[Snort-devel] What is SO rule actually?

Russ rucombs at cisco.com
Tue Mar 26 08:17:50 EDT 2019

Hey Damian,

Sorry for the late reply.  SO ("shared object") rules are similar to 
Talos text rules but they contain custom detection logic implemented in 
C++.  They are loaded when Snort starts from dynamic libraries, which 
typically have a .so extension on Linux.  There are several steps to get 
an SO rule working properly and an example is required to make it 
clear.  Unfortunately we don't have an example in snort3_demo, but we 
will push one out by end of week.  That will contain everything you need 
to get rolling.


On 3/3/19 6:57 PM, Damian Chiliński via Snort-devel wrote:
> Hello.
> As part of academic research I'd like to write simple Snort 
> plugin/module that would try to detect DNS tunneling (DNS exfiltration 
> precisely) basing on few heuristics. I've read through Snort 3 Manual 
> and took a look at examples in snort3/snort3_extra repository. After 
> initial research I guess I have some basic concept of available 
> plugins types and their purpose.
> However there's one thing that is still unclear to me: What actually 
> is SO rule? SO rules explanations in manual are a bit... vogue at 
> least. Also "example" in snort3/snort3_extra repo is so simple that it 
> doesn't show anything. How do SO rules work? How does user activate 
> such rule, are they activated somehow in .rules files or directly in 
> .lua config files? How user interacts with such rule (passes some 
> config) and which packets are passed to them? My knowledge regarding 
> SO rules is definitely insufficient and I'm not sure where to look for 
> additional information about them or more examples.
> Best regards
> Damian Chilinski
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.snort.org
> https://lists.snort.org/mailman/listinfo/snort-devel
> Please visithttp://blog.snort.org  for the latest news about Snort!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20190326/6d13524b/attachment.html>

More information about the Snort-devel mailing list