[Snort-users] Which so_rules to use

Charlie Dyer charlierwdyer at ...11827...
Sun May 28 12:05:37 EDT 2017


But then don't you miss out on the detections that only Cisco has, 0days
and NDA detections for example, that won't have source, as Joel mentioned
in the initial reply?



On Sunday, May 28, 2017, James Lay <jlay at ...13475...> wrote:

> If it was me I would go from source if possible, so I can tweak it to
> my exact system.
> James
> On Sun, 2017-05-28 at 10:16 +0100, Charlie Dyer wrote:
> > Is anyone able to answer the query below?
> >
> > Essentially, if you have two .so files with the same name, one compiled
> > from src and one precompiled, which should you use?
> >
> > Many thanks
> >
> > On Wednesday, May 24, 2017, Charlie Dyer <charlierwdyer at ...11827...>
> > wrote:
> >
> > >
> > > Yes I've compiled the src, my question is if you have two .so files
> > > with the same name, one compiled from src and one precompiled, which
> > > should you use?
> > > As you say the precompiled one will have stuff in that the src
> > > doesn't, but will the src .so files have stuff in that the precompiled
> > > ones don't?
> > >
> > >
> > > On Wed, May 24, 2017 at 8:55 PM, Joel Esler (jesler) <jesler at ...589...>
> > > wrote:
> > >
> > > >
> > > > If we provide the src, you can compile them on your own. The
> > > > pre-compiled ones are without src, and contain a ton of detection
> > > > not available anywhere else (zero-days that only we have protection
> > > > for, etc).
> > > >
> > > >
> > > >
> > > > --
> > > > Joel Esler | Talos: Manager | jesler at ...589...
> > > >
> > > > On May 24, 2017, at 3:06 PM, Charlie Dyer <charlierwdyer at ...11827...>
> > > > wrote:
> > > >
> > > > Thanks for your reply, I'll take a look at pulledpork.
> > > > Can you tell me if the .so files are actually the same and the size
> > > > difference is just down to compilation differences? Or do the
> > > > precompiled and src .so files essentially contain different 'stuff'?
> > > >
> > > >
> > > > On Wed, May 24, 2017 at 5:29 PM, Joel Esler (jesler) <jesler at ...589...>
> > > > wrote:
> > > >
> > > > >
> > > > > You should use pulledpork to manage your ruleset, it will take
> > > > > care of which version you need, according to the operating system
> > > > > you are using or the one you specify.
> > > > >
> > > > > --
> > > > > Joel Esler | Talos: Manager | jesler at ...589...
> > > > >
> > > > > On May 24, 2017, at 9:14 AM, Charlie Dyer <charlierwdyer at ...11827...>
> > > > > wrote:
> > > > >
> > > > > Hello
> > > > >
> > > > > I've compiled the so_rules from the src folder but see there are
> > > > > precompiled so_rules with the same name, but some of them have
> > > > > vastly different file sizes. There are also precompiled .so files
> > > > > which aren't in the src folder once compiled and vice versa.
> > > > >
> > > > > Does anyone know which .so files to use? For example there is a
> > > > > file-flash.so in the precompiled folder and the src folder, which
> > > > > should I use?
> > > > >
> > > > > Many thanks
> > > > > ------------------------------------------------------------------------------
> > > > > Check out the vibrant tech community on one of the world's most
> > > > > engaging tech sites, Slashdot.org <http://slashdot.org/>!
> > > > > http://sdm.link/slashdot
> > > > > _______________________________________________
> > > > > Snort-users mailing list
> > > > > Snort-users at lists.sourceforge.net
> > > > > Go to this URL to change user options or unsubscribe:
> > > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > > Snort-users list archive:
> > > > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > > > >
> > > > > Please visit http://blog.snort.org to stay current on all the latest
> > > > > Snort news!
> > > > >
> > > > >
> > > > >
> > > >

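The question running through the thread is whether a source-built .so and the precompiled .so of the same name actually hold the same thing, and which names exist on only one side. The script below is an added example; it is not from any poster and not from the Snort project or pulledpork. It walks two directories (the paths are assumptions), reports .so names present on only one side, and for names present on both says whether the bytes are identical or only the sizes differ. The sample data is constructed; of the file names only file-flash.so comes from the thread, the rest are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the thread or the Snort project: compare the
# so_rules you compiled from src against the precompiled ones shipped in
# the ruleset, name by name. Directory paths are assumptions.

compare_so_dirs() {
    src_dir="$1"
    pre_dir="$2"
    # Every .so name seen in either directory, listed once
    for name in $( { ls "$src_dir"; ls "$pre_dir"; } | grep '\.so$' | sort -u ); do
        s="$src_dir/$name"
        p="$pre_dir/$name"
        if [ ! -f "$s" ]; then
            echo "only-precompiled $name"
        elif [ ! -f "$p" ]; then
            echo "only-src $name"
        elif cmp -s "$s" "$p"; then
            echo "identical $name"
        else
            # Same name, different bytes: print both sizes so the gap is visible
            echo "differs $name src=$(wc -c < "$s" | tr -d ' ') pre=$(wc -c < "$p" | tr -d ' ')"
        fi
    done
}

# Constructed sample data standing in for real shared objects. Only
# file-flash.so is a name taken from the thread; the rest are made up here.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/src" "$demo_root/pre"
printf 'rule-a' > "$demo_root/src/file-flash.so"
printf 'rule-a-plus-extra' > "$demo_root/pre/file-flash.so"   # precompiled carries more bytes
printf 'same' > "$demo_root/src/browser-ie.so"
printf 'same' > "$demo_root/pre/browser-ie.so"                # built output matches shipped file
printf 'x' > "$demo_root/pre/os-windows.so"                   # shipped, but nothing to build it from
printf 'y' > "$demo_root/src/web-misc.so"                     # built locally, not in the shipped set

compare_so_dirs "$demo_root/src" "$demo_root/pre"
```

Point it at the real directories, for example `compare_so_dirs /path/to/so_rules/built /path/to/so_rules/precompiled/<distro>` (both paths are placeholders). An `identical` line means there is no decision to make for that name; a `differs` line tells you the size gap is not a compilation artifact but different contents, which is the case Joel describes where the shipped object carries detection that has no source; an `only-src` line means your build produced something the shipped set for that distro does not include. The script says nothing about what the extra bytes detect, only that they are there.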

