Snort mailing list archives

Re: Snort SO Compiler


From: Patrick Mullen <pmullen () sourcefire com>
Date: Tue, 17 Nov 2015 20:58:34 -0600

The SO generator is an entirely different topic and won't help you here.

Patrick
On Nov 17, 2015 6:01 PM, "Rob Weiss" <rob.weiss () g2-inc com> wrote:

We could not seem to get that to work today. No matter what rule we put
in, it told us that the rule was not valid. However, I'd be pleased to look
at the code, if it is open source.

On Tue, Nov 17, 2015 at 3:04 PM, Y M <snort () outlook com> wrote:

Is the Shared Object Rule Generator at
https://labs.snort.org/cgi-bin/sorules.cgi still a valid option?
_____________________________
From: Patrick Mullen <pmullen () sourcefire com>
Sent: Tuesday, November 17, 2015 10:52 PM
Subject: Re: [Snort-sigs] Snort SO Compiler
To: Rob Weiss <rob.weiss () g2-inc com>
Cc: Snort Sigs <snort-sigs () lists sourceforge net>



Shared Object rules have their own makefile.  Build snort and save the
resultant directory tree.  Update the SO Makefile to point to that
directory and set the proper version and make should work fine.

The build process will automatically dump the stub rules files in the
same directory as your build.  Those are the files to copy to be loaded by
snort somewhere and the shared object files need to be placed in the
directory specified in your snort.conf.

Thanks,

Patrick
We are looking at how to compile the rules into SOs to distribute them to
our snort instances. The docs are hard to follow and it seems like whatever
process that is available is not working for us at the moment.

Is there a concise guide? Does snort, itself, dump the rules into SOs? Or
does it only dump the SOs that were initially loaded into snort?

Hope this is not too confusing.

Thanks,
Rob.
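
The deployment step described in the thread (stub rules copied to a rules directory, shared objects placed in the directory named in snort.conf), as an added example that is not part of the original messages or of Snort's own tooling. It assumes a Snort 2.x `dynamicdetection directory <path>` line in snort.conf and that each `.so` has a stub `.rules` file with the same base name; the function names and arguments are hypothetical.

```shell
#!/bin/sh
# Added example: copy locally built SO rules into place for Snort 2.x.
# Assumptions (not from the thread): snort.conf names the shared object
# directory with "dynamicdetection directory <path>", and the build
# directory holds NAME.so next to its stub NAME.rules.

# Print the dynamicdetection directory configured in a snort.conf.
# Commented-out lines are skipped because "#" becomes part of field 1.
so_dir_from_conf() {
    awk '$1 == "dynamicdetection" && $2 == "directory" { print $3; exit }' "$1"
}

# deploy_so_rules BUILD_DIR SNORT_CONF STUB_DEST
# Return codes: 0 ok, 1 no directory in conf, 2 no .so built,
#               3 copy/mkdir failure, 4 a .so has no stub rules file.
deploy_so_rules() {
    build_dir=$1; conf=$2; stub_dest=$3
    so_dest=$(so_dir_from_conf "$conf")
    if [ -z "$so_dest" ]; then
        echo "no 'dynamicdetection directory' line in $conf" >&2
        return 1
    fi
    # Expand the glob once to detect an empty build directory.
    set -- "$build_dir"/*.so
    [ -e "$1" ] || { echo "no .so files in $build_dir" >&2; return 2; }
    mkdir -p "$so_dest" "$stub_dest" || return 3
    for so in "$build_dir"/*.so; do
        stub="${so%.so}.rules"
        # A shared object without its stub rule would load but stay inactive.
        if [ ! -f "$stub" ]; then
            echo "missing stub rules file for $so" >&2
            return 4
        fi
        cp "$so" "$so_dest"/ && cp "$stub" "$stub_dest"/ || return 3
    done
}
```

The stub destination still has to be referenced from snort.conf with an `include` line for the copied rules to be loaded.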

------------------------------------------------------------------------------


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!



