RE: Rule order--almost works?

["Ron Shuck" <rshuck () Buchanan com>]

Hi,

I found a similar issue. In my testing I found that changing the order
caused some ICMP rules to trigger on the "catch all" or "bad code" rules
instead. I posted this without a response. I am only seeing a problem
with ICMP, and I have not had time to look into it further.

BTW, I posted to the snort-devel list and Marty personally without
response, so if you find anything, let me know. I will do the same.

Best Regards,

Ron Shuck, CISSP, GCIA, CCSE - Managing Consultant 
Buchanan Associates - A Technology Company in the People Business 
http://www.buchanan.com 
http://www.isc2.org
http://www.giac.org


-----Original Message-----
Message: 10
Date: Wed, 21 May 2003 11:28:50 -0400 (EDT)
From: JP Vossen <vossenjp () netaxs com>
To: Snort Users List <snort-users () lists sourceforge net>
Subject: [Snort-users] Rule order--almost works?


About a month ago I posted a question about rule order but I go no
response [0].  I have since *almost* gotten it working.  The improved
rules engine in Snort 2 makes it even harder to figure out which rule is
going to be triggered in a situation where there are similar rules, so I
was stuck for a while. Then I got an idea from Jeff Posluns Policy-Based
IDS material in chapter 12 of the Snort v2 book.  I created custom rule
types and used the config order directive to force the order I wanted.
It *almost* works!

The problem now is that every time one of my "outgoing" rules should
trigger, I get a "catch all" instead.  Yet the "incoming" rules (with
and w/o payload) seem to be working fine.  I'm very confused, can anyone
help?

It's Snort 2.0.0 (Build 72) on Red Hat 8 with RH kernel 2.4.18-27.8.0 on
an unnumbered interface.  The relevant sections of the snort.conf are
below.  The idea here is to capture EVERYTHING in a honeypot
environment, while using descriptive rules so that viewing in ACID makes
a little more sense.  Once this part is working right I'll add the
snort.org rules back in to the mix under the theory that they will match
first and find the really interesting stuff and they anything not
matched by them will fall through to my custom rules.

So, anyone have ny idea why outgoing rules are failing?  Anything else
I'm doing wrong?

TIA,
JP

[0] http://marc.theaimsgroup.com/?l=snort-users&m=105116419718599&w=2


----- Cut here -----

#var HOME_NET 10.1.1.0/24
var HOME_NET 66.xxx.xxx.115/32
#var EXTERNAL_NET any
var EXTERNAL_NET !$HOME_NET

## Preprocessor Support
## --------------------
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode
iis_flip_slash full_whitespace preprocessor rpc_decode: 111 32771
preprocessor bo preprocessor stream4: detect_scans,
disable_evasion_alerts preprocessor stream4_reassemble #preprocessor
portscan: $HOME_NET 4 3 portscan.log #preprocessor portscan-ignorehosts:
0.0.0.0 #preprocessor conversation: allowed_ip_protocols all, timeout
60, max_conversations 3000 #preprocessor portscan2: scanners_max 256,
targets_max 1024, target_limit 5, port_limit 20, timeout 60 preprocessor
frag2 preprocessor telnet_decode

## Output Modules
## --------------
output database: alert, mysql, dbname=snort host=xxxxxx user=snort
password=xxxxxxxxxx sensor_name=Snorter2_JP detail=full ignore_bpf=yes

## Custom Rules
## ------------
#ruletype redalert
#{
# type alert
# output alert_syslog: LOG_AUTH LOG_ALERT
# output database: log, mysql, user=snort dbname=snort host=localhost #}

# Custom rule to allow rule ordering so that rules trigger in the order
needed. ruletype payload {  type alert  output database: alert, mysql,
dbname=snort host=xxxxxx user=snort password=xxxxxxxxxx
sensor_name=Snorter2_JP detail=full ignore_bpf=yes }

# Custom rule to allow rule ordering so that rules trigger in the order
needed. ruletype handshake {  type alert  output database: alert, mysql,
dbname=snort host=xxxxxx user=snort password=xxxxxxxxxx
sensor_name=Snorter2_JP detail=full ignore_bpf=yes }

# Custom rule to allow rule ordering so that rules trigger in the order
needed. ruletype catchall {  type alert  output database: alert, mysql,
dbname=snort host=xxxxxx user=snort password=xxxxxxxxxx
sensor_name=Snorter2_JP detail=full ignore_bpf=yes }

## Command Line Options
## --------------------
config reference_net: 66.xxx.xxx.115/32
config alert_with_interface_name
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_ttcp_alerts
config disable_tcpopt_alerts
config disable_ipopt_alerts
config detection: search-method mwm

# Custom rule ordering so that rules trigger in the order needed. config
order: alert log payload handshake catchall

payload icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"HPT-Incoming
ICMP";
session: printable; sid:1000004;)
payload icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"HPT-Outgoing
ICMP";
session: printable; sid:1000005;)
payload udp $EXTERNAL_NET any -> $HOME_NET any (msg:"HPT-Incoming UDP";
session: printable; sid:1000006;)
payload udp $HOME_NET any -> $EXTERNAL_NET any (msg:"HPT-Outgoing UDP";
session: printable; sid:1000007;)
payload tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"HPT-Incoming TCP
with payload"; dsize:>0; session: printable; sid:1000008;) payload tcp
$HOME_NET any -> $EXTERNAL_NET any (msg:"HPT-Outgoing TCP with payload";
dsize:>0; session: printable; sid:1000009;)

handshake tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"HPT-Incoming TCP
no payload"; dsize:0; sid:1000010;) handshake tcp $HOME_NET any ->
$EXTERNAL_NET any (msg:"HPT-Outgoing TCP no payload"; dsize:0;
sid:1000011;)

catchall icmp any any -> any any (msg:"HPT-Catch All ICMP"; session:
printable; sid:1000012;) catchall tcp any any -> any any (msg:"HPT-Catch
All TCP"; session: printable;
sid:1000013;)
catchall udp any any -> any any (msg:"HPT-Catch All UDP"; session:
printable;
sid:1000014;)
catchall ip any any -> any any (msg:"HPT-Catch All IP"; session:
printable;
sid:1000015;)

------------------------------|:::======|-------------------------------
------------------------------|-
JP Vossen, CISSP              |:::======|
jp () jpsdomain org
My Account, My Opinions       |=========|
http://www.jpsdomain.org/
------------------------------|=========|-------------------------------
------------------------------|-
"The software said it requires Windows XP or better, so I installed
Linux..."




--__--__--

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users


End of Snort-users Digest


-------------------------------------------------------
This SF.net email is sponsored by: ObjectStore.
If flattening out C++ or Java code to make your application fit in a
relational database is painful, don't do it! Check out ObjectStore.
Now part of Progress Software. http://www.objectstore.net/sourceforge
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users