Snort mailing list archives
RE: Problems with the ordering inside the rules
From: "Adams, Samuel (contractor)" <AdamsS () eur disa mil>
Date: Thu, 6 Nov 2003 19:49:35 -0000
If I'm interpreting your question correctly, you're asking why you get different results with pass tcp $EXTERNAL_NET any -> $DMZ_NETSCAPE_POP_SERVERS 110 ( sid: 1000010; rev: 1; msg: "POP3 TOP overflow attempt"; flow: to_server,established; content: "TOP"; nocase; content: !"|0a|"; within: 10; classtype: attempted-admin;) alert tcp $EXTERNAL_NET any -> $HOME_NET 110 ( sid: 2109; rev: 1; msg: "POP3 TOP overflow attempt"; flow: to_server,established; content: !"|0a|"; within: 10; content: "TOP"; nocase; classtype: attempted-admin;) as opposed to: pass tcp $EXTERNAL_NET any -> $DMZ_NETSCAPE_POP_SERVERS 110 ( sid: 1000010; rev: 1; msg: "POP3 TOP overflow attempt"; flow: to_server,established; content: !"|0a|"; within: 10; content: "TOP"; nocase; classtype: attempted-admin;) alert tcp $EXTERNAL_NET any -> $HOME_NET 110 ( sid: 2109; rev: 1; msg: "POP3 TOP overflow attempt"; flow: to_server,established; content: !"|0a|"; within: 10; content: "TOP"; nocase; classtype: attempted-admin;) Is that right? Generally I don't believe the ordering of content modifiers matters. However, in this case you're using the within keyword. That makes the order important. This rule alert tcp $EXTERNAL_NET any -> $DMZ_NETSCAPE_POP_SERVERS 110 ( sid: 1000010; rev: 1; msg: "POP3 TOP overflow attempt"; flow: to_server,established; content: "TOP"; nocase; content: !"|0a|"; within: 10; classtype: attempted-admin;) translated (roughly) into english - If we see "TOP" and there isn't a return character within 10 bytes - generate an alert This rule alert tcp $EXTERNAL_NET any -> $HOME_NET 110 ( sid: 2109; rev: 1; msg: "POP3 TOP overflow attempt"; flow: to_server,established; content: !"|0a|"; within: 10; content: "TOP"; nocase; classtype: attempted-admin;) also translated (roughly) into english - If we see something other than a return character and there is a "TOP" string within 10 bytes (and no return characters in between) generate an alert I don't think the change you made will do what you want. You've modified the alert criteria of the signature and end up looking for something different and probably not very exciting. I think you would be better off making your alert rule look like your first pass rule. The rule combination that will probably achieve what you are looking for is: pass tcp $EXTERNAL_NET any -> $DMZ_NETSCAPE_POP_SERVERS 110 ( sid: 1000010; rev: 1; msg: "POP3 TOP overflow attempt"; flow: to_server,established; content: "TOP"; nocase; content: !"|0a|"; within: 10; classtype: attempted-admin;) alert tcp $EXTERNAL_NET any -> $DMZ_NETSCAPE_POP_SERVERS 110 ( sid: 1000010; rev: 1; msg: "POP3 TOP overflow attempt"; flow: to_server,established; content: "TOP"; nocase; content: !"|0a|"; within: 10; classtype: attempted-admin;) Hope this helps. Sam -----Original Message----- From: Sergio Talens-Oliag [mailto:stalens () infocentre gva es] Sent: Tuesday, October 28, 2003 10:21 AM To: snort-users () lists sourceforge net Subject: [Snort-users] Problems with the ordering inside the rules Hello everybody, I don't know if this problem has been reported before or if there's something we're doing wrong, so I'll ask here to see if someone can help us understand what is happening. We have snort running on a couple of sensors configured to work from a snortcenter console, the sensors are started using the '-o' option so rules get evaluated in 'pass -> alert -> log' order. When an active rule throws a lot of alerts because it is detecting some legitimate traffic as an attack (and we know that in other cases it is) we copy the affected alert rule and turn it into a pass rule, changing the variable(s) to ignore only the valid cases. Everything has worked fine until last week when we modified twice a 'pass' rule on the snorcenter's console and now it generates the resulting rule changing the order of the 'content' fields. Now, the pass rule is ignored and we are again reciving the alerts from the original rule. The affected rule is: pass tcp $EXTERNAL_NET any -> $DMZ_NETSCAPE_POP_SERVERS 110 ( sid: 1000010; rev: 1; msg: "POP3 TOP overflow attempt"; flow: to_server,established; content: "TOP"; nocase; content: !"|0a|"; within: 10; classtype: attempted-admin;) alert tcp $EXTERNAL_NET any -> $HOME_NET 110 ( sid: 2109; rev: 1; msg: "POP3 TOP overflow attempt"; flow: to_server,established; content: !"|0a|"; within: 10; content: "TOP"; nocase; classtype: attempted-admin;) We've changed the order on the sensor's rules file as follows and everything works as expected: pass tcp $EXTERNAL_NET any -> $DMZ_NETSCAPE_POP_SERVERS 110 ( sid: 1000010; rev: 1; msg: "POP3 TOP overflow attempt"; flow: to_server,established; content: !"|0a|"; within: 10; content: "TOP"; nocase; classtype: attempted-admin;) alert tcp $EXTERNAL_NET any -> $HOME_NET 110 ( sid: 2109; rev: 1; msg: "POP3 TOP overflow attempt"; flow: to_server,established; content: !"|0a|"; within: 10; content: "TOP"; nocase; classtype: attempted-admin;) So, our question is: Is there a strict ordering needed in the content attributes or not? If it is, there is a bug in snortcenter; if it is not, there is a bug in snort. Thanks in advance, Sergio. -- Sergio Talens-Oliag <stalens () infocentre gva es> Info Centre Key fingerprint = 29DF 544F 1BD9 548C 8F15 86EF 6770 052B B8C1 FA69 ------------------------------------------------------- This SF.net email is sponsored by: The SF.net Donation Program. Do you like what SourceForge.net is doing for the Open Source Community? Make a contribution, and help us add new features and functionality. Click here: http://sourceforge.net/donate/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users ------------------------------------------------------- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Problems with the ordering inside the rules Sergio Talens-Oliag (Oct 28)
- Re: Problems with the ordering inside the rules Brian (Nov 06)
- <Possible follow-ups>
- RE: Problems with the ordering inside the rules Adams, Samuel (contractor) (Nov 06)
- Re: Problems with the ordering inside the rules Sergio Talens-Oliag (Nov 07)