Snort mailing list archives
Re: Clarification on so_rules READ THIS
From: JJC <cummingsj () gmail com>
Date: Wed, 14 Aug 2013 09:36:30 -0600
Banned from list, kthxbye

On Fri, Aug 9, 2013 at 10:57 AM, Safwat Fahmy <safwat.fahmy () safemedia com> wrote:

> Important
>
> Safwat Fahmy
> www.safemedia.com
>
> -----Original Message-----
> From: James Lay [mailto:jlay () slave-tothe-box net]
> Sent: Friday, August 09, 2013 12:12 PM
> To: Snort-users
> Subject: Re: [Snort-users] Clarification on so_rules
>
> On 2013-08-09 10:10, Joel Esler wrote:
>> Pulledpork should take care of everything for you. You don't have to do
>> anything except turn them on via the snort.conf. And yes, you leave them
>> there.
>>
>> --
>> Joel Esler
>>
>> On Aug 9, 2013, at 12:07 PM, James Lay <jlay () slave-tothe-box net> wrote:
>>> All,
>>>
>>> I'm wanting to make sure I have this correct, so here goes. According to
>>> so_rules/src/README:
>>>
>>> To use the shared object rules, the rule stub files must be generated.
>>> To do this, follow these instructions:
>>>
>>> 1. Make sure the dynamic preprocessor and dynamic engine paths are
>>>    defined in snort.conf, for example:
>>>
>>>      dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor
>>>      dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
>>>
>>> 2. Make sure the path to the location of the shared object rules is also
>>>    defined in snort.conf, for example:
>>>
>>>      dynamicdetection directory /usr/local/lib/snort_dynamicrule
>>>
>>> 3. Dump the stub rules by issuing the command:
>>>
>>>      snort -c /usr/local/etc/snort/snort.conf --dump-dynamic-rules=/usr/local/etc/snort/so_rules
>>>
>>> 4. Use a variable to define the path to the stub rules, for example:
>>>
>>>      var SO_RULE_PATH /usr/local/etc/snort/so_rules
>>>
>>> 5. Include the generated stub rule files in snort.conf in the same way
>>>    the regular rules are included, for example:
>>>
>>>      include $SO_RULE_PATH/netbios.rules
>>>
>>> I use pulledpork, so instead, /opt/etc/rules/so_rules/so_rules.rules is
>>> created...so far so good. My question is, what happens with the actual
>>> .so files? Do I delete them..move them...something else? Thanks for any
>>> insight.
>>>
>>> James
>
> Awesome..thanks for the quick response Joel.
>
> James
>
> ------------------------------------------------------------------------------
> Get 100% visibility into Java/.NET code with AppDynamics Lite!
> It's a free troubleshooting tool designed for production. Get down to
> code-level detail for bottlenecks, with <2% overhead. Download for free and
> get started troubleshooting in minutes.
> http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
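The README steps quoted in the thread describe a configuration procedure, and Joel's answer is that the compiled .so files stay in place once the stubs are dumped. The following shell script is an added example, not code from the thread, from pulledpork or from the Snort project: it checks a snort.conf for the directives the README requires (dynamic preprocessor and engine paths, the dynamicdetection directory, an include of the generated stub rules) and confirms the dynamicdetection directory still holds .so files. The configs and paths it runs against are constructed under a temporary directory; the function name check_so_rules_conf and the three demo variants are the example's own.

```shell
#!/bin/sh
# Added example: not code from the thread or from the Snort project.
# Checks that a snort.conf carries the shared-object rule wiring from the
# README steps (dynamic preprocessor/engine paths, dynamicdetection
# directory, an include of the generated stubs) and that the compiled .so
# files are still present in the dynamicdetection directory. The demo
# paths below are constructed under a temporary directory.

# check_so_rules_conf CONF
#   Prints one line per missing prerequisite; returns 0 only if all are met.
check_so_rules_conf() {
    conf="$1"
    problems=0

    # Step 1: dynamic preprocessor directory and dynamic engine library.
    grep -Eq '^[[:space:]]*dynamicpreprocessor[[:space:]]+directory[[:space:]]+[^[:space:]]' "$conf" \
        || { echo "missing: dynamicpreprocessor directory"; problems=$((problems + 1)); }
    grep -Eq '^[[:space:]]*dynamicengine[[:space:]]+[^[:space:]]' "$conf" \
        || { echo "missing: dynamicengine"; problems=$((problems + 1)); }

    # Step 2: directory holding the compiled shared-object rules.
    so_dir=$(awk '/^[ \t]*dynamicdetection[ \t]+directory[ \t]+/ { print $3; exit }' "$conf")
    if [ -z "$so_dir" ]; then
        echo "missing: dynamicdetection directory"
        problems=$((problems + 1))
    # The .so files stay here after the stubs are dumped; the stubs alone
    # do nothing without them.
    elif ! ls "$so_dir"/*.so >/dev/null 2>&1; then
        echo "no .so files in dynamicdetection directory $so_dir"
        problems=$((problems + 1))
    fi

    # Steps 4 and 5: the generated stub rules must be included, either
    # through $SO_RULE_PATH or, with the pulledpork layout, so_rules.rules.
    grep -Eq '^[[:space:]]*include[[:space:]]+(\$SO_RULE_PATH/|.*so_rules\.rules)' "$conf" \
        || { echo "missing: include of the generated stub rules"; problems=$((problems + 1)); }

    [ "$problems" -eq 0 ]
}

# --- Constructed demo input (not a real deployment) ---
demo_root=$(mktemp -d)
mkdir -p "$demo_root/lib/snort_dynamicrule" "$demo_root/lib/empty" "$demo_root/etc"
# Stand-in for a compiled shared-object rule from the rule tarball.
: > "$demo_root/lib/snort_dynamicrule/netbios.so"

good_conf="$demo_root/etc/snort.conf"
cat > "$good_conf" <<EOF
dynamicpreprocessor directory $demo_root/lib/snort_dynamicpreprocessor
dynamicengine $demo_root/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory $demo_root/lib/snort_dynamicrule
var SO_RULE_PATH $demo_root/etc/so_rules
include \$SO_RULE_PATH/netbios.rules
EOF

# Variant 1: dynamicdetection directory left out of snort.conf.
no_dir_conf="$demo_root/etc/snort-nodir.conf"
grep -v '^dynamicdetection' "$good_conf" > "$no_dir_conf"

# Variant 2: .so files removed after dumping the stubs (the thread's question).
no_so_conf="$demo_root/etc/snort-noso.conf"
sed "s|$demo_root/lib/snort_dynamicrule|$demo_root/lib/empty|" "$good_conf" > "$no_so_conf"

for c in "$good_conf" "$no_dir_conf" "$no_so_conf"; do
    if check_so_rules_conf "$c"; then
        echo "OK: $c"
    else
        echo "FAIL: $c"
    fi
done
```

Run it against a real snort.conf by calling check_so_rules_conf with that path; a clean result means the README wiring is present and the .so files the stubs depend on are still where dynamicdetection points.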
Current thread:
- Re: Clarification on so_rules READ THIS Safwat Fahmy (Aug 14)
- Re: Clarification on so_rules READ THIS JJC (Aug 14)
- Re: Clarification on so_rules READ THIS JJC (Aug 14)
- Re: Clarification on so_rules READ THIS JJC (Aug 14)