[Snort-users] Which so_rules to use

James Lay jlay at ...13475...
Sun May 28 07:50:58 EDT 2017


If it was me I would go from source if possible, so I can tweak it to
my exact system.
James
On Sun, 2017-05-28 at 10:16 +0100, Charlie Dyer wrote:
> Is anyone able to answer the query below?
> 
> Essentially, if you have two .so files with the same name, one compiled
> from src and one precompiled, which should you use?
> 
> Many thanks
> 
> On Wednesday, May 24, 2017, Charlie Dyer <charlierwdyer at ...11827...>
> wrote:
> 
> > 
> > Yes I've compiled the src, my question is if you have two .so files with
> > the same name, one compiled from src and one precompiled, which should
> > you use?
> > As you say the precompiled one will have stuff in that the src doesn't,
> > but will the src .so files have stuff in that the precompiled ones don't?
> > 
> > 
> > On Wed, May 24, 2017 at 8:55 PM, Joel Esler (jesler) wrote:
> > 
> > > 
> > > If we provide the src, you can compile them on your own.  The
> > > pre-compiled ones are without src, and contain a ton of detection not
> > > available anywhere else (zero-days that only we have protection for,
> > > etc).
> > > 
> > > 
> > > 
> > > --
> > > Joel Esler | Talos: Manager | jesler at ...589...
> > > 
> > > On May 24, 2017, at 3:06 PM, Charlie Dyer wrote:
> > > 
> > > Thanks for your reply, I'll take a look at pulledpork.
> > > Can you tell me if the .so files are actually the same and the size
> > > difference is just down to compilation differences? Or do the
> > > precompiled and src .so files essentially contain different 'stuff'?
> > > 
> > > 
> > > On Wed, May 24, 2017 at 5:29 PM, Joel Esler (jesler) wrote:
> > > 
> > > > 
> > > > You should use pulledpork to manage your ruleset, it will take care
> > > > of which version you need, according to the operating system you are
> > > > using or the one you specify.
> > > > 
> > > > --
> > > > Joel Esler | Talos: Manager | jesler at ...589...
> > > > 
> > > > On May 24, 2017, at 9:14 AM, Charlie Dyer wrote:
> > > > 
> > > > Hello
> > > > 
> > > > I've compiled the so_rules from the src folder but see there are
> > > > precompiled so_rules with the same name, but some of them have vastly
> > > > different file sizes.  There are also precompiled .so files which
> > > > aren't in the src folder once compiled and vice versa.
> > > > 
> > > > Does anyone know which .so files to use?  For example there is a
> > > > file-flash.so in the precompiled folder and the src folder, which
> > > > should I use?
> > > > 
> > > > Many thanks
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users at lists.sourceforge.net
> > > > Go to this URL to change user options or unsubscribe:
> > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> > > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > > > 
> > > > Please visit http://blog.snort.org to stay current on all the latest
> > > > Snort news!
> > > > 
> > > 

