[Snort-devel] What is SO rule actually?

Joel Esler (jesler) jesler at cisco.com
Sun Mar 3 19:30:21 EST 2019


However, those SO rules are for Snort 2.  We have no released Snort 3 equivalent SO rules yet, as those will be written in a different language.

Sent from my iPad

> On Mar 3, 2019, at 7:29 PM, Joel Esler (jesler) <jesler at cisco.com> wrote:
> 
> Download the Registered or Subscriber rule pack and look in the SO directory
> 
> Sent from my iPad
> 
>> On Mar 3, 2019, at 7:19 PM, Damian Chiliński <lapsio3 at gmail.com> wrote:
>> 
>> Thank you.
>> 
>> Is there some example stub rules file I could take a look at?
>> 
>>> On Mon, Mar 4, 2019 at 12:59 AM Joel Esler (jesler) <jesler at cisco.com> wrote:
>>> Check this out:
>>> 
>>> https://www.snort.org/faq/shared-object-rules
>>> 
>>> 
>>> 
>>> Sent from my iPad
>>> 
>>>> On Mar 3, 2019, at 6:58 PM, Damian Chiliński via Snort-devel <snort-devel at lists.snort.org> wrote:
>>>> 
>>>> Hello.
>>>> 
>>>> As part of academic research I'd like to write a simple Snort plugin/module that would try to detect DNS tunneling (DNS exfiltration, precisely) based on a few heuristics. I've read through the Snort 3 Manual and took a look at the examples in the snort3/snort3_extra repository. After initial research I guess I have some basic concept of the available plugin types and their purpose.
>>>> 
>>>> However, there's one thing that is still unclear to me: what actually is an SO rule? The SO rule explanations in the manual are a bit... vague, to say the least. Also, the "example" in the snort3/snort3_extra repo is so simple that it doesn't show anything. How do SO rules work? How does a user activate such a rule; are they activated somehow in .rules files or directly in .lua config files? How does a user interact with such a rule (pass some config), and which packets are passed to them? My knowledge regarding SO rules is definitely insufficient and I'm not sure where to look for additional information about them or more examples.
>>>> 
>>>> Best regards
>>>> Damian Chilinski
>>>> _______________________________________________
>>>> Snort-devel mailing list
>>>> Snort-devel at lists.snort.org
>>>> https://lists.snort.org/mailman/listinfo/snort-devel
>>>> 
>>>> Please visit http://blog.snort.org for the latest news about Snort!