[Snort-users] Quick question about so_rules. I tried searching first......

Joel Esler joel.esler at ...14399...
Tue Mar 16 18:59:22 EDT 2010


Also, this may help:

http://vrt-sourcefire.blogspot.com/2009/01/using-vrt-certified-shared-object-rules.html

Joel


On Mar 16, 2010, at 6:56 PM, Matt Olney wrote:

> Rule stub -> alert ip any any -> any any (msg:"BAD-TRAFFIC Windows
> remote kernel tcp/ip igmp vulnerability exploit attempt"; sid:13287;
> gid:3; rev:3; classtype:attempted-admin; reference:cve,2007-0069;
> reference:url,www.microsoft.com/technet/security/Bulletin/MS08-001.mspx;
> metadata: engine shared, soid 3|13287;)
> 
> Don't cat this, it's your compiled detection -->
> /usr/local/lib/snort_dynamicrule/bad-traffic.so
> 
> Make sure you have that location in your snort.conf -->
> dynamicdetection directory /usr/local/lib/snort_dynamicrules
> (Make sure you know if there is an s or not in snort_dynamicrules; your
> example didn't have one)
> 
> Let us know how it goes.
> 
> Matt
> 
> 
> On Tue, Mar 16, 2010 at 5:38 PM, Andy Berryman <aberryman at ...14758...> wrote:
>> I tried pulling up the archives, but it's saying it's not activated?
>> 
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>> 
>> Anyway, I'm trying to wrap my head around so_rules and thought I was in the
>> clear, but just want to double check.
>> 
>> If we download the subscription release from url =
>> http://www.snort.org/pub-bin/oinkmaster.cgi/oinkcode/snortrules-snapshot-2.8_s.tar.gz
>> and untar it and use the FC-5 rule set, do we still need to generate the
>> stub rules? I'm reading this document, and it's got me confused a little.
>> http://www.snort.org/snort-rules/about-so_rules
>> 
>> If I "cat /usr/local/lib/snort_dynamicrule/bad-traffic.so" I get all kinds
>> of gobbledygook on my screen as the rules scroll by. I'm assuming it's because
>> they are in programming code.
>> 
>> But, if I go to /usr/local/etc/snort/so_rules and cat bad-traffic.rules, I
>> see actual rules scroll by like this one:
>> 
>> alert ip any any -> any any (msg:"BAD-TRAFFIC Windows remote kernel tcp/ip
>> igmp vulnerability exploit attempt"; sid:13287; gid:3; rev:3;
>> classtype:attempted-admin; reference:cve,2007-0069;
>> reference:url,www.microsoft.com/technet/security/Bulletin/MS08-001.mspx;
>> metadata: engine shared, soid 3|13287;)
>> 
>> So, does this mean my rules and rule stubs are being generated correctly?
>> 
>> Or since we are using the precompiled FC-5 rules, do I even need to worry
>> about them being generated? Do I just need to make sure my
>> snort_dynamicrule directory is there and the so_rules are there from the
>> FC-5 so_rules directory?
>> 
>> Thanks,
>> 
>> Andy Berryman
>> 
>> ------------------------------------------------------------------------------
>> Download Intel® Parallel Studio Eval
>> Try the new software tools for yourself. Speed compiling, find bugs
>> proactively, and fine-tune applications for parallel performance.
>> See why Intel Parallel Studio got high marks during beta.
>> http://p.sf.net/sfu/intel-sw-dev
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>> 
> 

--
Joel Esler
http://blog.joelesler.net
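An added sanity check for the setup Matt describes above (example code written for this page; it is not from the thread, from Snort, or from Sourcefire): it reads the "dynamicdetection directory" line out of a snort.conf, confirms that directory exists and actually holds .so files (catching the missing-"s" problem), and checks that every stub rule's "soid G|S" metadata agrees with its gid and sid. The snort.conf, the placeholder .so file and the stub rules file are all constructed in a temporary directory; the second stub line with a deliberately wrong soid is invented to show the mismatch path.

```shell
#!/bin/sh
# Added example, not part of the original thread. Checks the so_rules wiring
# discussed above: snort.conf -> dynamicdetection directory -> .so files,
# and stub .rules -> "soid gid|sid" consistency.

# Print the directory named by the first "dynamicdetection directory" line.
so_dir_from_conf() {
    awk '$1 == "dynamicdetection" && $2 == "directory" { print $3; exit }' "$1"
}

# Return 0 if the directory exists and contains at least one .so, else 1.
# A missing directory is the symptom of the snort_dynamicrule vs
# snort_dynamicrules mix-up mentioned in the thread.
check_so_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "missing directory: $dir (check the trailing 's')"; return 1; }
    set -- "$dir"/*.so
    [ -e "$1" ] || { echo "no .so files in $dir"; return 1; }
    return 0
}

# For each stub rule line, the "soid G|S" metadata must equal "gid:G" and
# "sid:S". Prints every mismatch; returns 0 only if all stubs are consistent.
check_stub_soids() {
    awk '
    /^alert/ {
        sid = ""; gid = ""; soid = ""
        if (match($0, /sid:[0-9]+/))  sid  = substr($0, RSTART + 4, RLENGTH - 4)
        if (match($0, /gid:[0-9]+/))  gid  = substr($0, RSTART + 4, RLENGTH - 4)
        if (match($0, /soid [0-9]+[|][0-9]+/)) soid = substr($0, RSTART + 5, RLENGTH - 5)
        if (soid != (gid "|" sid)) {
            print "mismatch: sid=" sid " gid=" gid " soid=" soid
            bad = 1
        }
    }
    END { exit bad + 0 }' "$1"
}

# Constructed fixture (hypothetical paths, not a real Snort install): a tiny
# snort.conf, an empty placeholder .so, and a stub file whose first rule is
# the one quoted in the thread and whose second rule has a wrong soid.
setup_fixture() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/snort_dynamicrules" "$tmp/so_rules"
    : > "$tmp/snort_dynamicrules/bad-traffic.so"
    printf 'dynamicdetection directory %s/snort_dynamicrules\n' "$tmp" > "$tmp/snort.conf"
    cat > "$tmp/so_rules/bad-traffic.rules" <<'EOF'
alert ip any any -> any any (msg:"BAD-TRAFFIC Windows remote kernel tcp/ip igmp vulnerability exploit attempt"; sid:13287; gid:3; rev:3; classtype:attempted-admin; reference:cve,2007-0069; metadata: engine shared, soid 3|13287;)
alert ip any any -> any any (msg:"constructed stub with wrong soid"; sid:99999; gid:3; rev:1; metadata: engine shared, soid 3|88888;)
EOF
    echo "$tmp"
}

# Usage against a real box would be:
#   check_so_dir "$(so_dir_from_conf /usr/local/etc/snort/snort.conf)"
#   check_stub_soids /usr/local/etc/snort/so_rules/bad-traffic.rules
```

Run against a real install, the first check fails loudly when snort.conf points at a directory that does not exist (the "s" problem), and the second flags any stub whose soid does not match the gid/sid pair, which is the link between the text stub and the compiled detection in the .so.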