
[Snort-users] Shared Object Rules vs. the New Rules Language

Subject: [Snort-users] Shared Object Rules vs. the New Rules Language
Date: Thu, 18 May 2006 15:57:42 -0400
Hey everyone,

There seems to be a good deal of confusion over the recent release of
Shared Object (SO) rules and the future of the rules language so I
thought I would try to clear things up a bit.

First off, the new SO Rule option is not the new rules language.  SO
Rules are intended to provide researchers with the ability to write more
complex rules for enhanced detection. In addition, we are working on a
new rules language for the Snort 3.0 release that will be developed
independently of the SO rule option. The timeframe for this release is
currently unknown but I can assure the community that details will be
forthcoming as we move forward.

Now to answer a few of the questions we have received lately:

1. Just what is an SO rule?

An SO rule is a loadable Snort module that can quickly extend the
detection capabilities of Snort. We have added an API to the detection
engine so that vulnerability researchers aren't restricted by the finite
number of Snort keywords when writing rules. This also allows the rule
writer to do some very complex things as they now have the full power of
the C language at their disposal.

2. So do I have to learn C to write Snort rules now?

No. SO rules are certainly an option but you are still free to use the
standard Snort rules language. This release simply provides additional
functionality; we have not removed any. We might force you to learn LISP
in the future though.  Just kidding  :-)

3. Why not just use the SPP or detection C templates?

SO rules provide a flexible way to add detection functionality.
Writing preprocessors and detection keywords requires a considerable
amount of research and time as they are multi-functional and are used to
detect pieces of many vulnerabilities. On the other hand, SO rules
are focused on a specific vulnerability, making them less complex to
write and use.


4. Is the SO API GPL?

Yes, the API has been released under the GPL.


5. So should I create an environment for my Snort sensors to compile SO
rules?

While not required, we would certainly recommend it. As mentioned before,
these provide users with the ability to write much more complex rules.


I hope this helps to clear up some of the confusion. We will be adding
the above information to the Snort FAQs. If you have any questions, just
let us know.

Cheers,
Jennifer



-- 
Jennifer S. Steffens
Director, Product Management - Snort
Sourcefire - Security for the Real World
W: 410.423.1930 | C: 202.409.7707
www.sourcefire.com | www.snort.org
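The message above describes SO rules as a way to carry detection logic in C that goes beyond fixed rule keywords. The block below is an added, stand-alone C illustration of that kind of structural check; it is not the Snort SO rule API (which this page does not describe), and the function name, the TLV message format and the sample bytes are assumptions constructed for the example.

```c
/* Added example: a stand-alone detection function of the kind an SO rule
 * could carry. NOT the Snort SO rule API; the message format below is a
 * hypothetical TLV layout invented for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical message: 2-byte big-endian total length, followed by records
 * of 1-byte type, 2-byte big-endian length, and value bytes.
 * Returns 1 if the payload is malformed in a way a parser could mishandle
 * (length fields that disagree with the bytes actually on the wire), else 0.
 * This consistency check across several fields is awkward to express with
 * a finite set of content/byte keywords but is a few lines of C. */
int detect_malformed_tlv(const uint8_t *p, size_t len)
{
    if (len < 2)
        return 0;                          /* too short to judge */
    size_t declared = ((size_t)p[0] << 8) | p[1];
    if (declared != len)
        return 1;                          /* header disagrees with wire length */
    size_t off = 2;
    while (off < len) {
        if (len - off < 3)
            return 1;                      /* truncated record header */
        size_t rlen = ((size_t)p[off + 1] << 8) | p[off + 2];
        off += 3;
        if (rlen > len - off)
            return 1;                      /* record claims more than remains */
        off += rlen;
    }
    return 0;
}

/* Constructed sample payloads, not captured traffic. */
static const uint8_t good_msg[] = {0x00, 0x08, 0x01, 0x00, 0x03, 'a', 'b', 'c'};
static const uint8_t bad_msg[]  = {0x00, 0x08, 0x01, 0xFF, 0xFF, 'a', 'b', 'c'};

int main(void)
{
    printf("good_msg: %d\n", detect_malformed_tlv(good_msg, sizeof good_msg));
    printf("bad_msg:  %d\n", detect_malformed_tlv(bad_msg, sizeof bad_msg));
    return 0;
}
```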





