[Snort-users] Precomplies so_rules for debian 8 (snortrules-snapshot-2980.tar.gz)

wkitty42 at ...14940... wkitty42 at ...14940...
Thu Feb 18 06:24:44 EST 2016


On 02/18/2016 05:18 AM, Balasubramaniam Natarajan wrote:
> On Tue, Feb 16, 2016 at 10:54 PM, <wkitty42 at ...14940...> wrote:
>
>     IIRC, compiling them should be as simple as running make... that means a build
>     environment which is generally undesirable on a security device but one could
>     easily have a central server that pulls the rules, compiles the so_rules and
>     then all the sensors pull from that central server instead of from outside
>     servers...
>
> I don't think Sourcefire or now Cisco would ship the source code of those.
> That is why they were shipping the precompiled versions of those.

you might want to take a closer look at the rules snapshot files, then... in the 
ones i have available here, there is a so_rules/src directory with 166 .c and .h 
files along with a make file, readme and a test.conf file... looking in the 
so_rules/precompiled directory, i see 32 .so files in each one... how the make 
process puts them all together is majik to me ;)

granted, not all precompiled rules have their sources in the src directory but a 
lot of them appear to... i haven't tried building them in a while so i don't 
know how many .so files will be generated and my build environment where i used 
to play with this stuff is old and outdated now... one should look at the 
makefile and ensure that they compile what they need (eg: 
--enable-non-ether-encoders requires changes) when they compile their snort and 
the shared object rules to go with it...

> I do agree to your second statement of not having build environment on
> security devices.

thank you :)

-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.



