[Snort-users] Which so_rules to use

Joel Esler (jesler) jesler at ...589...
Sun May 28 14:30:22 EDT 2017


Precompiled contains everything.   The ones you compile yourself exclude the rules you can't compile yourself.   The advantage is, you can read the source code for those.   



--
Sent from my iPhone

> On May 28, 2017, at 13:33, Charlie Dyer <charlierwdyer at ...11827...> wrote:
> 
> Could someone from Cisco or Snort team provide a definitive answer, or link
> to documentation that explains the difference between precomputed and built
> from source so_rules, the scenarios where you would use one over the other
> and whether you would ever want to use both, and how to do that.
> 
> Many thanks, appreciate your responses.
> 
> Chaz
> 
>> On Sunday, May 28, 2017, James Lay <jlay at ...13475...> wrote:
>> 
>> Probably.  Truth be told I've never got with the source...just rolled with
>> the precompiled and never had a second thought about it ☺
>> 
>> On Sun, 2017-05-28 at 17:05 +0100, Charlie Dyer wrote:
>> 
>> But then don't you miss out on the detections that only Cisco has, 0days
>> and NDA detections for example, that won't have source like Joel mentioned
>> in the initial reply?
>> 
>> 
>> 
>> On Sunday, May 28, 2017, James Lay <jlay at ...13475...> wrote:
>> 
>> If it was me I would go from source if possible, so I can tweak it to
>> my exact system.
>> James
>>> On Sun, 2017-05-28 at 10:16 +0100, Charlie Dyer wrote:
>>> Is anyone able to answer the query below?
>>> 
>>> Essentially, if you have two .so files with the same name, one compiled
>>> from src and one precompiled, which should you use?
>>> 
>>> Many thanks
>>> 
>>> On Wednesday, May 24, 2017, Charlie Dyer <charlierwdyer at ...11827...>
>>> wrote:
>>> 
>>>> 
>>>> Yes I've compiled the src, my question is if you have two .so files
>>>> with the same name, one compiled from src and one precompiled, which
>>>> should you use?
>>>> As you say the precompiled one will have stuff in that the src
>>>> doesn't, but will the src .so files have stuff in the precompiled ones
>>>> don't?
>>>> 
>>>> 
>>>> On Wed, May 24, 2017 at 8:55 PM, Joel Esler (jesler)
>>>> <jesler at ...589...> wrote:
>>>> 
>>>>> 
>>>>> If we provide the src, you can compile them on your own.  The
>>>>> pre-compiled ones are without src, and contain a ton of detection
>>>>> not available anywhere else (zero-days that only we have protection
>>>>> for, etc).
>>>>> 
>>>>> 
>>>>> 
>>>>> --
>>>>> Joel Esler | Talos: Manager | jesler at ...589...
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> On May 24, 2017, at 3:06 PM, Charlie Dyer
>>>>> <charlierwdyer at ...11827...> wrote:
>>>>> 
>>>>> Thanks for your reply, I'll take a look at pulledpork.
>>>>> Can you tell me if the .so files are actually the same and the
>>>>> size difference is just down to compilation differences? Or do the
>>>>> precompiled and src .so files essentially contain different 'stuff'?
>>>>> 
>>>>> 
>>>>> On Wed, May 24, 2017 at 5:29 PM, Joel Esler (jesler)
>>>>> <jesler at ...589...> wrote:
>>>>> 
>>>>>> 
>>>>>> You should use pulledpork to manage your ruleset, it will take
>>>>>> care of which version you need, according to the operating system
>>>>>> you are using or the one you specify.
>>>>>> 
>>>>>> --
>>>>>> Joel Esler | Talos: Manager | jesler at ...589...
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> On May 24, 2017, at 9:14 AM, Charlie Dyer
>>>>>> <charlierwdyer at ...11827...> wrote:
>>>>>> 
>>>>>> Hello
>>>>>> 
>>>>>> I've compiled the so_rules from the src folder but see there are
>>>>>> precompiled so_rules with the same name, but some of them have
>>>>>> vastly different file sizes.  There are also precompiled .so files
>>>>>> which aren't in the src folder once compiled and vice versa.
>>>>>> 
>>>>>> Does anyone know which .so files to use?  For example there is a
>>>>>> file-flash.so in the precompiled folder and the src folder, which
>>>>>> should I use?
>>>>>> 
>>>>>> Many thanks
>>>>>> ------------------------------------------------------------------------------
>>>>>> Check out the vibrant tech community on one of the world's most
>>>>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>>>>> _______________________________________________
>>>>>> Snort-users mailing list
>>>>>> Snort-users at lists.sourceforge.net
>>>>>> Go to this URL to change user options or unsubscribe:
>>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>>> Snort-users list archive:
>>>>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>>>> 
>>>>>> Please visit http://blog.snort.org to stay current on all the latest
>>>>>> Snort news!
>>>>>> 
>>>>>> 
>>>>>> 
>>>>> 
>> 
>> 
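The question that runs through this thread, whether a src-built .so and the precompiled .so of the same name carry the same detection, can be settled empirically rather than by file size: dump the stub rules from each set of shared-object rules and diff the SIDs. The script below is an added example, not code from the thread, from Talos or from the Snort project. It assumes a Snort 2.9.x binary on PATH that accepts --dynamic-engine-lib-dir, --dynamic-detection-lib-dir and --dump-dynamic-rules (the usual invocation is with -c snort.conf; the explicit directory flags are used here so the snort.conf's own dynamicdetection lines do not mix the two sets), and that the dumped stubs are one rule per line.

```shell
#!/bin/sh
# Added example (not from the thread or the Snort project): compare the SIDs
# carried by two sets of Snort 2.9 SO rules, e.g. the precompiled directory
# and the one built from src, by dumping stub rules from each and diffing.
# Assumptions: snort 2.9.x on PATH accepting --dynamic-engine-lib-dir,
# --dynamic-detection-lib-dir and --dump-dynamic-rules; stubs are one rule
# per line, in the "...; sid:NNN; gid:3; rev:N;)" form the dump emits.
LC_ALL=C
export LC_ALL

# Read stub rules on stdin, print one unique SID per line. The output is
# lexically sorted because comm(1) below requires that ordering.
extract_sids() {
    sed -n 's/.*[ (;]sid:\([0-9][0-9]*\);.*/\1/p' | sort -u
}

# Print, space-separated and in numeric order, the SIDs found in stub file
# $1 but absent from stub file $2. Empty output means $1 adds nothing.
sids_only_in() {
    ta=$(mktemp) || return 1
    tb=$(mktemp) || return 1
    extract_sids < "$1" > "$ta"
    extract_sids < "$2" > "$tb"
    comm -23 "$ta" "$tb" | sort -n | tr '\n' ' ' | sed 's/ $//'
    rm -f "$ta" "$tb"
}

# Dump the stub rules for every .so under detection dir $2, loading the
# engine library from $1, and write them concatenated to stdout.
# This is the only part that needs the real snort binary.
dump_stubs() {
    engine_dir=$1
    so_dir=$2
    out=$(mktemp -d) || return 1
    snort -q --dynamic-engine-lib-dir "$engine_dir" \
             --dynamic-detection-lib-dir "$so_dir" \
             --dump-dynamic-rules="$out" >/dev/null 2>&1 \
        || { rm -rf "$out"; return 1; }
    cat "$out"/*.rules
    rm -rf "$out"
}

# Usage: sh so_rule_diff.sh ENGINE_DIR PRECOMPILED_SO_DIR SRC_BUILT_SO_DIR
# (hypothetical script name; runs only when all three directories are given)
if [ "$#" -eq 3 ]; then
    pre=$(mktemp)
    src=$(mktemp)
    dump_stubs "$1" "$2" > "$pre" || { echo "dump of $2 failed" >&2; exit 1; }
    dump_stubs "$1" "$3" > "$src" || { echo "dump of $3 failed" >&2; exit 1; }
    echo "SIDs only in precompiled set: $(sids_only_in "$pre" "$src")"
    echo "SIDs only in src-built set:   $(sids_only_in "$src" "$pre")"
    rm -f "$pre" "$src"
fi
```

Point it at the engine directory and the two so_rules directories; any SID that appears in one column only is detection that set has and the other lacks, which is the information the raw .so sizes cannot give you. If both columns are empty for a same-named pair, the two libraries expose the same rules and the size difference is down to the build.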

