Focus on IDS
Re: Intrusion Detection Evaluation Datasets Mar 19 2009 06:45PM
Martin Roesch (roesch sourcefire com)
Hi Damiano,

I didn't say it was easy, I said it was possible. :)

The reason we have rules in the first place is so that you don't have
to write raw C code to detect things and that's a Good Thing as far as
most people are concerned. The point I was making is that Snort *can*
detect anything you want it to, we've built flexibility and
extensibility into it from day one. It may be a little ugly, but the
capability is there.

That said, I prefer that people use the rule language where possible
because it's harder to get yourself in trouble with. Getting
formalized rules primitives in place to do some of these things takes a
while though and rule creation can be a near real-time necessity.
That's why things like .so rules exist so users (and Sourcefire) can
provide coverage beyond the capabilities of the detection engine and
the rules language.

Marty

On Thu, Mar 19, 2009 at 5:06 AM, Damiano Bolzoni
<damiano.bolzoni (at) utwente (dot) nl> wrote:
> On 19/03/2009 1.49, Martin Roesch wrote:
>>
>> You guys do know that anything you can't do in the Snort rules
>> language natively can be done using .so rules, right?  Write your
>> rules in C, store data statefully within Snort, manipulate things like
>> flowbits that other rules can reference, pretty much anything you care
>> to do in C.  The only thing you can't do with it is generate
>> pseudopackets for other subsystems to analyze.
>
> Marty,
> .so rules offer indeed a high degree of personalization. However, you need
> to know what you're doing...it's C code, and we all know what that means. I
> would like to see a "neater" way to do that, with something more similar to
> "normal" Snort rules. I know there is a price to pay for this: I won't be
> able to push the analysis so in depth as with a .so rule. But I believe a
> user would prefer the rule to the C code...perhaps I'm wrong :)
>
> --
> Damiano Bolzoni
>
> damiano.bolzoni (at) utwente (dot) nl
> Homepage http://dies.ewi.utwente.nl/~bolzonid/
> PGP public key http://dies.ewi.utwente.nl/~bolzonid/public_key.asc
> Skype ID: damiano.bolzoni (at) utwente (dot) nl
>
> Distributed and Embedded Security Group - University of Twente
> P.O. Box 217 7500AE Enschede, The Netherlands
> Phone +31 53 4892477
> Mobile +31 629 008724
> ZILVERLING building, room 3013

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org

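As an added example (not from the original post and not from the Snort project's own rule set), here is the kind of stateful, cross-rule logic Marty describes, written entirely in the Snort 2 rule language with flowbits rather than in a .so rule. The flowbit name ftp.logged_in, the SIDs in the local range, and the FTP traffic pattern are assumptions for illustration.

```snort
# Rule 1: the server accepted a login on this flow. Record that fact as a
# flowbit and suppress the alert itself (state only, nothing to triage yet).
alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"FTP login accepted (state only)"; flow:established,from_server; content:"230 "; depth:4; flowbits:set,ftp.logged_in; flowbits:noalert; sid:1000001; rev:1;)

# Rule 2: fires only if rule 1 has already set the bit on the SAME flow, so a
# SITE command arriving before authentication never matches here.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE command after authenticated login"; flow:established,to_server; flowbits:isset,ftp.logged_in; content:"SITE "; nocase; depth:5; sid:1000002; rev:1;)

# Rule 3: clear the state when the client logs out, again without alerting,
# so a later login on a reused flow starts from a clean bit.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP QUIT (clear state)"; flow:established,to_server; content:"QUIT"; nocase; depth:4; flowbits:unset,ftp.logged_in; flowbits:noalert; sid:1000003; rev:1;)
```

The three rules share state only because flowbits are scoped to the session tracked by the stream preprocessor: rule 1 sets the bit without alerting (flowbits:noalert), rule 2 tests it with isset, and rule 3 unsets it. Check that stream reassembly is enabled for port 21 in snort.conf, otherwise flow:established never matches and neither rule 1 nor rule 2 fires. What this cannot do is exactly what the post leaves to .so rules: keep state across different flows or hosts, count or correlate events over time, or parse a protocol beyond what content, pcre and the byte_* options express.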
Copyright 2010, SecurityFocus