[Snort-sigs] Sourcefire VRT Certified Snort Rules Update

Sethsec sethsec at ...2420...
Mon Apr 20 12:38:53 EDT 2009


Not a bad idea at all. I second!

Might help avoid a false sense of confidence for those first wrapping  
their heads around so rules.


On Apr 9, 2009, at 4:50 PM, Zultan <zultan at ...1298...> wrote:

>
>> ----- Original Message -----
>> From: "Nigel Houghton" <nhoughton at ...435...>
>> To: Zultan <zultan at ...1298...>
>> Cc: snort-sigs at lists.sourceforge.net
>> Subject: Re: [Snort-sigs] Sourcefire VRT Certified Snort Rules Update
>> Date: Thu, 9 Apr 2009 09:30:53 -0400
>>
>>
>> On Thu, Apr 9, 2009 at 4:50 AM, Zultan <zultan at ...1298...> wrote:
>>> Updated to 2.8.4 today and these rules were not in the latest subscription
>>> rule-set for 2.8.
>>>
>>> They're in the precompiled .so binaries, but not in the ASCII .rules
>>> so_rules files.
>>>
>>> DynamicPlugin: Rule [3:15433] not enabled in configuration, rule will not be used.
>>> DynamicPlugin: Rule [3:15449] not enabled in configuration, rule will not be used.
>>> DynamicPlugin: Rule [3:15450] not enabled in configuration, rule will not be used
>>> DynamicPlugin: Rule [3:15451] not enabled in configuration, rule will not be used.
>>> DynamicPlugin: Rule [3:15452] not enabled in configuration, rule will not be used.
>>>
>>> Regards,
>>>
>>> Z
>>
>> http://vrt-sourcefire.blogspot.com/2009/01/using-vrt-certified-shared-object-rules.html
>>
>>
>> "Dumping the rules
>>
>> To dump the rule stub files into the required location the
>> --dump-dynamic-rules option is used like so:
>>
>> snort -c /usr/local/etc/snort/snort.conf --dump-dynamic-rules=/usr/local/etc/snort/so_rules
>>
>> This command tells snort to use the snort.conf file where it will find
>> the dynamic rule files (thanks to the configuration options above) and
>> then use those files to generate the stub files and put them into
>> /usr/local/etc/snort/so_rules/
>>
>> After this is complete, the rule files appear in the directory."
>>
>> --
>> Nigel Houghton
>> Head Mentalist
>> SF VRT
>> http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
>
> Thanks Nigel,
>
> If we're supposed to build our own rule stub files, then what's the
> point of providing an incomplete set in the rules tarball?
>
> Why not just have a README in the so_rules directory that says to do
> what the VRT blog post says?
>
> Regards,
>
> Z
>
>
>
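
Added example, not part of the original thread: a shell check that takes the "DynamicPlugin: Rule [gid:sid] not enabled" warnings quoted above and reports, for each one, whether the so_rules directory has no stub for it, a commented-out stub, or an active stub. The function names, the status words and the sample log and stub file are constructed for illustration; it assumes stub rules carry `sid:` and `gid:` options in ordinary Snort rule syntax.

```shell
#!/bin/sh
# For each "DynamicPlugin: Rule [gid:sid] not enabled" warning in a Snort
# startup log, report whether a stub rule exists in the so_rules directory.
# Usage: so_stub_status SNORT_LOG SO_RULES_DIR   (hypothetical helper name)
so_stub_status() {
    log=$1; dir=$2
    # Extract "gid sid" pairs from the warning lines, de-duplicated.
    sed -n 's/.*DynamicPlugin: Rule \[\([0-9]*\):\([0-9]*\)\] not enabled.*/\1 \2/p' "$log" |
    sort -u |
    while read -r gid sid; do
        # Lines in any stub file that carry both this sid and this gid.
        hits=$(cat "$dir"/*.rules 2>/dev/null |
               grep -E "[(; ]sid:[[:space:]]*$sid;" |
               grep -E "[(; ]gid:[[:space:]]*$gid;" || true)
        if [ -z "$hits" ]; then
            echo "$gid:$sid missing"      # no stub at all: dump or update the stubs
        elif printf '%s\n' "$hits" | grep -qv '^[[:space:]]*#'; then
            echo "$gid:$sid active"       # stub exists; check the file is included
        else
            echo "$gid:$sid commented"    # stub exists but is commented out
        fi
    done
}

# Constructed sample data (not taken from the poster's system).
make_sample() {
    d=$(mktemp -d)
    mkdir "$d/so_rules"
    cat > "$d/snort.log" <<'EOF'
DynamicPlugin: Rule [3:15433] not enabled in configuration, rule will not be used.
DynamicPlugin: Rule [3:15449] not enabled in configuration, rule will not be used.
DynamicPlugin: Rule [3:15450] not enabled in configuration, rule will not be used.
EOF
    cat > "$d/so_rules/example.rules" <<'EOF'
# alert tcp any any -> any any (msg:"constructed stub A"; sid:15449; gid:3; rev:1; metadata: engine shared, soid 3|15449;)
alert tcp any any -> any any (msg:"constructed stub B"; sid:15450; gid:3; rev:1; metadata: engine shared, soid 3|15450;)
EOF
    echo "$d"
}

sample=$(make_sample)
so_stub_status "$sample/snort.log" "$sample/so_rules"
rm -rf "$sample"
```

A "missing" result is the situation described in the thread, where the shared object is loaded but no stub for that SID is present in the so_rules files.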



