Snort - the de facto standard for intrusion detection/prevention

5.8 How do you run Snort to recognize SO rules?

Now, you have to tell Snort where to find the newly created SO rule and where to find the shared object module that you created.

The contents of Snort_Dynamic_Rule_Example.rules need to be placed where Snort finds its other rules. You can do this in a couple of ways:

  • Take the contents of Snort_Dynamic_Rule_Example.rules and place them in rules/local.rules

  • Create a file in the rules directory for all of your SO rules. For instance, you may name this so.rules. Make sure that you include this new rules file name in your snort.conf along with the other rule include statements at the bottom. Copy the Snort_Dynamic_Rule_Example.rules into your rules/so.rules file.

Finally, you will need to tell Snort where to find the shared object module you just created. You can also do this in a number of ways. You can inform Snort of the location of a shared object directory where many shared object files reside, or you can let Snort know of a specific shared object file. Let's say you put the new p2p.so file in a directory you name /usr/local/lib/snort_dynamicrule.

In the snort.conf you can indicate that your directory is:

   dynamicdetection directory /usr/local/lib/snort_dynamicrule/

Alternatively, in the snort.conf you can indicate that your file is:

   dynamicdetection file /usr/local/lib/snort_dynamicrule/p2p.so

Or, if you don't want to make a permanent change to your snort.conf file, you can supply the shared object location as a command line option to Snort (one command, continued over two lines):

   snort -c snort.conf --dynamic-detection-lib-dir=/usr/local/lib/snort_dynamicrule/ \
         --dynamic-engine-lib=/usr/local/lib/snort_dynamicengine/libsf_engine.so
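As an added example (not from the Snort manual), the following POSIX shell helper carries out the steps above against a snort.conf and then checks that every reference the SO rule needs is in place before Snort is started. The `include $RULE_PATH/...` form, the `rules/` layout and the path of the compiled module are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Snort manual. Assumed layout (constructed):
# CONF is snort.conf, RULES_DIR holds local.rules and friends, STUB is the
# generated Snort_Dynamic_Rule_Example.rules, SO_DIR holds the compiled .so.

# install_so_rule CONF RULES_DIR STUB SO_DIR
install_so_rule() {
    conf=$1; rules_dir=$2; stub=$3; so_dir=$4

    # 1. Append the rule stub to rules/so.rules (keeps any SO rules already there).
    cat "$stub" >> "$rules_dir/so.rules"

    # 2. Include so.rules from snort.conf next to the other rule includes
    #    (the $RULE_PATH variable is the usual snort.conf convention, assumed here).
    grep -q '^include \$RULE_PATH/so.rules' "$conf" ||
        printf 'include $RULE_PATH/so.rules\n' >> "$conf"

    # 3. Point Snort at the directory that holds the shared object modules.
    grep -q '^dynamicdetection directory ' "$conf" ||
        printf 'dynamicdetection directory %s/\n' "$so_dir" >> "$conf"
}

# verify_so_rule CONF RULES_DIR SO_DIR
# Returns 0 when the include, the rules file and the module directory all
# resolve; otherwise prints what is missing and returns 1, so a broken
# configuration is caught before Snort refuses to start.
verify_so_rule() {
    conf=$1; rules_dir=$2; so_dir=$3; rc=0

    grep -q '^include \$RULE_PATH/so.rules' "$conf" ||
        { echo "missing: include for so.rules in $conf"; rc=1; }

    [ -s "$rules_dir/so.rules" ] ||
        { echo "missing: $rules_dir/so.rules is absent or empty"; rc=1; }

    # The directory named in snort.conf must exist ...
    dir=$(sed -n 's/^dynamicdetection directory[ ]*//p' "$conf" | head -n 1)
    [ -n "$dir" ] && [ -d "$dir" ] ||
        { echo "missing: dynamicdetection directory ($dir) does not exist"; rc=1; }

    # ... and actually contain at least one shared object module.
    ls "$so_dir"/*.so >/dev/null 2>&1 ||
        { echo "missing: no .so modules in $so_dir"; rc=1; }

    return $rc
}
```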


Nigel Houghton 2006-10-02