[Snort-users] Quick question about so_rules. I tried searching first......

Andy Berryman aberryman at ...14758...
Tue Mar 16 17:38:50 EDT 2010

I tried pulling up the archives, but it's saying it's not activated?


Anyway, I'm trying to wrap my head around so_rules and thought I was in the
clear, but just want to double check.

If we download the subscription release from url =
untar it and use the FC-5 rule set, do we still need to generate the
stub rules? I'm reading this document, and it's got me confused a little.

If I "cat /usr/local/lib/snort_dynamicrule/bad-traffic.so" I get all kinds
of gobbledygook on my screen as the rules scroll by. I'm assuming it's because
they are in programming code.

But, if I go to /usr/local/etc/snort/so_rules and cat bad-traffic.rules, I
see actual rules scroll by like this one:

alert ip any any -> any any (msg:"BAD-TRAFFIC Windows remote kernel tcp/ip igmp vulnerability exploit attempt"; sid:13287; gid:3; rev:3; classtype:attempted-admin; reference:cve,2007-0069; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-001.mspx; metadata: engine shared, soid 3|13287;)

So, does this mean my rules and rule stubs are being generated correctly?

Or since we are using the precompiled FC-5 rules, do I even need to worry
about them being generated? Do I just need to make sure my
snort_dynamicrule directory is there and the so_rules are there from the
FC-5 so_rules directory?


Andy Berryman
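A check one could run over the stub files, as an added example that is not part of the original post or of the Snort project: it parses each stub the way the one quoted above is laid out, confirms that the soid in the metadata agrees with the gid and sid, that the rule carries gid:3 and "engine shared", and that each NAME.rules in so_rules has a NAME.so in snort_dynamicrule. The NAME.rules-to-NAME.so correspondence is assumed from the two bad-traffic files named in the post, not stated on the page; the second stub file, its sid 99999 and the .so listing are constructed for the example.

```python
"""Sanity-check Snort 2.x shared-object rule stubs against the .so files.

Added example, not code from the original post or from the Snort project.
Assumed (not stated on the page): NAME.rules in so_rules pairs with NAME.so in
snort_dynamicrule, and every stub carries gid:3, 'engine shared' metadata and a
soid equal to gid|sid, as the bad-traffic stub quoted in the post does.
"""
import re
from pathlib import Path

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid:\s*(\d+)\s*;")
META_RE = re.compile(r"\bmetadata:\s*([^;]*)")   # metadata option body up to ';'
ENGINE_RE = re.compile(r"\bengine\s+(\w+)")
SOID_RE = re.compile(r"\bsoid\s+(\d+)\|(\d+)")


def parse_stub(rule: str) -> dict:
    """Pull sid, gid, engine type and soid out of one stub rule line."""
    sid = SID_RE.search(rule)
    gid = GID_RE.search(rule)
    meta = META_RE.search(rule)
    meta_text = meta.group(1) if meta else ""
    engine = ENGINE_RE.search(meta_text)
    soid = SOID_RE.search(meta_text)
    return {
        "sid": int(sid.group(1)) if sid else None,
        "gid": int(gid.group(1)) if gid else None,
        "engine": engine.group(1) if engine else None,
        "soid": (int(soid.group(1)), int(soid.group(2))) if soid else None,
    }


def stub_problems(rule: str) -> list:
    """Return human-readable problems with one stub; an empty list means OK."""
    p = parse_stub(rule)
    if p["sid"] is None or p["gid"] is None:
        return ["missing sid or gid"]
    problems = []
    if p["gid"] != 3:
        problems.append(f"gid is {p['gid']}, shared-object rules use gid:3")
    if p["engine"] != "shared":
        problems.append("metadata does not say 'engine shared'")
    if p["soid"] is None:
        problems.append("no soid in metadata")
    elif p["soid"] != (p["gid"], p["sid"]):
        problems.append(f"soid {p['soid'][0]}|{p['soid'][1]} does not match "
                        f"gid:{p['gid']} sid:{p['sid']}")
    return problems


def iter_rules(text: str):
    """Yield rule lines, skipping blanks and commented-out (#) stubs."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def check_stubs(stubs: dict, so_names: set) -> dict:
    """stubs maps 'NAME.rules' -> file text; so_names is the set of .so file
    names. Returns {stub file: [problem, ...]} for files with any problem."""
    report = {}
    for fname, text in stubs.items():
        issues = []
        expected_so = Path(fname).stem + ".so"   # assumed naming correspondence
        if expected_so not in so_names:
            issues.append(f"no matching {expected_so} in snort_dynamicrule")
        for rule in iter_rules(text):
            sid = parse_stub(rule)["sid"]
            issues.extend(f"sid {sid}: {prob}" for prob in stub_problems(rule))
        if issues:
            report[fname] = issues
    return report


def check_dirs(rules_dir: str, so_dir: str) -> dict:
    """Filesystem wrapper: every *.rules under rules_dir against *.so in so_dir."""
    stubs = {p.name: p.read_text() for p in Path(rules_dir).glob("*.rules")}
    so_names = {p.name for p in Path(so_dir).glob("*.so")}
    return check_stubs(stubs, so_names)


# Constructed sample input so the check runs offline.
SAMPLE_STUBS = {
    # The stub quoted in the post, joined back onto one line.
    "bad-traffic.rules": (
        'alert ip any any -> any any (msg:"BAD-TRAFFIC Windows remote kernel '
        'tcp/ip igmp vulnerability exploit attempt"; sid:13287; gid:3; rev:3; '
        'classtype:attempted-admin; reference:cve,2007-0069; reference:url,'
        'www.microsoft.com/technet/security/Bulletin/MS08-001.mspx; '
        'metadata: engine shared, soid 3|13287;)\n'
    ),
    # Constructed file whose stub has a soid that disagrees with its sid.
    "example-broken.rules": (
        'alert tcp any any -> any any (msg:"EXAMPLE constructed bad stub"; '
        'sid:99999; gid:3; rev:1; metadata: engine shared, soid 3|11111;)\n'
    ),
}
SAMPLE_SO = {"bad-traffic.so"}   # constructed listing; example-broken.so is absent

if __name__ == "__main__":
    for fname, issues in check_stubs(SAMPLE_STUBS, SAMPLE_SO).items():
        print(fname)
        for issue in issues:
            print("  -", issue)
```

On a real install, `check_dirs("/usr/local/etc/snort/so_rules", "/usr/local/lib/snort_dynamicrule")` runs the same check over the directories named in the post. The check only reads stubs that already exist; the stubs themselves are what Snort 2.x writes out from the loaded .so files with its `--dump-dynamic-rules=<dir>` option, which this script does not invoke.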