[Snort-users] Which so_rules to use

Charlie Dyer charlierwdyer at ...11827...
Sun May 28 13:29:12 EDT 2017


Could someone from Cisco or Snort team provide a definitive answer, or link
to documentation that explains the difference between precomputed and built
from source so_rules, the scenarios where you would use one over the other
and whether you would ever want to use both, and how to do that.

Many thanks, appreciate your responses.

Chaz

On Sunday, May 28, 2017, James Lay <jlay at ...13475...> wrote:

> Probably.  Truth be told I've never got with the source...just rolled with
> the precompiled and never had a second thought about it ☺
>
> On Sun, 2017-05-28 at 17:05 +0100, Charlie Dyer wrote:
>
> But then don't you miss out on the detections that only Cisco has, 0days
> and NDA detections for example, that won't have source like Joel mentioned
> in the initial reply?
>
>
>
> On Sunday, May 28, 2017, James Lay <jlay at ...13475...> wrote:
>
> If it was me I would go from source if possible, so I can tweak it to
> my exact system.
> James
> On Sun, 2017-05-28 at 10:16 +0100, Charlie Dyer wrote:
> > Is anyone able to answer the query below?
> >
> > Essentially, if you have two .so files with the same name, one compiled
> > from src and one precompiled, which should you use?
> >
> > Many thanks
> >
> > On Wednesday, May 24, 2017, Charlie Dyer <charlierwdyer at ...11827...>
> > wrote:
> >
> > >
> > > Yes I've compiled the src, my question is if you have two .so files
> > > with the same name, one compiled from src and one precompiled, which
> > > should you use?
> > > As you say the precompiled one will have stuff in that the src
> > > doesn't, but will the src .so files have stuff in the precompiled ones
> > > don't?
> > >
> > >
> > > On Wed, May 24, 2017 at 8:55 PM, Joel Esler (jesler) <jesler at ...589...> wrote:
> > >
> > > >
> > > > If we provide the src, you can compile them on your own.  The
> > > > pre-compiled ones are without src, and contain a ton of detection not
> > > > available anywhere else (zero-days that only we have protection for, etc).
> > > >
> > > >
> > > >
> > > > --
> > > > Joel Esler | Talos: Manager | jesler at ...589...
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > On May 24, 2017, at 3:06 PM, Charlie Dyer <charlierwdyer at ...11827...> wrote:
> > > >
> > > > Thanks for your reply, I'll take a look at pulledpork.
> > > > Can you tell me if the .so files are actually the same and the size
> > > > difference is just down to compilation differences? Or do the
> > > > precompiled and src .so files essentially contain different 'stuff'?
> > > >
> > > >
> > > > On Wed, May 24, 2017 at 5:29 PM, Joel Esler (jesler) <jesler at ...589...> wrote:
> > > >
> > > > >
> > > > > You should use pulledpork to manage your ruleset, it will take
> > > > > care of which version you need, according to the operating system
> > > > > you are using or the one you specify.
> > > > >
> > > > > --
> > > > > Joel Esler | Talos: Manager | jesler at ...589...
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > On May 24, 2017, at 9:14 AM, Charlie Dyer <charlierwdyer at ...11827...> wrote:
> > > > >
> > > > > Hello
> > > > >
> > > > > I've compiled the so_rules from the src folder but see there are
> > > > > precompiled so_rules with the same name, but some of them have
> > > > > vastly different file sizes.  There are also precompiled .so files
> > > > > which aren't in the src folder once compiled and vice versa.
> > > > >
> > > > > Does anyone know which .so files to use?  For example there is a
> > > > > file-flash.so in the precompiled folder and the src folder, which
> > > > > should I use?
> > > > >
> > > > > Many thanks
> > > > > ------------------------------------------------------------------------------
> > > > > Check out the vibrant tech community on one of the world's most
> > > > > engaging tech sites, Slashdot.org <http://slashdot.org/>!
> > > > > http://sdm.link/slashdot
> > > > > _______________________________________________
> > > > > Snort-users mailing list
> > > > > Snort-users at lists.sourceforge.net
> > > > > Go to this URL to change user options or unsubscribe:
> > > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > > Snort-users list archive:
> > > > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > > > >
> > > > > Please visit http://blog.snort.org to stay current on all the latest
> > > > > Snort news!
> > > > >
> > > >
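An added example, not part of any message in this thread: a small POSIX shell script that inventories the precompiled so_rules directory against the .so files built from the src folder, listing names present in only one tree and same-named pairs with their byte sizes, so the overlap Charlie describes can be seen before deciding which objects to load. The directory paths are assumed to be passed as arguments; only file names and sizes are inspected, not the detection content inside the objects.

```sh
#!/bin/sh
# Compare a Snort so_rules "precompiled" directory with the .so files
# built from the src folder. Reports names present in only one tree and,
# for names present in both, the two byte sizes. Added example; assumes
# the two directory paths are given as arguments and looks at nothing
# beyond file names and sizes.

# Size of a file in bytes (wc -c rather than stat, for portability).
so_size() {
    wc -c < "$1" | tr -d ' '
}

# Usage: compare_so_dirs PRECOMPILED_DIR SRC_BUILD_DIR
# Output lines, one per .so:
#   BOTH name precompiled_bytes src_bytes
#   ONLY_PRECOMPILED name     (no source counterpart to build from)
#   ONLY_SRC name             (built locally, no precompiled twin)
compare_so_dirs() {
    pre="$1"; src="$2"
    for f in "$pre"/*.so; do
        [ -f "$f" ] || continue          # skip the literal glob if empty
        name=$(basename "$f")
        if [ -f "$src/$name" ]; then
            printf 'BOTH %s %s %s\n' "$name" "$(so_size "$f")" "$(so_size "$src/$name")"
        else
            printf 'ONLY_PRECOMPILED %s\n' "$name"
        fi
    done
    for f in "$src"/*.so; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        [ -f "$pre/$name" ] || printf 'ONLY_SRC %s\n' "$name"
    done
}

# Names present in both trees whose sizes differ (e.g. file-flash.so in
# the thread), one per line.
size_mismatches() {
    compare_so_dirs "$1" "$2" | awk '$1 == "BOTH" && $3 != $4 { print $2 }'
}

# Stand-alone usage: compare_so_dirs /path/to/so_rules/precompiled/... /path/to/built
[ $# -eq 2 ] && compare_so_dirs "$1" "$2"
```

A name that appears under ONLY_PRECOMPILED is one for which no source was shipped, which is the case Joel describes; a BOTH line with differing sizes is the situation the thread asks about and is worth checking with pulledpork's chosen version before loading either.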


