Snort mailing list archives
Dangerous to use custom ruletypes?
From: Martin Olsson <elof () sentor se>
Date: Wed, 14 May 2003 18:54:25 +0200 (CEST)
Is it dangerous to use custom ruletypes? I just discovered that when you define your own ruletypes, they are put LAST in the chain of rules. Here is an example of the output when I run snort with the -o option (pass rules first): Rule application order: ->pass->activation->dynamic->alert->log->panic I have created a ruletype named "panic" where I have put all my critical rules. As you can see, "panic" is placed at the end of the rule-chain. Does this mean that if I have some more generic alert-rule that matches the packet, it won't make it to the panic-rule? Right now I'm using the latest snort-rules as well as my own panic-rules. What worries me is that some of the snort-rules, say rule #1113, might trigger on the simple pattern "../", while my panic-rule would have triggered on the same packet. Instead of getting my own alert-message with detailed information I just get a "WEB-MISC http directory traversal". Say it isn't so! (run on snort 1.9.1 on FreeBSD 4.7) Martin Olsson Sentor AB, Sweden ------------------------------------------------------- Enterprise Linux Forum Conference & Expo, June 4-6, 2003, Santa Clara The only event dedicated to issues related to Linux enterprise solutions www.enterpriselinuxforum.com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Dangerous to use custom ruletypes? Martin Olsson (May 14)
- Re: Dangerous to use custom ruletypes? Erek Adams (May 14)
- Re: Dangerous to use custom ruletypes? Martin Olsson (May 14)
- <Possible follow-ups>
- Re: Dangerous to use custom ruletypes? Neil Dickey (May 14)
- Re: Dangerous to use custom ruletypes? Erek Adams (May 14)