OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Re: [Snort-users] SO Rules: More complex rule writing

From: Ryan Jordan (ryan.jordansourcefire.com)
Date: Tue Mar 24 2009 - 12:36:14 CDT


SO rules are written using the C programming language. We give you the means
to write your own function that gets called whenever your rule is checked.
Ultimately, you would still do some computation and report "Match" or "No
Match", but you can get really creative. We also give you functions to
access the detection plugins, so you can check/set flowbits, use PCRE, etc.

I would highly suggest only writing SO rules if you cannot accomplish your
goals with normal Snort rules. For a silly example, if you wanted to alert
when the payload is a palindrome, it would be much simpler to write a
palindrome-checking C function and put it in an SO rule.

For more information about the API, check out the "Dynamic Modules" section
of the Snort manual:
http://www.snort.org/docs/snort_htmanuals/htmanual_2832/node403.html

For a couple example rules, download the Snort source code and look in
"src/dynamic-examples/dynamic-rule/".

If you hit any snags after reading up on this stuff, I'll be here.

--Ryan

On Tue, Mar 24, 2009 at 12:33 PM, Mnemonyss <mnemonyssgmail.com> wrote:

> I just wanted to get a little more information on what exactly the SO
> format of the rules in 2.6 and later will do exactly.
> I keep reading that one can write more complex rules using it.
>
> Does this mean I can write a rule that instead of just looking for a
> keyword and alerting, it can do more?
>
> To keep it simple something like :
> For all traffic encountered matching A but not C and D and F then alert?
>
> I'm still trying to find more documentation on this and having a hard
> time. Please point me in the right direction.
>
> Thank you,
>
> Alicia
>
>
> ------------------------------------------------------------------------------
> Apps built with the Adobe(R) Flex(R) framework and Flex Builder(TM) are
> powering Web 2.0 with engaging, cross-platform capabilities. Quickly and
> easily build your RIAs with Flex Builder, the Eclipse(TM)based development
> software that enables intelligent coding and step-through debugging.
> Download the free 60 day trial. http://p.sf.net/sfu/www-adobe-com
> _______________________________________________
> Snort-users mailing list
> Snort-userslists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users<https://lists.sourceforge.net/lists/listinfo/snort-users%0ASnort-users>list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>

------------------------------------------------------------------------------
Apps built with the Adobe(R) Flex(R) framework and Flex Builder(TM) are
powering Web 2.0 with engaging, cross-platform capabilities. Quickly and
easily build your RIAs with Flex Builder, the Eclipse(TM)based development
software that enables intelligent coding and step-through debugging.
Download the free 60 day trial. http://p.sf.net/sfu/www-adobe-com

_______________________________________________
Snort-users mailing list
Snort-userslists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users