Hi Damiano, I didn't say it was easy, I said it was possible. :)
The reason we have rules in the first place it so that you don't have to write raw C code to detect things and that's a Good Thing as far as most people are concerned. The point I was making is that Snort *can* detect anything you want it to, we've built flexibility and extensibility into it from day one. It may be a little ugly, but the capability is there. That said, I prefer that people use the rule language where possible because it's harder to get yourself in trouble with. Getting formalized rules primitives in place to do some of these things take a while though and rule creation can be a near real-time necessity. That's why things like .so rules exist so users (and Sourcefire) can provide coverage beyond the capabilities of the detection engine and the rules language. Marty On Thu, Mar 19, 2009 at 5:06 AM, Damiano Bolzoni <[email protected]> wrote: > On 19/03/2009 1.49, Martin Roesch wrote: >> >> You guys do know that anything you can't do in the Snort rules >> language natively can be done using .so rules, right? Write your >> rules in C, store data statefully within Snort, manipulate things like >> flowbits that other rules can reference, pretty much anything you care >> to do in C. The only thing you can't do with it is generate >> pseudopackets for other subsystems to analyze. > > Marty, > .so rules offer indeed a high degree of personalization. However, you need > to know what you're doing...it's C code, and we all know what that means. I > would like to see a "neater" way to do that, with something more similar to > "normal" Snort rules. I know there is a price to pay for this: I won't be > able to push the analysis so in depth as with a .so rule. But I believe a > user would prefer the rule to the C code...perhaps I'm wrong :) > > -- > Damiano Bolzoni > > [email protected] > Homepage http://dies.ewi.utwente.nl/~bolzonid/ > PGP public key http://dies.ewi.utwente.nl/~bolzonid/public_key.asc > Skype ID: [email protected] > > Distributed and Embedded Security Group - University of Twente > P.O. Box 217 7500AE Enschede, The Netherlands > Phone +31 53 4892477 > Mobile +31 629 008724 > ZILVERLING building, room 3013 > > > -- Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616 Sourcefire - Security for the Real World - http://www.sourcefire.com Snort: Open Source IDP - http://www.snort.org
