[Snort-users] Rule performance profiling question

Joel Esler jesler at ...1935...
Thu Sep 16 11:46:20 EDT 2010

There are many reasons that SO rules are made.

ONE of which is that Sourcefire has agreements with organizations that
obfuscation of the detection method for those rules is necessary.

SO rules are also "C".  This allows a lot more complex detection than is
available in the plaintext Snort language.

For example, if we have to take two dynamically calculated numbers from two
different parsed file formats and compare them to each other.


On Thu, Sep 16, 2010 at 11:24 AM, waldo kitty <wkitty42 at ...14940...> wrote:

> On 9/16/2010 09:07, Andy Berryman wrote:
> > Joel wrote that they “both are SO rules.”
> >
> > What does that have to do with it? Does it make a difference that they
> > are SO rules?
>
> yes... because they are GID:3 while the normal text rules in the *.rules
> files are GID:1... GID:3 are binary and if one is not using them, one
> cannot locate their SID ;)
>
> with GID:3 being binary, there is also the problem of them having to be
> distributed in pre-compiled format... that means that they must be
> compatible with one's kernel and environment... if there are no
> pre-compiled rules that fit one's kernel and environment, then one cannot
> use GID:3 rules at all... well, not unless their source is available and
> can be compiled for one's environment... however, making the source for
> GID:3 rules available negates the reason for their existence in the first
> place... that reason is to prevent folk from seeing what is being detected
> and how so that they cannot work to avoid the detection...
>
> IIUC, GID:3 rules detect traffic problems that have not yet been made
> public...
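The kind of check Joel describes (two numbers that only exist after parsing two different formats, then compared against each other) sketched as a standalone C function. This is an added illustration, not Sourcefire code and not Snort's SO rule plugin interface; the "PKG" container, the "IMG" image header, the field layouts and the sample buffers are all constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed, hypothetical formats (not real file formats, not Snort's API):
 *   outer "PKG" container : "PKG\0" | uint32 LE payload_len | payload[payload_len]
 *   inner "IMG" payload   : "IMG"   | uint16 LE width | uint16 LE height | uint8 bpp | pixels
 * The rule fires when the container's declared payload cannot hold the pixel
 * data its own image header promises: a comparison of two parsed, computed
 * values rather than a match against a fixed pattern. */

#define OUTER_HDR_LEN 8
#define INNER_HDR_LEN 8

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse the container header. Returns 1 and fills payload_len on success.
 * A declared length that runs past the bytes actually seen is not trusted. */
static int parse_outer(const uint8_t *buf, size_t len, uint32_t *payload_len)
{
    if (len < OUTER_HDR_LEN || memcmp(buf, "PKG\0", 4) != 0)
        return 0;
    *payload_len = rd32(buf + 4);
    if (*payload_len > len - OUTER_HDR_LEN)   /* truncated capture: don't guess */
        return 0;
    return 1;
}

/* Parse the image header inside the payload and compute the pixel-buffer size
 * it implies. 64-bit arithmetic so width * height * bytes-per-pixel cannot wrap. */
static int parse_inner(const uint8_t *p, size_t len, uint64_t *expected_pixel_bytes)
{
    if (len < INNER_HDR_LEN || memcmp(p, "IMG", 3) != 0)
        return 0;
    uint16_t width  = rd16(p + 3);
    uint16_t height = rd16(p + 5);
    uint8_t  bpp    = p[7];
    if (bpp == 0 || (bpp % 8) != 0)
        return 0;
    *expected_pixel_bytes = (uint64_t)width * height * (bpp / 8);
    return 1;
}

/* Rule body: 1 (match) when the two computed sizes disagree, 0 (no match)
 * otherwise, including whenever either layer fails to parse. */
int rule_eval(const uint8_t *buf, size_t len)
{
    uint32_t payload_len;
    uint64_t expected;
    if (!parse_outer(buf, len, &payload_len))
        return 0;
    if (!parse_inner(buf + OUTER_HDR_LEN, payload_len, &expected))
        return 0;
    uint64_t declared_pixel_bytes = (uint64_t)payload_len - INNER_HDR_LEN;
    return expected != declared_pixel_bytes;
}

/* Constructed samples. Benign: 2x2 image at 8 bpp = 4 pixel bytes, payload 12. */
static const uint8_t sample_ok[] = {
    'P','K','G',0,  12,0,0,0,
    'I','M','G',  2,0,  2,0,  8,
    0xAA,0xBB,0xCC,0xDD
};
/* Suspicious: header claims 4096x4096 at 32 bpp (64 MiB) but carries 4 bytes. */
static const uint8_t sample_bad[] = {
    'P','K','G',0,  12,0,0,0,
    'I','M','G',  0x00,0x10,  0x00,0x10,  32,
    0xAA,0xBB,0xCC,0xDD
};
/* Truncated: declares 12 payload bytes but only 2 follow. */
static const uint8_t sample_trunc[] = {
    'P','K','G',0,  12,0,0,0,
    'I','M'
};

int main(void)
{
    printf("benign   : %d\n", rule_eval(sample_ok, sizeof sample_ok));
    printf("mismatch : %d\n", rule_eval(sample_bad, sizeof sample_bad));
    printf("truncated: %d\n", rule_eval(sample_trunc, sizeof sample_trunc));
    return 0;
}
```

Build with any C compiler (`cc -o rule rule.c`). A real SO rule is compiled against Snort's dynamic detection plugin interface rather than being a free-standing program; the point here is the shape of the logic, namely that both values are derived at run time from separate parsers, that the comparison is between those derived values, and that the detection code itself bounds-checks declared lengths before trusting them, since a rule that overreads the packet buffer is a bug in the sensor.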
