Snort mailing list archives
Re: 3 questions on rules
From: Erek Adams <erek () snort org>
Date: Thu, 15 May 2003 13:44:16 -0400 (EDT)
On Thu, 15 May 2003 Garrett.Allen () ser com wrote:
Making haste slowly with snort. Getting tons (U.S., not metric) of alerts, so trying to winnow out the chaff. Presently have a snort 2.0.0 (build 72) install running on a RH 8 Linux distribution, upgraded from snort 1.9.1. 1. Looking at the snort signature db I see that for sid 2102, netbios smb smb_com_transaction max data count of 0 dos attempt, the summary section states "this rule has been deprecated due to an inordinately large number of false positives." In the netbios.rules, however, I still see the rule, so either 1. I have the wrong rules or 2. I should remove it as it is deprecated and generating a lot of unneeded alarms. I haven't approached rule writing, so is there a good howto available if I need to go this route (or is it as simple as deleting the appropriate lines)?
You don't have the wrong rules. That rule is enabled in the default ruleset. Yes, it does say 'deprecated', but I don't know if it should be removed or what. That would be one for our Benevolent Rule Nazi, Brian. :) If it's generating a lot of falsies, then you might just want to comment it out by placing a # in front of alert. If you do that, just be sure to remember that when you update your rules, or else you'll be right back where you started. Rule writing doc? Easy. Right here [0].
2. Is there a way to determine the version of rules that are in use? I checked a couple of files and didn't see anything that would indicate a version.
Not for the rules as a whole. There is however a 'Revision' inside of each rule. If you have an older revision, then there's a newer rule. :) BUT, don't just update crazily. Make sure you have the right rules for the right version. As Snort grows and changes, there are changes to the rules language that may not work the same or even be present in different versions of Snort. If you really want to keep tabs on the rules, sign up for the snort-sigs list. That's where all things rule related will be...
3. I checked the snort signature database but did not see an explanation for p2p gnutella get. It has a low severity but again I get tons of them. Any help on understanding this would be appreciated.
alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"P2P GNUTella GET"; flow:to_server,established; content:"GET "; offset:0; depth:4; classtype:policy-violation; sid:1432; rev:4;)

Basically that looks for a 'GET ' in a packet that's not on port 80. The packet must also be headed 'to_server' and be part of an established connection (three-way handshake is completed). The 'GET ' must also be within the first 4 bytes of the packet.

Hope that helps!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson

[0] http://www.snort.org/docs/writing_rules/
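The three points in the reply above (commenting a noisy rule out by sid, reading the per-rule `rev` because the rules files carry no global version, and the `content`/`offset`/`depth`/port logic that makes sid 1432 fire) can be illustrated with a small rule-file helper. This is an added example, not code from the thread or from Snort itself; the rules excerpt and the packet payloads are constructed for the example, and the sid 2102 rule body below is made up apart from its `msg` (only its sid and message come from the thread). The matcher handles only a single port or a single negated port in the destination-port field, which is all these two rules use.

```python
"""Added example: parse a Snort 2.0-style rules file, disable a rule by sid,
compare per-rule revisions, and replay the sid 1432 match logic on packets.
Rule text and packets are constructed for this example."""
import re
from dataclasses import dataclass, field

# Constructed excerpt. The sid 2102 option body is illustrative only.
RULES_TEXT = """\
# constructed excerpt of netbios.rules / p2p.rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt"; flow:to_server,established; classtype:attempted-dos; sid:2102; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"P2P GNUTella GET"; flow:to_server,established; content:"GET "; offset:0; depth:4; classtype:policy-violation; sid:1432; rev:4;)
"""

RULE_RE = re.compile(
    r'^(?P<disabled>#\s*)?alert\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)'
    r'\s*->\s*(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')


@dataclass
class Rule:
    sid: int
    rev: int
    enabled: bool
    dport: str
    options: dict = field(default_factory=dict)


def parse_options(opts: str) -> dict:
    """Split 'k:v; k:v; flag;' into a dict, dropping the quotes around values."""
    out = {}
    for part in opts.split(';'):
        part = part.strip()
        if not part:
            continue
        if ':' in part:
            key, value = part.split(':', 1)
            out[key.strip()] = value.strip().strip('"')
        else:
            out[part] = True
    return out


def parse_rules(text: str) -> dict:
    """Return {sid: Rule} for every (possibly commented-out) alert line."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        opts = parse_options(m.group('opts'))
        sid = int(opts['sid'])
        rules[sid] = Rule(sid, int(opts.get('rev', 0)), m.group('disabled') is None,
                          m.group('dport'), opts)
    return rules


def disable_sid(text: str, sid: int) -> str:
    """Comment out the rule with the given sid by prefixing '# ' (the fix from the reply)."""
    out = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m and not m.group('disabled') and int(parse_options(m.group('opts'))['sid']) == sid:
            line = '# ' + line
        out.append(line)
    return '\n'.join(out) + '\n'


def newer_revisions(local_text: str, upstream_text: str) -> list:
    """Sids whose upstream 'rev' is higher than the local one (no global rules version exists)."""
    local, upstream = parse_rules(local_text), parse_rules(upstream_text)
    return sorted(sid for sid, r in upstream.items() if sid in local and r.rev > local[sid].rev)


def port_matches(spec: str, port: int) -> bool:
    """'any', a single port, or a single negated port such as '!80'."""
    if spec == 'any':
        return True
    if spec.startswith('!'):
        return port != int(spec[1:])
    return port == int(spec)


def rule_fires(rule: Rule, payload: bytes, dst_port: int,
               established: bool = True, to_server: bool = True) -> bool:
    """Apply the port, flow, and content/offset/depth checks of one rule to one packet.
    depth is relative to offset, so depth:4 with a 4-byte content pins it to offset 0."""
    if not rule.enabled or not port_matches(rule.dport, dst_port):
        return False
    flow = rule.options.get('flow', '')
    if 'established' in flow and not established:
        return False
    if 'to_server' in flow and not to_server:
        return False
    if 'content' not in rule.options:
        return True
    content = rule.options['content'].encode()
    offset = int(rule.options.get('offset', 0))
    window = payload[offset:offset + int(rule.options['depth'])] if 'depth' in rule.options \
        else payload[offset:]
    return content in window


if __name__ == '__main__':
    rules = parse_rules(RULES_TEXT)
    print({sid: (r.rev, r.enabled) for sid, r in rules.items()})
    print(rule_fires(rules[1432], b'GET /get/1/song.mp3 HTTP/1.1\r\n', 6346))  # not port 80: fires
    print(rule_fires(rules[1432], b'GET /index.html HTTP/1.1\r\n', 80))         # port 80: silent
```

Running it prints the sid/rev table, then `True` for a constructed Gnutella-style GET to port 6346 and `False` for the same request to port 80; a payload where `GET ` begins after byte 0 also stays silent, because `depth:4` leaves no room for it anywhere else.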