[Snort-users] [snort-user] Confused about so_rules

Mayur Patil ram.nath241089 at ...11827...
Wed Sep 4 05:25:03 EDT 2013


Hi,

   If rule files are already present in the directory /etc/snort/so_rules,
   why do we need to create them again?

From the manual:

   3. Dump the stub rules by issuing the command:

   snort -c /etc/snort/snort.conf --dump-dynamic-rules=/etc/snort/so_rules

   4. Use a variable to define the path to the stub rules, for example:

       var $SO_RULE_PATH /etc/snort/so_rules

My questions are:

1. What is meant by "dump the stub rules"?

   I have tried to compile from source in the /so_rules/src directory by giving the
make command, but it is giving an error, so:

2. How to compile rules directly from the so_rules C files? And is it necessary that
we need to create text rules for so_rules though we have C language rules?

I have referred these links

http://vrt-blog.snort.org/2009/01/using-vrt-certified-shared-object-rules.html

http://searchitchannel.techtarget.com/tip/How-to-use-shared-object-rules-in-Snort

but

3. I am not getting how to compile my own so_rules in C language and use them?

I am getting the error

snort[3936]: Encoded Rule Plugin SID: 17132, GID: 3 not registered properly. Disabling this rule.

where I have included the rule in the snort file.

I have referred these links:

http://seclists.org/snort/2012/q2/616

http://forum.pfsense.org/index.php?topic=30289.0

http://comments.gmane.org/gmane.comp.security.ids.snort.general/34197

It's very confusing.

Please guide me.

Thanks!

--
Cheers,
Mayur