Snort mailing list archives

RE: Problems with the ordering inside the rules


From: "Adams, Samuel (contractor)" <AdamsS () eur disa mil>
Date: Thu, 6 Nov 2003 19:49:35 -0000

If I'm interpreting your question correctly, you're asking why you get
different results with

    pass tcp $EXTERNAL_NET any -> $DMZ_NETSCAPE_POP_SERVERS 110 ( sid:
1000010; rev: 1; msg: "POP3 TOP overflow attempt"; flow:
to_server,established; content: "TOP"; nocase; content: !"|0a|"; within: 10;
classtype: attempted-admin;)
    alert tcp $EXTERNAL_NET any -> $HOME_NET 110 ( sid: 2109; rev: 1; msg:
"POP3 TOP overflow attempt"; flow: to_server,established; content: !"|0a|";
within: 10; content: "TOP"; nocase; classtype: attempted-admin;)
  
as opposed to:
    pass tcp $EXTERNAL_NET any -> $DMZ_NETSCAPE_POP_SERVERS 110 ( sid:
1000010; rev: 1; msg: "POP3 TOP overflow attempt"; flow:
to_server,established; content: !"|0a|"; within: 10; content: "TOP"; nocase;
classtype: attempted-admin;)
    alert tcp $EXTERNAL_NET any -> $HOME_NET 110 ( sid: 2109; rev: 1; msg:
"POP3 TOP overflow attempt"; flow: to_server,established; content: !"|0a|";
within: 10; content: "TOP"; nocase; classtype: attempted-admin;)

Is that right? Generally I don't believe the ordering of content modifiers
matters. However, in this case you're using the within keyword. That makes
the order important.

This rule
alert tcp $EXTERNAL_NET any -> $DMZ_NETSCAPE_POP_SERVERS 110 ( sid: 1000010;
rev: 1; msg: "POP3 TOP overflow attempt"; flow: to_server,established;
content: "TOP"; nocase; content: !"|0a|"; within: 10; classtype:
attempted-admin;)

translated (roughly) into English:
- If we see "TOP" and there isn't a return character within 10 bytes -
generate an alert

This rule 
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 ( sid: 2109; rev: 1; msg: "POP3
TOP overflow attempt"; flow: to_server,established; content: !"|0a|";
within: 10; content: "TOP"; nocase; classtype: attempted-admin;)

also translated (roughly) into English:
- If we see something other than a return character and there is a "TOP"
string within 10 bytes (and no return characters in between) - generate an
alert

I don't think the change you made will do what you want. You've modified the
alert criteria of the signature and end up looking for something different
and probably not very exciting. I think you would be better off making your
alert rule look like your first pass rule. The rule combination that will
probably achieve what you are looking for is:

    pass tcp $EXTERNAL_NET any -> $DMZ_NETSCAPE_POP_SERVERS 110 ( sid:
1000010; rev: 1; msg: "POP3 TOP overflow attempt"; flow:
to_server,established; content: "TOP"; nocase; content: !"|0a|"; within: 10;
classtype: attempted-admin;)
    alert tcp $EXTERNAL_NET any -> $DMZ_NETSCAPE_POP_SERVERS 110 ( sid:
1000010; rev: 1; msg: "POP3 TOP overflow attempt"; flow:
to_server,established; content: "TOP"; nocase; content: !"|0a|"; within: 10;
classtype: attempted-admin;)

Hope this helps.
Sam
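To make the point above concrete, here is an added example (not code from the thread, from snortcenter, or from Snort itself) that models Snort 2's content chaining in Python: each modifier binds to the content option just before it, and `within` restricts the next search to a window starting at the end of the previous match. The two rule bodies from the thread are evaluated against constructed POP3 payloads, and a `verdict` helper mimics the `-o` pass-before-alert ordering; it assumes that a `within` on the first content is measured from the start of the payload.

```python
# Model of how Snort 2 chains content options: a modifier binds to the content just
# before it; 'within' searches a window from the end of the previous match (offset 0 assumed here when nothing has matched yet).
RULE_A = ('pass tcp $EXTERNAL_NET any -> $DMZ_NETSCAPE_POP_SERVERS 110 ( sid: 1000010; '
          'rev: 1; msg: "POP3 TOP overflow attempt"; flow: to_server,established; '
          'content: "TOP"; nocase; content: !"|0a|"; within: 10; classtype: attempted-admin;)')
RULE_B = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 110 ( sid: 2109; rev: 1; '
          'msg: "POP3 TOP overflow attempt"; flow: to_server,established; '
          'content: !"|0a|"; within: 10; content: "TOP"; nocase; classtype: attempted-admin;)')

# Constructed POP3 client payloads (not taken from the thread).
BENIGN = b"TOP 1 10\r\n"                    # normal command, line ending right after it
OVERLONG = b"TOP " + b"A" * 40              # 40-byte argument with no line ending
PIPELINED = b"USER alice\r\nTOP 1 0\r\n"    # 10 bytes without a newline, then a normal TOP

def parse_contents(rule):
    """Return the rule's content options, in order, with their bound modifiers."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    contents = []
    for opt in body.split(";"):
        key, _, val = (s.strip() for s in opt.strip().partition(":"))
        if key == "content":
            raw = val.lstrip("!").strip().strip('"')
            # odd-numbered pieces between '|' are hex byte strings, e.g. |0a|
            pat = b"".join(bytes.fromhex(p) if i % 2 else p.encode()
                           for i, p in enumerate(raw.split("|")))
            contents.append({"pat": pat, "neg": val.startswith("!"),
                             "nocase": False, "within": None})
        elif key == "nocase":
            contents[-1]["nocase"] = True      # modifies the preceding content only
        elif key == "within":
            contents[-1]["within"] = int(val)
    return contents

def rule_matches(rule, payload):
    """Evaluate the content chain against one payload; True means the rule fires."""
    cursor = 0                                 # end of the previous positive match
    for c in parse_contents(rule):
        hay, pat = (payload.lower(), c["pat"].lower()) if c["nocase"] else (payload, c["pat"])
        end = len(hay) if c["within"] is None else cursor + c["within"]
        pos = hay.find(pat, cursor, end)
        if (pos != -1) == c["neg"]:            # negated pattern found, or required one missing
            return False
        if not c["neg"]:
            cursor = pos + len(pat)            # relative modifiers that follow start here
    return True

def verdict(pass_rule, alert_rule, payload):   # mimics 'snort -o': pass before alert
    if rule_matches(pass_rule, payload):
        return "pass"
    return "alert" if rule_matches(alert_rule, payload) else "none"
```

With the pass rule in one order and the alert rule in the other, a normal pipelined session (`PIPELINED`) is not matched by the pass rule but is matched by the alert rule, which is why the pass rule appeared to be ignored.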

-----Original Message-----
From: Sergio Talens-Oliag [mailto:stalens () infocentre gva es]
Sent: Tuesday, October 28, 2003 10:21 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Problems with the ordering inside the rules


  Hello everybody,

  I don't know if this problem has been reported before or if there's
  something we're doing wrong, so I'll ask here to see if someone can
  help us understand what is happening.

  We have snort running on a couple of sensors configured to work from a
  snortcenter console; the sensors are started using the '-o' option so
  rules get evaluated in 'pass -> alert -> log' order.
  
  When an active rule throws a lot of alerts because it is detecting
  some legitimate traffic as an attack (and we know that in other cases
  it is) we copy the affected alert rule and turn it into a pass rule,
  changing the variable(s) to ignore only the valid cases.

  Everything has worked fine until last week, when we modified a 'pass'
  rule twice on the snortcenter's console and now it generates the
  resulting rule changing the order of the 'content' fields. Now, the
  pass rule is ignored and we are again receiving the alerts from the
  original rule.
  
  The affected rule is:

    pass tcp $EXTERNAL_NET any -> $DMZ_NETSCAPE_POP_SERVERS 110 ( sid:
1000010; rev: 1; msg: "POP3 TOP overflow attempt"; flow:
to_server,established; content: "TOP"; nocase; content: !"|0a|"; within: 10;
classtype: attempted-admin;)
    alert tcp $EXTERNAL_NET any -> $HOME_NET 110 ( sid: 2109; rev: 1; msg:
"POP3 TOP overflow attempt"; flow: to_server,established; content: !"|0a|";
within: 10; content: "TOP"; nocase; classtype: attempted-admin;)
  
  We've changed the order on the sensor's rules file as follows and
  everything works as expected:

    pass tcp $EXTERNAL_NET any -> $DMZ_NETSCAPE_POP_SERVERS 110 ( sid:
1000010; rev: 1; msg: "POP3 TOP overflow attempt"; flow:
to_server,established; content: !"|0a|"; within: 10; content: "TOP"; nocase;
classtype: attempted-admin;)
    alert tcp $EXTERNAL_NET any -> $HOME_NET 110 ( sid: 2109; rev: 1; msg:
"POP3 TOP overflow attempt"; flow: to_server,established; content: !"|0a|";
within: 10; content: "TOP"; nocase; classtype: attempted-admin;)

  So, our question is:
  
    Is there a strict ordering needed in the content attributes or not?
 
  If it is, there is a bug in snortcenter; if it is not, there is a bug
  in snort.

  Thanks in advance,

    Sergio.
  
-- 
Sergio Talens-Oliag <stalens () infocentre gva es>             Info Centre
Key fingerprint = 29DF 544F  1BD9 548C  8F15 86EF  6770 052B  B8C1 FA69
