[Snort-sigs] Sourcefire VRT Certified Snort Rules Update

Zultan zultan at ...1298...
Thu Apr 9 16:50:30 EDT 2009


> ----- Original Message -----
> From: "Nigel Houghton" <nhoughton at ...435...>
> To: Zultan <zultan at ...1298...>
> Cc: snort-sigs at lists.sourceforge.net
> Subject: Re: [Snort-sigs] Sourcefire VRT Certified Snort Rules Update
> Date: Thu, 9 Apr 2009 09:30:53 -0400
> 
> 
> On Thu, Apr 9, 2009 at 4:50 AM, Zultan <zultan at ...1298...> wrote:
> > Updated to 2.8.4 today and these rules were not in the latest subscription 
> > rule-set for 2.8.
> >
> > They're in the precompiled .so binaries, but not in the ASCII .rules 
> > so_rules files.
> >
> > DynamicPlugin: Rule [3:15433] not enabled in configuration, rule will not be used.
> > DynamicPlugin: Rule [3:15449] not enabled in configuration, rule will not be used.
> > DynamicPlugin: Rule [3:15450] not enabled in configuration, rule will not be used
> > DynamicPlugin: Rule [3:15451] not enabled in configuration, rule will not be used.
> > DynamicPlugin: Rule [3:15452] not enabled in configuration, rule will not be used.
> >
> > Regards,
> >
> > Z
> 
> http://vrt-sourcefire.blogspot.com/2009/01/using-vrt-certified-shared-object-rules.html
> 
> 
> "Dumping the rules
> 
> To dump the rule stub files into the required location the
> --dump-dynamic-rules option is used like so:
> 
> snort -c /usr/local/etc/snort/snort.conf --dump-dynamic-rules=/usr/local/etc/snort/so_rules
> 
> This command tells snort to use the snort.conf file where it will find
> the dynamic rule files (thanks to the configuration options above) and
> then use those files to generate the stub files and put them into
> /usr/local/etc/snort/so_rules/
> 
> After this is complete, the rule files appear in the directory."
> 
> --
> Nigel Houghton
> Head Mentalist
> SF VRT
> http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/


Thanks Nigel,

If we're supposed to build our own rule stub files, then what's the point of providing an incomplete set in the rules tarball?

Why not just have a README in the so_rules directory that says to do what the VRT blog post says?

Regards,

Z
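
An added example, not part of this thread and not Snort or VRT code: a small check that takes the "not enabled in configuration" startup messages quoted above and reports, for each shared object rule, whether its stub is missing from the so_rules files or present but commented out. The function names and the stub file content are constructed for illustration; the log lines are the ones from the thread.

```python
import re

# Startup message format as quoted in the thread.
NOT_ENABLED = re.compile(r"DynamicPlugin: Rule \[(\d+):(\d+)\] not enabled")
SID = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID = re.compile(r"\bgid\s*:\s*(\d+)\s*;")
ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop")

def unused_rules(startup_log):
    """(gid, sid) pairs Snort loaded from .so files but will not use."""
    return sorted({(int(g), int(s)) for g, s in NOT_ENABLED.findall(startup_log)})

def stub_index(stub_text):
    """Map (gid, sid) -> 'enabled' or 'commented' for every stub rule."""
    index = {}
    for line in stub_text.splitlines():
        stripped = line.strip()
        body = stripped.lstrip("# ")
        sid = SID.search(body)
        if not body.startswith(ACTIONS) or not sid:
            continue
        gid = GID.search(body)
        key = (int(gid.group(1)) if gid else 1, int(sid.group(1)))  # gid defaults to 1
        if index.get(key) != "enabled":  # an enabled copy wins over a commented one
            index[key] = "commented" if stripped.startswith("#") else "enabled"
    return index

def classify(startup_log, stub_text):
    """Explain each unused rule: stub missing, or stub present but commented out."""
    index = stub_index(stub_text)
    return {key: index.get(key, "no stub") for key in unused_rules(startup_log)}

# Messages from the thread, unwrapped.
SAMPLE_LOG = "\n".join(
    f"DynamicPlugin: Rule [3:{sid}] not enabled in configuration, rule will not be used."
    for sid in (15433, 15449, 15450, 15451, 15452))

# Constructed stub file content (placeholder rules, not real VRT stubs).
SAMPLE_STUBS = """\
# alert tcp any any -> any any (msg:"PLACEHOLDER A"; sid:15449; gid:3; rev:1;)
alert tcp any any -> any any (msg:"PLACEHOLDER B"; sid:10000; gid:3; rev:1;)
"""

if __name__ == "__main__":
    for (gid, sid), state in classify(SAMPLE_LOG, SAMPLE_STUBS).items():
        print(f"{gid}:{sid} -> {state}")
```

A "no stub" result points at regenerating the stubs with --dump-dynamic-rules as described in the quoted blog post; a "commented" result means the stub exists and only needs enabling.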


