[Snort-sigs] [Emerging-Sigs] can someone explain so rules to me?

Joel Esler eslerj at ...2420...
Thu Jul 30 16:24:28 EDT 2009


Might I suggest pulled-pork. It takes care of your so_rules stubs, etc., for you.
http://code.google.com/p/pulledpork/

Very simple to use.

Joel

On Thu, Jul 30, 2009 at 5:44 AM, Kevin Ross <kevross33 at ...3390...> wrote:

> Hey, yeah, I looked at this and followed the way it said, but I think I am
> doing something wrong. The bit I was mainly confused about is I take it I
> put the so rules in the downloaded rule archive into a directory where snort
> can read them and convert them into .rules files using the below command.
> Because I didn't know where the .so rules in the precompiled rules were to
> go, I assumed the snort_dynamicrules directory, but it never dumped the .rules
> files where I expected them, so I was a bit confused where I was going wrong.
> I want to get them working on my sensors at work though, and also my
> smoothwall at home (I have a home VRT subscription and want to use these
> rules).
>
> snort -c /etc/snort/snort.conf --dump-dynamic-rules=/etc/snort/so_rules
>
>
>
> 2009/7/29 Mike Guiterman <mguiterman at ...435...>
>
>> Check out the VRT blog post on the topic:
>> http://vrt-sourcefire.blogspot.com/2009/01/using-vrt-certified-shared-object-rules.html
>>
>>
>> On Wed, Jul 29, 2009 at 10:44 AM, Kevin Ross <kevross33 at ...3390...> wrote:
>>
>>> Kind of. At least what they are. How do you get Snort to use them?
>>>
>>> Thanks, Kev
>>>
>>> 2009/7/29 Mike Guiterman <mguiterman at ...435...>
>>>
>>>> Hi,
>>>>
>>>> Here's an FAQ on so_rules.  Hopefully this helps.
>>>>
>>>>
>>>> What are the Shared Object Rules (SOs)?
>>>>
>>>> A Shared Object (SO) rule is a loadable Snort module that can quickly
>>>> extend the detection capabilities of Snort.  Beginning with Snort 2.6.0
>>>> an API to the detection engine was added that allows anyone familiar with
>>>> the C programming language to quickly extend the detection capabilities of
>>>> Snort.  This allows for detection of vulnerabilities that could not be
>>>> detected using the standard text based Snort rules language.
>>>>
>>>>
>>>>
>>>>
>>>> Additionally this functionality allows the Sourcefire VRT to release
>>>> protected detection modules that cannot be reviewed without binary reverse
>>>> engineering.  Sourcefire refers to these protected detection modules as
>>>> restricted SO rules.
>>>>
>>>>
>>>> Why are there restricted SO rules? I thought Snort was Open Source.
>>>>
>>>> To protect Sourcefire customers, open-source users, and anyone using
>>>> Snort, Sourcefire has joined numerous programs like Microsoft MAPP.  These
>>>> programs allow vendors like Microsoft to share vulnerability information
>>>> with Sourcefire, sometimes before patches are available.  This allows
>>>> the Sourcefire VRT to prepare detection before attackers have time to figure
>>>> out what the vulnerability is and how to exploit it.   Since
>>>> ‘restricted’ detection modules contain sensitive information about the
>>>> vulnerabilities they provide detection for, these modules have to be
>>>> protected.  This is why the restricted SO rules are not in plain text,
>>>> and is also the reason the C source code is not shipped in the rules
>>>> snapshots.
>>>>
>>>>
>>>> What is a Stub-Rule?
>>>>
>>>> For Snort to correctly load SO rules it needs a bit of information about
>>>> the SO rules it is attempting to load.  This is the function of
>>>> stub-rules; a stub-rule is a plain text rule that looks very much like a
>>>> standard Snort rule.  However, these stub-rules don’t contain any
>>>> detection keywords like “content, pcre, byte_jump, etc”, they only contain
>>>> informational Snort keywords like “sid, gid, soid, metadata, classtype,
>>>> etc”.  Snort uses these stub rules to determine which SO rules you want
>>>> activated in your detection policy.
>>>>
>>>>
>>>>
>>>> If the stub-rule isn’t in your rules files or in your snort.conf then
>>>> Snort will not attempt to load the SO rule that is associated with it.
>>>>
>>>>
>>>>
>>>> What is a pre-compiled SO rule?
>>>>
>>>> Since there are restricted SO rules the only way to deliver some content
>>>> is for the Sourcefire VRT to compile the restricted SO rules and only ship
>>>> the binary versions of these files.  Sourcefire refers to these binary
>>>> modules as pre-compiled SO rules.  Catchy huh?
>>>>
>>>> What is a rules snapshot?
>>>>
>>>> Sourcefire refers to the packages that end-users download from
>>>> snort.org which contain the rules, pre-compiled SO rules, C source for
>>>> some SO rules, and other supporting documentation for the rules as rule
>>>> snapshots.
>>>>
>>>>
>>>> I’m compiling the SO rules from source why am I missing some rules?
>>>>
>>>> Some SO rules are restricted from being shipped in source-code format.
>>>> They are only shipped as pre-compiled SO rules.  This is why building
>>>> from source doesn’t result in the same number of rules as are contained in
>>>> the pre-compiled SO rules.
>>>>
>>>>
>>>> When I download the rules snapshot file I can't find the SIDs mentioned
>>>> in the advisory?
>>>>
>>>> If a rule was shipped as a restricted SO file you can’t just grep or do
>>>> a text search for the SID anymore. You’ll need to actually load all the
>>>> pre-compiled SO rules and dump out the stub rules to get all the necessary
>>>> SIDs for Snort to use in its detection policies.
>>>>
>>>>
>>>> Where do I find the stub rules file for SO rules?
>>>>
>>>> To get all the necessary stub rules to use for the SO rules you’ll need
>>>> to configure Snort to load the SO rules and then run Snort with a command
>>>> line option of “--dump-dynamic-rules <path>”.  This will dump out all
>>>> the necessary stub rules for the SOs that are loaded.
>>>>
>>>>
>>>>
>>>> Please see the Snort manual for how to include SO rules in your
>>>> snort.conf.
>>>>
>>>>
>>>> What platforms are supported for pre-compiled SO rules?
>>>>
>>>> The currently supported platform list as of 10/28/08 is the following.
>>>>
>>>>             Centos 4.6 – 32bit X86
>>>>             Centos 5.0 – 32bit X86
>>>>             Centos 5.0 – 64bit X86
>>>>             Fedora Core 5 – 32bit X86
>>>>             Fedora Core 9 – 32bit X86
>>>>             Fedora Core 9 – 64bit X86
>>>>             FreeBSD 7 – 32bit X86
>>>>             Red Hat Enterprise 5.0 – 64bit X86
>>>>             Ubuntu 6.01 – 32bit X86
>>>>             Ubuntu 8.04 – 64bit X86
>>>>
>>>>
>>>> What do I do if the rules snapshot file doesn't include a
>>>> pre-compiled binary for my OS?
>>>>
>>>> For the adventurous you can try any of the supported platforms listed
>>>> above, and see if they work on your platform.  If they don’t you can
>>>> send a message to snort-feedback at ...95... for potential inclusion in a
>>>> future release.
>>>>
>>>>
>>>> Does the VRT have plans to add support for my OS?
>>>>
>>>> Right now we are considering adding a few additional platforms.  The
>>>> following platforms will never have support, as Snort or SO rules are
>>>> incompatible with that platform.  This is not a complete list of
>>>> incompatible platforms.
>>>>
>>>>
>>>>             Windows
>>>>             AIX
>>>>             Solaris/Sun on SPARC
>>>>             HP-UX
>>>>             SGI
>>>>             IRIX
>>>>
>>>>
>>>> Can you modify the SO rule stubs to change HOME_NET / EXTERNAL_NET and
>>>> other attributes of the rule?
>>>>
>>>> Yes, anything that is exported as part of the stub rule that is the same
>>>> as a normal Snort rule can be modified, and works the same way the text
>>>> snort rules work.
>>>>
>>>> On Tue, Jul 28, 2009 at 6:20 PM, Kevin Ross <kevross33 at ...3390...> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I was wondering if someone could explain .so (shared object) rules to
>>>>> me? Just the VRT team seems to be using them more and more to deal with
>>>>> certain things (like today's out-of-band Microsoft patch).
>>>>>
>>>>> What I want to know is:
>>>>>
>>>>> 1) why have them?
>>>>> 2) how do they work/what do they do?
>>>>> 3) how to use them
>>>>>
>>>>> Thanks in advance.
>>>>>
>>>>> _______________________________________________
>>>>> Emerging-sigs mailing list
>>>>> Emerging-sigs at ...3335...
>>>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>>
>>>>>
>>>>
>>>
>>
>
>
>
-- Joel Esler | http://joelesler.net
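The FAQ above says a stub rule carries only informational keywords (sid, gid, soid, metadata, classtype) and no detection keywords, and that SIDs of restricted rules can only be checked by dumping the stubs rather than by grepping the snapshot. The script below is an added example, not code from the thread, from Snort or from the VRT: it parses a stub file of the shape `--dump-dynamic-rules` writes (the three sample rules are constructed and assume the Snort 2.x stub form `metadata:engine shared, soid gid|sid`), indexes the stubs by (gid, sid), ignores any text rule that slipped into the file, and reports which advisory SIDs the dump does not cover.

```python
import re

# Detection keywords a stub never carries (the FAQ's "content, pcre, byte_jump, etc").
DETECTION_KEYWORDS = {"content", "uricontent", "pcre", "byte_jump", "byte_test", "isdataat"}
RULE_RE = re.compile(r"^\s*(alert|log|pass|drop|reject|sdrop)\s+([^(]+?)\s*\((.*)\)\s*$")
# One rule option: keyword, optional ":value" (a quoted value may contain ';'), then ';'.
OPT_RE = re.compile(r'(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')

# Constructed sample: two stubs plus one ordinary text rule that does not belong here.
SAMPLE_STUBS = """\
# constructed sample, shaped like the output of --dump-dynamic-rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB sample stub; placeholder"; sid:1000001; gid:3; rev:2; classtype:attempted-admin; metadata:engine shared, soid 3|1000001;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CLIENT sample stub"; sid:1000002; gid:3; rev:1; classtype:attempted-user; metadata:engine shared, soid 3|1000002;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC text rule, not a stub"; content:"GET"; sid:1000003; gid:1; rev:1; classtype:web-application-attack;)
"""


def parse_rule(line):
    """Return (header, [keywords in order], {keyword: value}) or None for blanks/comments."""
    m = RULE_RE.match(line.strip())
    if not m:  # blank line, '#' comment, or not a rule line at all
        return None
    keywords, opts = [], {}
    for key, val in OPT_RE.findall(m.group(3)):
        keywords.append(key)
        opts.setdefault(key, val.strip().strip('"'))
    return m.group(2), keywords, opts


def is_stub(keywords, opts):
    """A stub has no detection keywords and names its shared object via 'soid' in metadata."""
    no_detection = not any(k in DETECTION_KEYWORDS for k in keywords)
    return no_detection and "soid" in opts.get("metadata", "")


def index_stubs(text):
    """Map (gid, sid) -> msg for every stub rule in a dumped stub file; text rules are skipped."""
    index = {}
    for line in text.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            continue
        _, keywords, opts = parsed
        if is_stub(keywords, opts):
            index[(int(opts.get("gid", "1")), int(opts["sid"]))] = opts.get("msg", "")
    return index


def missing_sids(text, wanted, gid=3):
    """Advisory SIDs (gid 3 = shared-object rules) that the dumped stubs do not cover."""
    present = index_stubs(text)
    return sorted(sid for sid in wanted if (gid, sid) not in present)
```

Run it against the real file written by `snort -c snort.conf --dump-dynamic-rules=<path>` with the SID list from an advisory; a non-empty result means the matching .so was not loaded (wrong directory or platform build), which is exactly the situation the thread describes.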