Snort mailing list archives
Unsubscribe ...
From: Lyndon Tiu <ltiu () alumni sfu ca>
Date: Fri, 26 Nov 2004 07:12:51 -0800
Hello, I am sorry for asking the group how to unsubscribe; for some reason, the attached email from the group did not have anything at the bottom, AND I happened to pick this one when trying to find information on how to unsubscribe ....

-- Lyndon Tiu
--- Begin Message --- From: "Jacob, Raymond A Jr" <raymond.jacob () navy mil>
Date: Wed, 24 Nov 2004 17:31:48 -0500
There is a sensor between an edge router and the premises distribution router. Traffic from, say, 3 DMZs plus the intranet is captured by a snort ids. We would like to separate the alerts based on the DMZ network address of the alert. I had thought I could collect all the alerts in one database and create an acid.php script for each DMZ and create an acid database for each DMZ. While I would love the challenge, the mind is strong but the programming skills are weak. A senior administrator suggested that I define a ruletype for each DMZ.

Questions:

1. Assuming I have 2000 rules, if I were to implement the following for 3 DMZs I would have a total of 8000 rules. Would this many rules affect a snort ids sensor's performance? I realize that the answer to my question depends on how the rule lists are implemented. If the rules were in a linearly linked list I know the performance would be affected. In a Btree, where the more specific rule lists are tried first, then the time to access any rule should be constant and the performance should not be affected?

2. Is the syntax in my example snort.conf and snort rules correct?

3. Is there a better way to create rules that send alerts to a particular database based on the DMZ network address?
# Example excerpt of snort.conf

ruletype DMZ1_alert
{
    type alert
    output alert_syslog: LOG_AUTH LOG_ALERT
    output database: log, mysql, user=snort dbname=dmz1 host=localhost
}

ruletype DMZ2_alert
{
    type alert
    output alert_syslog: LOG_AUTH LOG_ALERT
    output database: log, mysql, user=snort dbname=dmz2 host=localhost
}

ruletype DMZ3_alert
{
    type alert
    output alert_syslog: LOG_AUTH LOG_ALERT
    output database: log, mysql, user=snort dbname=dmz3 host=localhost
}

# one network list per DMZ (each var defined once)
var DMZ1_NET [192.168.1.0/24,10.1.1.0/24]
var DMZ2_NET [192.168.2.0/24,10.1.2.0/24]
var DMZ3_NET [192.168.3.0/24,10.1.3.0/24]

var RULE_PATH /snort/rules

# subdirectory names under $RULE_PATH holding the per-DMZ copies of the rules
var DMZ1 DMZ1_NET
var DMZ2 DMZ2_NET
var DMZ3 DMZ3_NET

include $RULE_PATH/exploit.rules
include $RULE_PATH/$DMZ1/exploit.rules
include $RULE_PATH/$DMZ2/exploit.rules
include $RULE_PATH/$DMZ3/exploit.rules

----------------------------

Example of a few Snort Rules.

/snort/rules/exploit.rules

alert tcp any any -> any any (msg:"Possible exploit"; content:"|90|"; \
    offset:40; depth:75;)

/snort/rules/DMZ1_NET/exploit.rules

DMZ1_alert tcp any any -> $DMZ1_NET any (msg:"Possible exploit"; content:"|90|"; \
    offset:40; depth:75;)

/snort/rules/DMZ2_NET/exploit.rules

DMZ2_alert tcp any any -> $DMZ2_NET any (msg:"Possible exploit"; content:"|90|"; \
    offset:40; depth:75;)

/snort/rules/DMZ3_NET/exploit.rules

DMZ3_alert tcp any any -> $DMZ3_NET any (msg:"Possible exploit"; content:"|90|"; \
    offset:40; depth:75;)
--- End Message ---
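A consistency check for a per-DMZ ruletype setup like the one in the attached message, added here as an example and not code from the thread or from Snort. It parses the ruletype blocks, var lines and rule actions with plain regexes (an assumed, simplified reading of the syntax, not Snort's own parser) and flags the kind of slips that creep into copied-and-edited config: the same var name defined three times, a ruletype logging to another DMZ's database, and rules referencing a var that was never defined. The embedded snort.conf and rule text is a constructed sample.

```python
import re

# Constructed sample of the post's snort.conf excerpt and per-DMZ rules, slips included.
SNORT_CONF = """
ruletype DMZ1_alert { type alert output alert_syslog: LOG_AUTH LOG_ALERT output database: log, mysql, user=snort dbname=dmz1 host=localhost }
ruletype DMZ2_alert { type alert output alert_syslog: LOG_AUTH LOG_ALERT output database: log, mysql, user=snort dbname=dmz3 host=localhost }
ruletype DMZ3_alert { type alert output alert_syslog: LOG_AUTH LOG_ALERT output database: log, mysql, user=snort dbname=dmz3 host=localhost }
var DMZ1_NET [192.168.1.0/24,10.1.1.0/24]
var DMZ1_NET [192.168.2.0/24,10.1.2.0/24]
var DMZ1_NET [192.168.3.0/24,10.1.3.0/24]
var RULE_PATH /snort/rules
"""
DMZ_RULES = """
DMZ1_alert tcp any any -> $DMZ1_NET any (msg:"Possible exploit"; content:"|90|"; offset:40; depth:75;)
DMZ2_alert tcp any any -> $DMZ2_NET any (msg:"Possible exploit"; content:"|90|"; offset:40; depth:75;)
DMZ3_alert tcp any any -> $DMZ3_NET any (msg:"Possible exploit"; content:"|90|"; offset:40; depth:75;)
"""
BUILTIN_ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}

def lint(conf: str, rules: str) -> list[str]:
    """Return one finding per inconsistency between ruletypes, vars and rules."""
    findings = []
    # 1. The same var defined more than once: each DMZ was meant to get its own name.
    seen = {}
    for name, value in re.findall(r"^\s*var\s+(\S+)\s+(\S+)", conf, re.M):
        if name in seen:
            findings.append(f"var {name} redefined: {seen[name]} then {value}")
        seen[name] = value
    # 2. A ruletype's dbname should match the DMZ in its own name (DMZ2_alert -> dmz2).
    ruletypes = set()
    for rt, body in re.findall(r"ruletype\s+(\w+)\s*\{(.*?)\}", conf, re.S):
        ruletypes.add(rt)
        expected = rt.split("_")[0].lower()
        for db in re.findall(r"dbname=(\w+)", body):
            if db != expected:
                findings.append(f"ruletype {rt} logs to dbname={db}, expected {expected}")
    # 3. Every rule must use a known action and reference only defined vars.
    for line in filter(str.strip, rules.splitlines()):
        action = line.split()[0]
        if action not in ruletypes and action not in BUILTIN_ACTIONS:
            findings.append(f"rule uses unknown action {action}")
        for ref in re.findall(r"\$(\w+)", line):
            if ref not in seen:
                findings.append(f"rule references undefined var ${ref}")
    return findings

if __name__ == "__main__":
    for finding in lint(SNORT_CONF, DMZ_RULES):
        print(finding)
```

Run against the sample it reports five findings; once the second and third vars are renamed to DMZ2_NET and DMZ3_NET and the DMZ2 ruletype points at dbname=dmz2, it reports none.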