[Snort-sigs] F5 BIG-IP

Geoffrey Serrao gserrao at ...435...
Fri Feb 10 17:56:28 EST 2017


It means that instead of rule options being evaluated separately in a rule
tree (as is the case with text rules), the fast pattern candidate calls a
complete detection function already compiled in C.

The source code for shared objects is available when you download the
ruleset. For this particular sid the file is
src/server-other_f5-bigip-memory-disclosure.c

On Fri, Feb 10, 2017 at 5:50 PM, Joshua Ochsankehl <
joshua.ochsankehl at ...2420...> wrote:

> Does that mean there is a plugin or process outside of the snort rule
> inspecting the traffic?
>
> On Fri, Feb 10, 2017 at 4:39 PM, Y M <snort at ...3751...> wrote:
>
>> This is a gid:3 signature; a shared object rule. The detection part of a
>> is a compiled object. What you see is the signature stub.
>>
>> YM
>> ------------------------------
>> *From:* Joshua Ochsankehl <joshua.ochsankehl at ...2420...>
>> *Sent:* Saturday, February 11, 2017 1:31:26 AM
>> *To:* snort-sigs at lists.sourceforge.net
>> *Subject:* [Snort-sigs] F5 BIG-IP
>>
>> Snort Talos rules 41547-8 don't contain any content and only have
>> commands within metadata. What is it actually doing?
>>
>> V/R,
>> Joshua "Ox" Ochsankehl
>>
>> ------------------------------------------------------------------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>
>> http://www.snort.org
>>
>> Please visit http://blog.snort.org for the latest news about Snort!
>>
>> Visit the Snort.org to subscribe to the official Snort ruleset, make sure
>> to stay up to date to catch the most emerging threats:
>> https://snort.org/downloads/#rule-downloads
>>
>
>
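To see which rules in a ruleset are shared object stubs like the ones discussed in this thread, the following added example (not code from the thread or from the Snort project) parses rule lines and reports each rule's gid, whether it carries any inspection options, and its `soid` metadata. The sample rules are constructed, and the script assumes stubs carry the `engine shared, soid` metadata convention of Snort 2 shared object stubs.

```python
import re

# Constructed sample rules for illustration; not the text of any real Talos rule.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"CONSTRUCTED so stub"; sid:1000001; gid:3; rev:1; metadata: engine shared, soid 3|1000001;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CONSTRUCTED text rule"; content:"/admin"; http_uri; sid:1000002; rev:1;)
# alert tcp any any -> any any (msg:"CONSTRUCTED disabled stub"; sid:1000003; gid:3; rev:2; metadata: engine shared, soid 3|1000003;)
'''

# One rule option: keyword, optional ":value" (quoted strings may contain ';'), then ';'.
OPTION_RE = re.compile(r'\s*([\w.]+)\s*(?::\s*((?:"(?:\\.|[^"\\])*"|[^;])*))?;')
# Options that describe the rule rather than inspect traffic.
DESCRIPTIVE = {"msg", "sid", "gid", "rev", "classtype", "reference", "metadata", "priority"}
ACTIONS = ("alert", "drop", "log", "pass", "reject", "sdrop")


def classify_rules(text):
    """Return one dict per rule line: sid, gid, enabled, kind, inspect options, soid."""
    results = []
    for raw in text.splitlines():
        line = raw.strip()
        enabled = not line.startswith("#")       # commented-out rules are disabled
        line = line.lstrip("# ")
        if not line.startswith(ACTIONS) or "(" not in line or ")" not in line:
            continue                              # not a rule line
        body = line[line.index("(") + 1:line.rindex(")")]
        opts = [(m.group(1), (m.group(2) or "").strip()) for m in OPTION_RE.finditer(body)]
        lookup = dict(opts)
        gid = int(lookup.get("gid", 1))          # gid defaults to 1 (text rules)
        soid = next((part.split()[1] for part in lookup.get("metadata", "").split(",")
                     if part.strip().startswith("soid ")), None)
        results.append({
            "sid": int(lookup["sid"]),
            "gid": gid,
            "enabled": enabled,
            "kind": "shared object stub" if gid == 3 else "text rule",
            # A stub has nothing here: its detection lives in the compiled object.
            "inspect": [k for k, _ in opts if k not in DESCRIPTIVE],
            "soid": soid,
        })
    return results


if __name__ == "__main__":
    for rule in classify_rules(SAMPLE_RULES):
        print(rule)
```

A gid:3 entry with an empty `inspect` list only detects anything if the matching compiled shared object is actually loaded by the sensor.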