About Shared Object Rules

The following information is also available in the rules tarball under so_rules/SRC/README

Pre-Compile SO Rules: Supported Platforms

The following is the current list of platforms supported by the VRT for pre-compiled so_rules:

  • FreeBSD 8.1 i386
  • FreeBSD 8.1 x86-64
  • OpenBSD 4.8 x86-64
  • OpenBSD 4.8 i386
  • Debian 6.0 i386
  • Debian 6.0 x86-64
  • Fedora Core 12 i386
  • Fedora Core 12 x86-64
  • Fedora Core 14 i386
  • Fedora Core 14 x86-64
  • RHEL 5.5 i386
  • RHEL 5.5 x86-64
  • RHEL 6.0 i386
  • RHEL 6.0 x86-64
  • Ubuntu 10.4 x86-64
  • Ubuntu 10.4 i386
  • Ubuntu 12.4 x86-64
  • Ubuntu 12.4 i386
  • CentOS 5.4 i386
  • CentOS 5.4 x86-64
  • OpenSuSE 11.3 x86-64
  • OpenSuSE 11.3 i386
  • OpenSuSE 11.4 i386
  • OpenSuSE 11.4 x86-64
  • OpenSuSE 12.1 x86-64
  • OpenSuSE 12.1 i386
  • Slackware 13.1 x86-64

If your platform / distribution is not currently listed above, this does not mean these shared objects won’t work on your platform. Numerous Linux distributions share common libc versions, so it is possible that one of the above distributions and platforms will work on your system. If none of the above binaries work on your platform, please send a note to the snort-sigs mailing list so we can determine whether additional platforms and distributions need to be added to the list of supported platforms.

Use PulledPork!

It is highly recommended that you use PulledPork to download and manage your Shared Object rules. PulledPork not only places and uses the Shared Object rules correctly, but it performs many other functions as well (default Sourcefire policy generation, automatic flowbit resolution, etc.).

Using VRT Certified Shared Object Rules

In order to instantiate shared object rules, a rule stub file is required. These stub files are not distributed in the VRT Certified rule packs; however, they can be generated using snort.

Here is an example showing the pertinent configuration options in snort.conf along with the command line option required to generate the stub files. In some installations the files may reside in /etc/; this example uses /usr/local/etc as the location for the configuration files.

In snort.conf, first set up some global variables:

var CONF_PATH /usr/local/etc/snort
var LIB_PATH /usr/local/lib
var SORULE_PATH $CONF_PATH/so_rules

Dynamic preprocessor and dynamic engine information:

dynamicpreprocessor directory $LIB_PATH/snort_dynamicpreprocessor
dynamicengine $LIB_PATH/snort_dynamicengine/libsf_engine.so

Here is the configuration option that lists the location of the shared object files that snort is to use:

dynamicdetection directory $LIB_PATH/snort_dynamicrules

Dumping the rules

To dump the rule stub files into the required location, the --dump-dynamic-rules option is used like so:

snort -c /usr/local/etc/snort/snort.conf --dump-dynamic-rules=/usr/local/etc/snort/so_rules

This command tells snort to read the snort.conf file, where (thanks to the configuration options above) it will find the dynamic rule libraries, and then use those libraries to generate the stub files and put them into /usr/local/etc/snort/so_rules/.

After this is complete, the rule files appear in the directory.

# ls /usr/local/etc/snort/so_rules/
bad-traffic.rules  imap.rules        nntp.rules  web-client.rules
chat.rules         misc.rules        p2p.rules   web-misc.rules
dos.rules          multimedia.rules  smtp.rules
exploit.rules      netbios.rules     sql.rules

Using the rules

At the end of the snort.conf file, list the locations of the stub files that can now be used:

include $SORULE_PATH/bad-traffic.rules
include $SORULE_PATH/chat.rules
include $SORULE_PATH/dos.rules
include $SORULE_PATH/exploit.rules
include $SORULE_PATH/imap.rules
include $SORULE_PATH/misc.rules
include $SORULE_PATH/multimedia.rules
include $SORULE_PATH/netbios.rules
include $SORULE_PATH/nntp.rules
include $SORULE_PATH/p2p.rules
include $SORULE_PATH/smtp.rules
include $SORULE_PATH/sql.rules
include $SORULE_PATH/web-client.rules
include $SORULE_PATH/web-misc.rules
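As an added example that is not part of the VRT README, the following POSIX shell function generates the include lines above from whatever stub files the --dump-dynamic-rules step actually produced, and flags two silent failure modes before snort is restarted: an empty stub (the dump wrote nothing for that category) and a stub with no matching shared object in the dynamicdetection directory. The pairing of each foo.rules stub with a foo.so library is an assumption; the sample directory names are constructed.

```shell
#!/bin/sh
# Run after:
#   snort -c $CONF_PATH/snort.conf --dump-dynamic-rules=$SORULE_PATH
# gen_so_includes STUB_DIR SO_DIR
#   Prints one "include $SORULE_PATH/<name>.rules" line per usable stub.
#   Stubs that are empty, or that have no <name>.so beside the detection
#   libraries, are skipped with a warning on stderr so they never reach
#   snort.conf. Returns 1 if anything was skipped, 0 otherwise.
# Assumption: each stub <name>.rules corresponds to a library <name>.so.
gen_so_includes() {
    stub_dir=$1
    so_dir=$2
    status=0
    for stub in "$stub_dir"/*.rules; do
        # Unmatched glob: no stubs were generated at all.
        [ -e "$stub" ] || { echo "no .rules stubs in $stub_dir" >&2; return 1; }
        name=$(basename "$stub" .rules)
        if [ ! -s "$stub" ]; then
            echo "warning: $stub is empty, skipping" >&2
            status=1
            continue
        fi
        if [ ! -f "$so_dir/$name.so" ]; then
            echo "warning: $stub has no $so_dir/$name.so, skipping" >&2
            status=1
            continue
        fi
        # Literal $SORULE_PATH: snort expands the variable, not the shell.
        printf 'include $SORULE_PATH/%s.rules\n' "$name"
    done
    return $status
}

# Stand-alone use with the README's layout (constructed paths):
#   sh this_script.sh run >> /usr/local/etc/snort/snort.conf
if [ "${1:-}" = "run" ]; then
    gen_so_includes /usr/local/etc/snort/so_rules /usr/local/lib/snort_dynamicrules
fi
```

Redirect the output into snort.conf only after reviewing the warnings; a non-zero exit means at least one category was left out.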