[Snort-users] Which so_rules to use

James Lay jlay at ...13475...
Sun May 28 12:43:48 EDT 2017


Probably.  Truth be told I've never got with the source...just rolled
with the precompiled and never had a second thought about it ☺
On Sun, 2017-05-28 at 17:05 +0100, Charlie Dyer wrote:
> But then don't you miss out on the detections that only Cisco has,
> 0days and NDA detections for example, that won't have source like
> Joel mentioned in the initial reply?
>
> On Sunday, May 28, 2017, James Lay <jlay at ...13475...> wrote:
> > If it was me I would go from source if possible, so I can tweak it
> > to my exact system.
> > James
> > On Sun, 2017-05-28 at 10:16 +0100, Charlie Dyer wrote:
> > > Is anyone able to answer the query below?
> > >
> > > Essentially, if you have two .so files with the same name, one
> > > compiled from src and one precompiled, which should you use?
> > >
> > > Many thanks
> > >
> > > On Wednesday, May 24, 2017, Charlie Dyer <charlierwdyer at ...11827...> wrote:
> > >
> > > >
> > > > Yes I've compiled the src, my question is if you have two .so
> > > > files with the same name, one compiled from src and one
> > > > precompiled, which should you use?
> > > > As you say the precompiled one will have stuff in that the src
> > > > doesn't, but will the src .so files have stuff in the precompiled
> > > > ones don't?
> > > >
> > > > On Wed, May 24, 2017 at 8:55 PM, Joel Esler (jesler)
> > > > <jesler at ...589...> wrote:
> > > >
> > > > >
> > > > > If we provide the src, you can compile them on your own.  The
> > > > > pre-compiled ones are without src, and contain a ton of
> > > > > detection not available anywhere else (zero-days that only we
> > > > > have protection for, etc).
> > > > >
> > > > > --
> > > > > Joel Esler | Talos: Manager | jesler at ...589...
> > > > >
> > > > > On May 24, 2017, at 3:06 PM, Charlie Dyer
> > > > > <charlierwdyer at ...11827...> wrote:
> > > > >
> > > > > Thanks for your reply, I'll take a look at pulledpork.
> > > > > Can you tell me if the .so files are actually the same and
> > > > > the size difference is just down to compilation differences?
> > > > > Or do the precompiled and src .so files essentially contain
> > > > > different 'stuff'?
> > > > >
> > > > > On Wed, May 24, 2017 at 5:29 PM, Joel Esler (jesler)
> > > > > <jesler at ...589...> wrote:
> > > > >
> > > > > >
> > > > > > You should use pulledpork to manage your ruleset, it will
> > > > > > take care of which version you need, according to the
> > > > > > operating system you are using or the one you specify.
> > > > > >
> > > > > > --
> > > > > > Joel Esler | Talos: Manager | jesler at ...589...
> > > > > >
> > > > > > On May 24, 2017, at 9:14 AM, Charlie Dyer
> > > > > > <charlierwdyer at ...11827...> wrote:
> > > > > >
> > > > > > Hello
> > > > > >
> > > > > > I've compiled the so_rules from the src folder but see there
> > > > > > are precompiled so_rules with the same name, but some of them
> > > > > > have vastly different file sizes.  There are also precompiled
> > > > > > .so files which aren't in the src folder once compiled and
> > > > > > vice versa.
> > > > > >
> > > > > > Does anyone know which .so files to use?  For example there
> > > > > > is a file-flash.so in the precompiled folder and the src
> > > > > > folder, which should I use?
> > > > > >
> > > > > > Many thanks
> > > > > > ------------------------------------------------------------------------------
> > > > > > Check out the vibrant tech community on one of the world's
> > > > > > most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> > > > > > _______________________________________________
> > > > > > Snort-users mailing list
> > > > > > Snort-users at lists.sourceforge.net
> > > > > > Go to this URL to change user options or unsubscribe:
> > > > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > > > Snort-users list archive:
> > > > > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > > > > >
> > > > > > Please visit http://blog.snort.org to stay current on all
> > > > > > the latest Snort news!
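A check for the situation the thread describes (same .so name in the precompiled folder and in the folder you built from src), added here as an example and not code from the thread, from Snort or from Talos: it lists names present on only one side and, for shared names, whether the two files are byte-identical and how their sizes compare. The directory layout and the placeholder files the demo creates are constructed for illustration only.

```shell
#!/bin/sh
# Added example, not code from the thread or from Snort/Talos.
# Compare a precompiled so_rules directory with one built from src:
# which names exist only on one side, and for shared names whether the
# files are byte-identical (a size difference alone proves nothing).
# Usage: compare_so_dirs <precompiled_dir> <src_built_dir>
compare_so_dirs() {
    pre=$1
    src=$2
    for f in "$pre"/*.so; do
        [ -f "$f" ] || continue
        name=${f##*/}
        if [ -f "$src/$name" ]; then
            psize=$(wc -c < "$f" | tr -d ' ')
            ssize=$(wc -c < "$src/$name" | tr -d ' ')
            if cmp -s "$f" "$src/$name"; then
                echo "BOTH-IDENTICAL $name $psize"
            else
                echo "BOTH-DIFFER $name precompiled=$psize src=$ssize"
            fi
        else
            echo "ONLY-PRECOMPILED $name"
        fi
    done
    for f in "$src"/*.so; do
        [ -f "$f" ] || continue
        name=${f##*/}
        [ -f "$pre/$name" ] || echo "ONLY-SRC $name"
    done
}

# make_demo_dirs: constructed sample directories with placeholder text
# contents (not real Snort shared objects), so the script runs offline.
make_demo_dirs() {
    base=$(mktemp -d)
    mkdir "$base/precompiled" "$base/src"
    printf 'precompiled file-flash (constructed)' > "$base/precompiled/file-flash.so"
    printf 'src file-flash' > "$base/src/file-flash.so"
    printf 'same' > "$base/precompiled/browser-ie.so"
    printf 'same' > "$base/src/browser-ie.so"
    printf 'nda' > "$base/precompiled/precompiled-only.so"
    printf 'local' > "$base/src/src-only.so"
    echo "$base"
}

# Demo on the constructed directories; point the two arguments at your
# real precompiled and src-built so_rules folders instead.
demo=$(make_demo_dirs)
compare_so_dirs "$demo/precompiled" "$demo/src"
rm -rf "$demo"
```

Names reported as ONLY-SRC are ones the src folder produced that the precompiled set lacks, and BOTH-DIFFER lines are the pairs worth comparing further before choosing one.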

