On 19/03/2009 1.49, Martin Roesch wrote:
You guys do know that anything you can't do in the Snort rules
language natively can be done using .so rules, right?  Write your
rules in C, store data statefully within Snort, manipulate things like
flowbits that other rules can reference, pretty much anything you care
to do in C.  The only thing you can't do with it is generate
pseudopackets for other subsystems to analyze.

Marty,
.so rules do indeed offer a high degree of personalization. However, you need to know what you're doing... it's C code, and we all know what that means. I would like to see a "neater" way to do that, with something more similar to "normal" Snort rules. I know there is a price to pay for this: I won't be able to push the analysis as deep as with a .so rule. But I believe a user would prefer the rule to the C code... perhaps I'm wrong :)

--
Damiano Bolzoni

[email protected]
Homepage http://dies.ewi.utwente.nl/~bolzonid/
PGP public key http://dies.ewi.utwente.nl/~bolzonid/public_key.asc
Skype ID: [email protected]

Distributed and Embedded Security Group - University of Twente
P.O. Box 217 7500AE Enschede, The Netherlands
Phone +31 53 4892477
Mobile +31 629 008724
ZILVERLING building, room 3013
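As an added illustration of the middle ground discussed above (not part of either message in this thread): the stateful, cross-rule behaviour Marty mentions is partly reachable from the native rules language through flowbits. The port, content strings, flowbit name and sids below are constructed for the example.

```snort
# Stage 1: a client sends the (constructed) "HELO probe" command on the example
# service port. Record that on the flow with a flowbit, but raise no alert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 3000 (msg:"EXAMPLE stage 1 seen"; flow:to_server,established; content:"HELO probe"; nocase; flowbits:set,example.stage1; flowbits:noalert; sid:1000001; rev:1;)

# Stage 2: a later "DUMP" command on the same flow only matters if stage 1 was
# seen earlier on that flow; isset makes this rule depend on the first one.
alert tcp $EXTERNAL_NET any -> $HOME_NET 3000 (msg:"EXAMPLE two-stage sequence on one flow"; flow:to_server,established; content:"DUMP"; flowbits:isset,example.stage1; sid:1000002; rev:1;)

# Reset: a (constructed) server response clears the bit, so further DUMP
# commands on this flow stop matching until stage 1 is observed again.
alert tcp $HOME_NET 3000 -> $EXTERNAL_NET any (msg:"EXAMPLE stage reset"; flow:to_client,established; content:"220 OK"; flowbits:unset,example.stage1; flowbits:noalert; sid:1000003; rev:1;)
```

Flowbits are boolean flags scoped to a single flow, so counters, thresholds over many sessions, or data carried across flows are exactly the cases where a .so rule written in C is still needed.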

