[Snort-devel] What is SO rule actually?

Damian Chiliński lapsio3 at gmail.com
Sun Mar 3 18:57:00 EST 2019


As part of academic research I'd like to write a simple Snort plugin/module
that would try to detect DNS tunneling (DNS exfiltration, precisely) based
on a few heuristics. I've read through the Snort 3 Manual and taken a look at the
examples in the snort3/snort3_extra repository. After this initial research I guess
I have some basic concept of the available plugin types and their purpose.

However, there's one thing that is still unclear to me: what actually is an SO
rule? The SO rule explanations in the manual are a bit... vague, to say the least. Also,
the "example" in the snort3/snort3_extra repo is so simple that it doesn't show
anything. How do SO rules work? How does a user activate such a rule: are they
activated somehow in .rules files or directly in .lua config files? How does a
user interact with such a rule (pass some config), and which packets are
passed to it? My knowledge regarding SO rules is definitely insufficient,
and I'm not sure where to look for additional information about them or
more examples.

Best regards
Damian Chilinski
