for the latest news about Snort!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20190403/449364ce/attachment.html>

More information about the Snort-devel mailing list