[Snort-devel] What is SO rule actually?
rucombs at cisco.com
Tue Mar 26 08:17:50 EDT 2019
Sorry for the late reply. SO ("shared object") rules are similar to
Talos text rules but they contain custom detection logic implemented in
C++. They are loaded when Snort starts from dynamic libraries, which
typically have a .so extension on Linux. There are several steps to get
an SO rule working properly and an example is required to make it
clear. Unfortunately we don't have an example in snort3_demo, but we
will push one out by end of week. That will contain everything you need
to get rolling.
On 3/3/19 6:57 PM, Damian Chiliński via Snort-devel wrote:
> As part of academic research I'd like to write a simple Snort
> plugin/module that would try to detect DNS tunneling (DNS exfiltration,
> precisely) based on a few heuristics. I've read through the Snort 3 Manual
> and took a look at the examples in the snort3/snort3_extra repository. After
> initial research I guess I have some basic concept of the available
> plugin types and their purpose.
> However there's one thing that is still unclear to me: what actually
> is an SO rule? The SO rule explanations in the manual are a bit... vague at
> least. Also the "example" in the snort3/snort3_extra repo is so simple that it
> doesn't show anything. How do SO rules work? How does a user activate
> such a rule: are they activated somehow in .rules files or directly in
> .lua config files? How does a user interact with such a rule (pass some
> config) and which packets are passed to them? My knowledge regarding
> SO rules is definitely insufficient and I'm not sure where to look for
> additional information about them or more examples.
> Best regards
> Damian Chilinski
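The reply above describes an SO rule as custom detection logic compiled into a shared library, and the question asks about DNS exfiltration heuristics. The following is an added illustration, not code from this thread, from Snort or from Talos: it models the kind of per-query checks such detection logic might apply, written in plain Python so it runs outside Snort. The thresholds, the fixed two-label zone split and the sample query names are constructed assumptions chosen for illustration, not values from the thread or tuned production settings.

```python
"""Heuristic DNS exfiltration scoring (illustrative, not Snort code).

Models the checks a custom detection routine might run on each DNS query:
  - a single label that is unusually long,
  - a high-entropy subdomain (encoded payloads look random),
  - too many distinct subdomains under one zone (tunnels mint a new name
    per chunk of data).
Thresholds and sample names are assumptions, not tuned values.
"""
import math
from collections import Counter, defaultdict

# Assumed thresholds for illustration only.
MAX_LABEL_LEN = 40            # a single label longer than this is suspicious
MIN_ENTROPY = 3.5             # bits/char of the subdomain part
MIN_ENTROPY_LEN = 16          # entropy is unreliable on very short strings
MAX_UNIQUE_SUBDOMAINS = 50    # distinct subdomains per zone before flagging


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of text (0.0 for an empty string)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def split_qname(qname: str, zone_labels: int = 2):
    """Split 'a.b.example.com' into ('a.b', 'example.com').

    Using a fixed label count is an assumption; a real deployment would
    consult a public suffix list to find the registrable zone.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= zone_labels:
        return "", ".".join(labels)
    return ".".join(labels[:-zone_labels]), ".".join(labels[-zone_labels:])


def query_features(qname: str) -> dict:
    """Per-query shape features used by the heuristics."""
    sub, zone = split_qname(qname)
    labels = sub.split(".") if sub else []
    payload = sub.replace(".", "")
    return {
        "zone": zone,
        "subdomain": sub,
        "longest_label": max((len(lbl) for lbl in labels), default=0),
        "payload_len": len(payload),
        "entropy": shannon_entropy(payload),
    }


class DnsExfilDetector:
    """Stateful scorer: per-query shape checks plus a per-zone volume check."""

    def __init__(self):
        # zone -> set of distinct subdomains seen under it
        self.seen_subdomains = defaultdict(set)

    def observe(self, qname: str) -> list:
        """Return the names of the heuristics this query triggers."""
        f = query_features(qname)
        reasons = []
        if f["longest_label"] > MAX_LABEL_LEN:
            reasons.append("long_label")
        # Skip the entropy test on short names: a 12-character hex CDN label
        # has near-maximal entropy but is not evidence of tunneling.
        if f["payload_len"] >= MIN_ENTROPY_LEN and f["entropy"] >= MIN_ENTROPY:
            reasons.append("high_entropy")
        self.seen_subdomains[f["zone"]].add(f["subdomain"])
        if len(self.seen_subdomains[f["zone"]]) > MAX_UNIQUE_SUBDOMAINS:
            reasons.append("many_unique_subdomains")
        return reasons


# Constructed sample query names; the encoded-looking labels are made up.
SAMPLE_QUERIES = [
    "www.example.com",
    "a3f9c2e1b7d4.tunnel-test.example",
    "mfrggzdfmztwq2lknnwg23tpobswg3djmfrggzdfmztwq2lk.tunnel-test.example",
]

if __name__ == "__main__":
    det = DnsExfilDetector()
    for q in SAMPLE_QUERIES:
        print(q, "->", det.observe(q) or "clean")
```

The short hex label is deliberately left unflagged: short strings with all-distinct characters score high on entropy alone, so the length gate exists to keep ordinary CDN and hash-style hostnames from tripping the rule, while the volume check catches tunnels whose individual names look innocuous.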