[Snort-users] [snort-user] Confused about so_rules

Joel Esler jesler at ...1935...
Wed Sep 4 08:08:08 EDT 2013


Using PulledPork to update your rules takes care of this entire process for you.

--
Joel Esler

> On Sep 4, 2013, at 5:25 AM, Mayur Patil <ram.nath241089 at ...11827...> wrote:
> 
> Hi,
> 
>    If rule files are already present in directory /etc/snort/so_rules
>  
>    why do we need to create them again?
> 
> From the manual:
> 
>    3. Dump the stub rules by issuing the command:
> 
>    snort -c /etc/snort/snort.conf --dump-dynamic-rules=/etc/snort/so_rules
> 
>    4. Use a variable to define the path to the stub rules, for example:
> 
>        var $SO_RULE_PATH /etc/snort/so_rules
> 
> My questions are:
> 
> 1.   What is meant by "dump the stub rules"?
> 
>   I have tried to compile from source in the /so_rules/src directory by giving the make command, but it is giving an error, so
> 
> 2. How do I compile rules directly from the so_rules C files? And is it necessary to create text rules for so_rules even though we have C language rules?
> 
> I have referred these links
> 
> http://vrt-blog.snort.org/2009/01/using-vrt-certified-shared-object-rules.html
> 
> http://searchitchannel.techtarget.com/tip/How-to-use-shared-object-rules-in-Snort
> 
> but
> 
> 3. I am not getting how to compile my own so_rules in C and use them.
> 
> I am getting this error:
> snort[3936]: Encoded Rule Plugin SID: 17132, GID: 3 not registered properly. Disabling this rule.
> 
> where I have included the rule in the snort file.
> 
> I have referred these links:
> 
> http://seclists.org/snort/2012/q2/616
> 
> http://forum.pfsense.org/index.php?topic=30289.0
> 
> http://comments.gmane.org/gmane.comp.security.ids.snort.general/34197
> 
> It's very confusing.
> 
> Please guide me,
> 
> Thanks !
> 
> --
> Cheers,
> Mayur
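
An added example, not part of the original thread or of Snort itself: it takes the "not registered properly" message quoted above, extracts the GID and SID, and reports which stub file in a so_rules directory declares that rule. The file name `example.rules` and its rule text are constructed sample data, and a rule without a `gid` option is treated as gid 1.

```python
import re
import tempfile
from pathlib import Path

# Syslog message format quoted in the post above.
UNREGISTERED = re.compile(r"Encoded Rule Plugin SID: (\d+), GID: (\d+) not registered properly")
# sid/gid options inside a rule body, e.g. "... sid:17132; gid:3; ..."
SID_OPT = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_OPT = re.compile(r"\bgid\s*:\s*(\d+)\s*;")

def unregistered_rules(log_lines):
    """Return the set of (gid, sid) pairs Snort reported as not registered."""
    found = set()
    for line in log_lines:
        m = UNREGISTERED.search(line)
        if m:
            found.add((int(m.group(2)), int(m.group(1))))
    return found

def index_stub_rules(stub_dir):
    """Map (gid, sid) -> stub file name for every active rule in stub_dir/*.rules."""
    index = {}
    for path in sorted(Path(stub_dir).glob("*.rules")):
        for line in path.read_text(errors="replace").splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue  # skip blanks and commented-out (disabled) rules
            sid, gid = SID_OPT.search(line), GID_OPT.search(line)
            if sid:
                index[(int(gid.group(1)) if gid else 1, int(sid.group(1)))] = path.name
    return index

def locate(log_lines, stub_dir):
    """For each unregistered (gid, sid), name the stub file that declares it, or None."""
    index = index_stub_rules(stub_dir)
    return {key: index.get(key) for key in unregistered_rules(log_lines)}

def demo():
    # Constructed sample data: the log line is the one from the post; the stub rules are made up.
    log = ["snort[3936]: Encoded Rule Plugin SID: 17132, GID: 3 not registered properly. Disabling this rule."]
    with tempfile.TemporaryDirectory() as d:
        Path(d, "example.rules").write_text(
            'alert tcp any any -> any any (msg:"constructed stub"; sid:17132; gid:3; rev:1;)\n'
            '# alert tcp any any -> any any (msg:"disabled"; sid:17133; gid:3; rev:1;)\n')
        return locate(log, d)

if __name__ == "__main__":
    print(demo())
```

A result of `None` for a pair means no active rule in that directory declares it, so the rule is being loaded from somewhere else in the configuration.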