snort-users September 2010 archive

Re: [Snort-users] Rule performance profiling question

From: Joel Esler <jesler_at_nospam>
Date: Thu Sep 16 2010 - 15:46:20 GMT
To: wkitty42@windstream.net

There are many reasons that SO rules are made.

ONE of which is that Sourcefire has agreements with organizations that
obfuscation of the detection method for those rules is necessary.

SO rules are also "C". This allows a lot more complex detection than is
available in the plaintext Snort language.

For example, if we have to take two dynamically calculated numbers from two
different parsed file formats and compare them to each other.

Joel

On Thu, Sep 16, 2010 at 11:24 AM, waldo kitty <wkitty42@windstream.net> wrote:

> On 9/16/2010 09:07, Andy Berryman wrote:
> > Joel wrote that they “both are SO rules.”
> >
> > What does that have to do with it? Does it make a difference that they
> > are so rules?
>
> yes... because they are GID:3 while the normal text rules in the *.rules
> files are GID:1... GID:3 are binary and if one is not using them, one
> cannot locate their SID ;)
>
> with GID:3 being binary, there is also the problem of them having to be
> distributed in pre-compiled format... that means that they must be
> compatible with one's kernel and environment... if there are no
> pre-compiled rules that fit one's kernel and environment, then one cannot
> use GID:3 rules at all... well, not unless their source is available and
> can be compiled for one's environment... however, making the source for
> GID:3 rules available negates the reason for their existence in the first
> place... that reason is to prevent folk from seeing what is being detected
> and how so that they cannot work to avoid the detection...
>
> IIUC, GID:3 rules detect traffic problems that have not yet been made
> public...

------------------------------------------------------------------------------
Start uncovering the many advantages of virtual appliances
and start using them to simplify application deployment and
accelerate your shift to cloud computing.
http://p.sf.net/sfu/novell-sfdev2dev

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
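As an added example (not part of the thread, and not Snort project code), a small Python script that reads Snort alert_fast lines and reports whether each hit came from a GID:1 text rule, a GID:3 shared-object rule, or a preprocessor/decoder, which is the distinction the reply above is drawing. The alert lines are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample of Snort alert_fast output (not taken from the thread).
SAMPLE_ALERTS = """\
09/16-11:24:01.000001  [**] [1:2000001:2] LOCAL text rule hit [**] [Priority: 3] {TCP} 10.0.0.5:51234 -> 10.0.0.9:80
09/16-11:24:02.000002  [**] [3:16000:4] Shared-object rule hit [**] [Priority: 1] {TCP} 10.0.0.7:4433 -> 10.0.0.9:443
09/16-11:24:03.000003  [**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**] [Priority: 3] {TCP} 10.0.0.5:51235 -> 10.0.0.9:80
"""

# alert_fast carries the rule identity as "[gid:sid:rev] msg" between "[**]" markers.
ALERT_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]")


def rule_source(gid):
    """Map a generator id to where the matching rule body can be looked up."""
    if gid == 1:
        return "text rule (*.rules)"
    if gid == 3:
        return "shared-object rule (precompiled .so, stub in so_rules/)"
    # Everything else is emitted by a preprocessor or decoder, not a rule file.
    return "preprocessor/decoder (gid %d)" % gid


def parse_alerts(text):
    """Return one dict per recognised alert line: gid, sid, rev, msg, source."""
    hits = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # not an alert_fast line; skip silently
        gid, sid, rev = (int(x) for x in m.group(1, 2, 3))
        hits.append({"gid": gid, "sid": sid, "rev": rev,
                     "msg": m.group(4), "source": rule_source(gid)})
    return hits


def summarize(hits):
    """Count hits by rule source so SO-rule alerts stand out in a log review."""
    return Counter(h["source"] for h in hits)


if __name__ == "__main__":
    for h in parse_alerts(SAMPLE_ALERTS):
        print("%d:%d:%d  %-55s %s" % (h["gid"], h["sid"], h["rev"], h["source"], h["msg"]))
    print(summarize(parse_alerts(SAMPLE_ALERTS)))
```

Run it against a real alert file to see which hits need the so_rules stub files (GID:3) rather than the plain *.rules files to resolve their SID.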