[Snort-devel] What is SO rule actually?
rucombs at cisco.com
Wed Apr 3 09:23:47 EDT 2019
Check out the updated example in the snort3_demo repo on github now:
tests/ips_actions/so_and_soid/. That has a contrived but more complete
implementation based on content matching and use of the Cursor and
FlowData. The test.bats shows all the steps you need to implement your
own: generate the include, compile, link the so, dump the stub, and
then run using stub and so. Hope that helps.
On 3/26/19 8:17 AM, Russ wrote:
> Hey Damian,
> Sorry for the late reply. SO ("shared object") rules are similar to
> Talos text rules but they contain custom detection logic implemented
> in C++. They are loaded when Snort starts from dynamic libraries,
> which typically have a .so extension on Linux. There are several steps
> to get an SO rule working properly and an example is required to make
> it clear. Unfortunately we don't have an example in snort3_demo, but
> we will push one out by end of week. That will contain everything you
> need to get rolling.
> On 3/3/19 6:57 PM, Damian Chiliński via Snort-devel wrote:
>> As part of academic research I'd like to write a simple Snort
>> plugin/module that would try to detect DNS tunneling (DNS
>> exfiltration precisely) based on a few heuristics. I've read through
>> the Snort 3 Manual and took a look at the examples in the snort3/snort3_extra
>> repository. After initial research I guess I have some basic concept
>> of the available plugin types and their purpose.
>> However there's one thing that is still unclear to me: What actually
>> is an SO rule? The SO rule explanations in the manual are a bit... vague at
>> least. Also the "example" in the snort3/snort3_extra repo is so simple that
>> it doesn't show anything. How do SO rules work? How does a user
>> activate such a rule, are they activated somehow in .rules files or
>> directly in .lua config files? How does a user interact with such a rule
>> (passes some config) and which packets are passed to them? My
>> knowledge regarding SO rules is definitely insufficient and I'm not
>> sure where to look for additional information about them or more
>> Best regards
>> Damian Chilinski
>> Snort-devel mailing list
>> Snort-devel at lists.snort.org
>> Please visit http://blog.snort.org for the latest news about Snort!