Snort mailing list archives
RE: Rules ordering question.
From: "Williams Jon" <WilliamsJon () JohnDeere com>
Date: Wed, 1 May 2002 08:56:46 -0500
[This information is to the best of my recollection. If someone more authoritative disagrees, they're probably right :-)]

The answer is "It Depends!" :-) Snort builds its internal rule order based on three things: the action, the chain headers and the chain options. Let's break it down a bit. Take the rules:

    alert tcp 1.1.1.1 80 -> 2.2.2.2 90 (msg: "Test message 1";)
    alert tcp 2.2.2.2 90 -> 1.1.1.1 80 (msg: "Test message 2";)
    log tcp 3.3.3.3 80 -> 4.4.4.4 80 (flags: A+; content: "X";)
    alert tcp 1.1.1.1 80 -> 2.2.2.2 90 (flags: A+;)
    |---| |--------------------------| |------------------------|
    action        chain header              chain options

When snort reads in this whole list, it first orders by the action (whether alert->pass->log or pass->alert->log if the -o flag is specified on the command line). Next, it takes the chain headers and builds a tree, based on the order read in from the configuration files. In this particular case, the tree would look like:

    alert tcp 1.1.1.1 80 -> 2.2.2.2 90
        msg: "Test message 1";
        flags: A+;
    alert tcp 2.2.2.2 90 -> 1.1.1.1 80
        msg: "Test message 2";
    log tcp 3.3.3.3 80 -> 4.4.4.4 80
        flags: A+; content: "X";

So far so good, right? This is where it starts getting tough. When you get into the snort.org ruleset, you get over 1000 rules, so now you've got to contend with not just the two rules you've got listed but also any other rules that have the chain header of "alert tcp $EXTERNAL_NET any -> $HOME_NET 80". Realistically, in order to know which, if any, of these two rules would fire, you'd have to build your tree, find the chain header, and read through the option nodes to see which shows up first. Also, you'd need to watch the rules above it in the path to make sure that there isn't a more generic rule that would take precedence. For example, if you had as your first rule in your conf file, a rule that read:

    alert any any -> any any (msg: "Just checking to see if snort works";)

Neither of your other rules would ever fire.
Incidentally, after hearing Marty talk about how the rule tree is built, I attempted to build a perl script to do this. If there's interest, I'll post what I've got for review. It's been useful to me in visualizing what will happen with my traffic, as well as understanding how rule ordering affects performance.

Jon

-----Original Message-----
From: larosa, vjay [mailto:larosa_vjay () emc com]
Sent: Tuesday, April 30, 2002 10:21 PM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] Rules ordering question.

Hello,

Question about rule ordering and placement. If I have two rules in two different rules files,

This alert is in web-iis.rules.

    alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Test Event 1"; flags:A+; content:"Test Message 1"; nocase; depth: 5; classtype:misc-activity; rev:1;)

This alert is in local.rules.

    alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Test Event 2"; flags:A+; content:"Test Message"; nocase; depth: 5; classtype:misc-activity; rev:1;)

The string is very similar, but the local.rules entry is missing the number "1" at the end of the string. What rule would fire first? How would snort determine the order in the chain for two very similar rules?

NOTE: This question is specifically about similar rules in DIFFERENT rules files. I don't want to just put the local.rules entry in to the web-iis.rules file above Test Event 1 rule.

Thanks!

vjl
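The ordering Jon describes (actions first, then chain headers grouped in the order they were read, then option nodes walked in order under a matching header) is modelled below in Python as an added example. This is not Jon's perl script and not Snort's own code: it is a deliberately small simulator that evaluates only msg, flags, content and nocase, treats every other option (depth, classtype, rev, ...) as matching, and matches addresses and ports by exact token or "any" rather than with CIDR or negation. The $EXTERNAL_NET / $HOME_NET values, the packets and the pass rule are constructed; the two poster's rules are copied from the question with depth removed.

```python
"""Simplified model of the Snort rule tree ordering described in this thread.

Added example, not Snort code. Only the action / chain header / chain option
layering is modelled; only msg, flags, content and nocase are evaluated.
"""
import re
from dataclasses import dataclass

ACTION_ORDER_DEFAULT = ("alert", "pass", "log")  # default ordering
ACTION_ORDER_WITH_O = ("pass", "alert", "log")   # ordering with "snort -o"

# Constructed stand-ins for the snort.conf variables (no CIDR or negation here).
VARS = {"$EXTERNAL_NET": "any", "$HOME_NET": "10.1.1.5"}

RULE_RE = re.compile(
    r"^(?P<action>alert|pass|log)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")


@dataclass
class Rule:
    action: str
    header: tuple      # (proto, src, sport, dst, dport) after variable expansion
    options: dict      # option keyword -> value ("" for bare keywords like nocase)
    text: str


def parse_rule(line, variables=VARS):
    """Split one rule into action, chain header and chain options."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("not a rule: " + line)
    f = m.groupdict()
    header = tuple(variables.get(f[k], f[k]) for k in ("proto", "src", "sport", "dst", "dport"))
    options = {}
    for chunk in f["opts"].split(";"):
        chunk = chunk.strip()
        if chunk:
            key, _, value = chunk.partition(":")
            options[key.strip()] = value.strip().strip('"')
    return Rule(f["action"], header, options, line.strip())


def build_tree(rules, o_flag=False):
    """Return (action_order, {action: [(header, [option nodes in read order]), ...]})."""
    order = ACTION_ORDER_WITH_O if o_flag else ACTION_ORDER_DEFAULT
    tree = {action: [] for action in order}
    for rule in rules:                      # rules arrive in configuration-file order
        chains = tree[rule.action]
        for header, nodes in chains:
            if header == rule.header:       # known chain header: append an option node
                nodes.append(rule)
                break
        else:
            chains.append((rule.header, [rule]))  # new chain header goes to the end
    return order, tree


def header_matches(header, pkt):
    proto, src, sport, dst, dport = header
    pairs = ((proto, pkt["proto"]), (src, pkt["src"]), (sport, str(pkt["sport"])),
             (dst, pkt["dst"]), (dport, str(pkt["dport"])))
    return all(want == "any" or want == have for want, have in pairs)


def options_match(options, pkt):
    if "flags" in options:
        spec = options["flags"]
        wanted = set(spec.rstrip("+"))          # "A+" = ACK set, other bits don't care
        if spec.endswith("+"):
            if not wanted <= pkt["flags"]:
                return False
        elif wanted != pkt["flags"]:
            return False
    if "content" in options:
        needle, hay = options["content"], pkt["payload"]
        if "nocase" in options:
            needle, hay = needle.lower(), hay.lower()
        if needle not in hay:
            return False
    return True   # msg, classtype, rev, depth, ... are not evaluated in this model


def first_match(rules, pkt, o_flag=False):
    """Walk the tree in Snort's order and return the first rule that fires, or None."""
    order, tree = build_tree(rules, o_flag)
    for action in order:
        for header, nodes in tree[action]:
            if header_matches(header, pkt):
                for rule in nodes:
                    if options_match(rule.options, pkt):
                        return rule
    return None


def demo():
    """Constructed scenario: the poster's two rules as read (web-iis.rules first)."""
    web_iis = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Test Event 1"; flags:A+; '
               'content:"Test Message 1"; nocase; classtype:misc-activity; rev:1;)')
    local = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Test Event 2"; flags:A+; '
             'content:"Test Message"; nocase; classtype:misc-activity; rev:1;)')
    catch_all = 'alert tcp any any -> any any (msg:"Just checking to see if snort works";)'
    pass_all = 'pass tcp any any -> any any (msg:"pass everything";)'
    rules = [parse_rule(web_iis), parse_rule(local)]
    pkt = {"proto": "tcp", "src": "192.0.2.7", "sport": 34567, "dst": "10.1.1.5",
           "dport": 80, "flags": {"A", "P"}, "payload": "Test Message 1 GET / HTTP/1.0"}
    msg = lambda r: r.options["msg"] if r else None
    return {
        "exact": msg(first_match(rules, pkt)),                           # Test Event 1
        "prefix_only": msg(first_match(rules, dict(pkt, payload="test message 2"))),
        "shadowed": msg(first_match([parse_rule(catch_all)] + rules, pkt)),
        "no_ack": msg(first_match(rules, dict(pkt, flags={"S"}))),       # None
        "default_order": msg(first_match(rules + [parse_rule(pass_all)], pkt)),
        "with_o_flag": msg(first_match(rules + [parse_rule(pass_all)], pkt, o_flag=True)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14s} -> {result}")
```

Both rules land under the same chain header, so which one fires is decided purely by read order: the web-iis.rules node is checked first and wins whenever its longer content matches, and the local.rules node only fires when the payload lacks the trailing "1". Prepending the catch-all puts a more generic chain header ahead of both, and the pass rule illustrates why -o changes the outcome: with the default order the alert chains are walked before the pass chains.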
Current thread:
- Rules ordering question. larosa, vjay (Apr 30)
- <Possible follow-ups>
- RE: Rules ordering question. Williams Jon (May 01)
- RE: Rules ordering question. Williams Jon (May 02)