Compiling Shared Object Rules

Recall that unlike the general ruleset, Snort shared object rules need to be compiled from source and installed, or installed from precompiled versions provided with the VRT package. To perform this installation, make sure that the dynamicdetection directory declaration has been set correctly in snort.conf, and then use Snort to generate the rules files and put them in the right place. When the command below is executed, Snort retrieves the location of the source files for the shared object rules from snort.conf, and writes the output to the location you specify in the command line.

  1. Switch to the directory where Snort is installed: # cd /usr/local/bin
  2. Run Snort with the “dump dynamic rules” option to install the shared object rules: # snort -c /etc/snort/snort.conf --dump-dynamic-rules=/etc/snort/so_rules
  3. You should see a message at the end of the Snort output on screen that says “Finished dumping dynamic rules.” At this point, you can look in the /etc/snort/so_rules directory and you should see a set of rules files, verifying that they have been installed. Note that these files have the same names as some of the regular rules files in /etc/snort/rules – this is why we installed them in a different directory.
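The three steps above, wrapped in a small POSIX shell script so that each check the text describes (the dynamicdetection directory declaration in snort.conf, Snort's "Finished dumping dynamic rules." message, and the name collision between so_rules and the regular rules directory) is done explicitly rather than by eye. This is an added example, not part of the original page or of the Snort project; it assumes the paths /etc/snort/snort.conf and /etc/snort/so_rules used above and a snort binary on PATH when actually run with --run. The rule file names in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example: scripted version of the shared object rule dump procedure.
# Assumed paths (from the text): /etc/snort/snort.conf, /etc/snort/rules, /etc/snort/so_rules.

# Print the path declared by "dynamicdetection directory <path>" in a snort.conf.
# Returns 1 (prints nothing) when the declaration is missing or commented out,
# which is the case the text says must be fixed before running the dump.
dynamicdetection_dir() {
    conf="$1"
    dir=$(awk '$1 == "dynamicdetection" && $2 == "directory" { print $3; exit }' "$conf")
    [ -n "$dir" ] || return 1
    printf '%s\n' "$dir"
}

# Run the dump exactly as in step 2 and succeed only if Snort printed its
# completion message; the caller decides what to do on failure.
dump_so_rules() {
    conf="$1"
    outdir="$2"
    mkdir -p "$outdir"
    snort -c "$conf" --dump-dynamic-rules="$outdir" 2>&1 \
        | grep -q 'Finished dumping dynamic rules'
}

# List .rules files in the shared object directory whose names also exist in the
# regular rules directory (the collision the text gives as the reason for
# keeping the two directories separate). Output is one file name per line.
so_rule_name_collisions() {
    so_dir="$1"
    rules_dir="$2"
    for f in "$so_dir"/*.rules; do
        [ -e "$f" ] || continue
        name=$(basename "$f")
        [ -e "$rules_dir/$name" ] && printf '%s\n' "$name"
    done
    return 0
}

# Only perform the real dump when explicitly asked, so the functions above can
# be exercised against constructed files without a Snort installation.
if [ "${1:-}" = "--run" ]; then
    conf=/etc/snort/snort.conf
    if ! dynamicdetection_dir "$conf" >/dev/null; then
        echo "no 'dynamicdetection directory' declaration in $conf; fix it first" >&2
        exit 1
    fi
    if dump_so_rules "$conf" /etc/snort/so_rules; then
        echo "shared object rules written to /etc/snort/so_rules"
        echo "files that share a name with /etc/snort/rules (expected, e.g. web-client.rules):"
        so_rule_name_collisions /etc/snort/so_rules /etc/snort/rules
    else
        echo "Snort did not report 'Finished dumping dynamic rules'; check its output" >&2
        exit 1
    fi
fi
```

Run it as `sh dump_so_rules.sh --run` from the Snort install directory; without --run it only defines the functions, which is useful for checking a snort.conf on a staging host before touching a sensor.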

You can now re-edit snort.conf, go to step 9, and un-comment any shared object rules you want to use.