Snort mailing list archives
Re: Difference between Dynamic library rules vs regular rules in snort.conf?
From: Alan Ptak <alan.ptak () gmail com>
Date: Thu, 22 Jul 2010 11:55:16 -0700
Jason,

To the best of my knowledge there is no deliberate overlap between Snort text rules, SO rules, and preprocessor rules. Some rules might appear to be similar but in general will differ in effectiveness, efficiency, etc. In general, each rule addresses a specific detection problem, regardless of type. The type of rule used depends on the nature of the detection problem, and the assessment of the analyst on what method would be most effective or appropriate.

To the OP's question, run both text and SO rules for complete coverage.

HTH .. Alan

On Thu, Jul 22, 2010 at 10:18 AM, Jason Wallace <jason.r.wallace () gmail com> wrote:
While both gid:1 and gid:3 rules are needed, there is some overlap with gid:1, gid:3, and preprocessor rules though, right? It would be nice to have those overlaps identified somewhere.

Wally

On Thu, Jul 22, 2010 at 12:28 PM, Joel Esler <jesler () sourcefire com> wrote:

You DO have to run them both. That's correct.

On Jul 22, 2010, at 12:10 PM, Jefferson, Shawn wrote:

I was told, in a SourceFire training course (Snort Rule Writing Best Practices, which I highly recommend!) by the instructor that all the stuff in the so_rules was also in the text rules and that you didn't need to run the so_rules. My understanding (from asking on this list), and I brought it up in the class, is that you DO have to run both rulesets to have complete protection, since some vulnerabilities/rules are not made public by VRT/SourceFire due to agreements with vendors, and those rules are ONLY in the so_rules. So, IMO, it's important to run both rulesets.

Although I understand the reasoning behind the so_rule format, it's annoying that you can't see into the rule. I find myself doing that a lot when I see an alert to try to understand why it fired... The [rule] link in BASE is great for this, but for so_rules it doesn't tell you much.

________________________________
From: Chan, Wilson [mailto:wchan () honolulu gov]
Sent: Wednesday, July 21, 2010 5:08 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Difference between Dynamic library rules vs regular rules in snort.conf?

What's the difference from the regular rules vs the so_rules? Can you enable both? Thanks!
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/chat.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/multimedia.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/p2p.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/web-activex.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-misc.rules

# dynamic library rules
# include $SO_RULE_PATH/bad-traffic.rules
# include $SO_RULE_PATH/chat.rules
# include $SO_RULE_PATH/dos.rules
# include $SO_RULE_PATH/exploit.rules
# include $SO_RULE_PATH/imap.rules
# include $SO_RULE_PATH/misc.rules
# include $SO_RULE_PATH/multimedia.rules
# include $SO_RULE_PATH/netbios.rules
# include $SO_RULE_PATH/nntp.rules
# include $SO_RULE_PATH/p2p.rules
# include $SO_RULE_PATH/smtp.rules
# include $SO_RULE_PATH/sql.rules
# include $SO_RULE_PATH/web-activex.rules
# include $SO_RULE_PATH/web-client.rules
# include $SO_RULE_PATH/web-misc.rules

Wilson Chan
-- Alan Ptak alan.ptak () gmail com
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
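The gap the thread describes (text rules loaded, every `$SO_RULE_PATH` include commented out) is easy to miss by eye in a long snort.conf. The following is an added example, not code from the thread or from the Snort project: a small checker that parses the include lines, reports the categories whose SO counterpart is commented out, and produces the corrected config. The sample config is constructed to mirror Wilson's; `$RULE_PATH`/`$SO_RULE_PATH` are the variable names snort.conf itself uses.

```python
import re

# Constructed snort.conf excerpt modelled on the one posted in the thread:
# text rule files are included, the so_rules includes are all commented out.
SAMPLE_CONF = """\
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/chat.rules
include $RULE_PATH/exploit.rules
# dynamic library rules
# include $SO_RULE_PATH/bad-traffic.rules
# include $SO_RULE_PATH/chat.rules
"""

# Matches an include of a text or SO rule file, commented out or not.
INCLUDE_RE = re.compile(
    r'^\s*(?P<off>#\s*)?include\s+\$(?P<var>RULE_PATH|SO_RULE_PATH)/'
    r'(?P<cat>\S+)\.rules\s*$')


def parse_includes(conf_text):
    """Map (var, category) -> True if the include is active, False if commented out."""
    state = {}
    for line in conf_text.splitlines():
        m = INCLUDE_RE.match(line)
        if m:
            state[(m.group('var'), m.group('cat'))] = m.group('off') is None
    return state


def audit(conf_text):
    """Categories whose text (gid:1) rules load but whose SO (gid:3) include
    is present and commented out. Categories with no SO file at all are not
    flagged, since not every category ships an SO counterpart."""
    state = parse_includes(conf_text)
    gaps = [cat for (var, cat), on in state.items()
            if var == 'RULE_PATH' and on
            and state.get(('SO_RULE_PATH', cat)) is False]
    return sorted(gaps)


def enable_so_rules(conf_text):
    """Return the config with every '# include $SO_RULE_PATH/...' line uncommented."""
    out = []
    for line in conf_text.splitlines():
        m = INCLUDE_RE.match(line)
        if m and m.group('off') and m.group('var') == 'SO_RULE_PATH':
            line = re.sub(r'^\s*#\s*', '', line)
        out.append(line)
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    print('SO rules commented out for:', audit(SAMPLE_CONF))
    print('after fix:', audit(enable_so_rules(SAMPLE_CONF)))
```

Uncommenting the includes is only half the job: the compiled SO rule libraries still have to be built for your platform and pointed to by the `dynamicdetection` directive before Snort will load them.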
Current thread:
- Difference between Dynamic library rules vs regular rules in snort.conf? Chan, Wilson (Jul 21)
- Re: Difference between Dynamic library rules vs regular rules in snort.conf? Joel Esler (Jul 21)
- Re: Difference between Dynamic library rules vs regular rules in snort.conf? Joel Esler (Jul 21)
- Re: Difference between Dynamic library rules vs regular rules in snort.conf? Jefferson, Shawn (Jul 22)
- Re: Difference between Dynamic library rules vs regular rules in snort.conf? Crook, Parker (Jul 22)
- Re: Difference between Dynamic library rules vs regular rules in snort.conf? Joel Esler (Jul 22)
- Re: Difference between Dynamic library rules vs regular rules in snort.conf? Jason Wallace (Jul 22)
- Re: Difference between Dynamic library rules vs regular rules in snort.conf? Joel Esler (Jul 22)
- Re: Difference between Dynamic library rules vs regular rules in snort.conf? Alan Ptak (Jul 22)
- Re: Difference between Dynamic library rules vs regular rules in snort.conf? Jason Wallace (Jul 22)
- Re: Difference between Dynamic library rules vs regular rules in snort.conf? Joel Esler (Jul 22)
- Re: Difference between Dynamic library rules vs regular rules in snort.conf? Jason Wallace (Jul 22)
- Re: Difference between Dynamic library rules vs regular rules in snort.conf? Joel Esler (Jul 22)