[Snort-users] Shared Object Rules vs. the New Rules Language

Jennifer Steffens jennifer.steffens at ...1935...
Thu May 18 12:58:17 EDT 2006

Hey everyone,

There seems to be a good deal of confusion over the recent release of
Shared Object (SO) rules and the future of the rules language so I
thought I would try to clear things up a bit.

First off the new SO Rule option is not the new rules language.  SO
Rules are intended to provide researchers with the ability to write more
complex rules for enhanced detection. In addition, we are working on a
new rules language for the Snort 3.0 release that will be developed
independently of the SO rule option. The timeframe for this release is
currently unknown but I can assure the community that details will be
forthcoming as we move forward.

Now to answer a few of the questions we have received lately:

1. Just what is an SO rule?

An SO rule is a loadable Snort module that can quickly extend the
detection capabilities of Snort. We have added an API to the detection
engine so that vulnerability researchers aren't restricted by the finite
number of Snort keywords when writing rules. This also allows the rule
writer to do some very complex things as they now have the full power of
the C language at their disposal.

2. So do I have to learn C to write Snort rules now?

No. SO rules are certainly an option but you are still free to use the
standard Snort rules language. This release simply provides additional
functionality, we have not removed any. We might force you to learn LISP
in the future though.  Just kidding  :-)

3. Why not just use the SPP or detection C templates?

SO rules provide a flexible way to add detection functionality.
Writing preprocessors and detection keywords requires a considerable
amount of research and time as they are multi-functional and are used to
detect pieces of many vulnerabilities. On the other hand, SO rules
are focused on a specific vulnerability, making them less complex to
write and use.

4. Is the SO API GPL?

Yes the API has been released under the GPL.

5. So should I create an environment for my Snort sensors to compile SO

While not required we would certainly recommend it. As mentioned before,
these provide users with the ability to write much more complex rules.

I hope this helps to clear up some of the confusion. We will be adding
the above information to the Snort FAQs. If you have any questions, just
let us know.


Jennifer S. Steffens
Director, Product Management - Snort
Sourcefire - Security for the Real World
W: 410.423.1930 | C: 202.409.7707
www.sourcefire.com | www.snort.org
