Re: [Snort-devel] threshold -- is it really deprecated?

[Jason Brvenik <jbrvenik () sourcefire com>]

I'm not opposed to a structured format, just have issues with:

- the need to risk an edit to a non-detection causing an inadvertent
detection modification.

- the risk of a local detection or metadata edit being clobbered by an
update that doesn't affect either directly.

- the need for non-trivial parsing logic

- the need for tools to manage rules at scale.

To sum it up. It needs to be well structured, easily parsed with
existing tools, easily verified, signable, inheritable, overridable,
understandable and usable by humans, editable with a simple text
editor, automatable, encryptable, and facilitate sharing :)

On Jan 23, 2012, at 10:13 PM, Jim Hranicky <jfh () ufl edu> wrote:

> On Mon, 23 Jan 2012 16:55:39 -0500
> Martin Roesch <roesch () sourcefire com> wrote:
>
> > Personally I'd prefer to see the rule structure revisited.  The
> > current melange of selectors, detection and metadata information in a
> > rule that depends on the author for structure is pretty suboptimal
> > (and entirely my fault, lack of foresight you know).
> >
> > Something like
> >
> > rule {
> >    metadata { msg, sid/rev, ... }
> >    selector { flowbits, protocol, ip range, ... }
> >    detect { content, regex, ... }
> >    action { alert, log, block, set flowbit, ... }
> > }
> >
> > would be great.  If we did that and built in a nice macro system then
>
> You could always just use YAML for structure. Who wants to write
> a parser, anyway :-) ?
>
> Personally, I like the idea of having all the rule info in one place.
> So, you know, I only have to look/edit in one place when checking/
> creating a rule :-) . Having to edit X files for one rule would
> just be annoying.
>
> I still see the value in having something like an overrides.conf,
> where you could specify local exceptions:
>
> sourcefire.rules
> ----------------
>
> - sid      : 200202
>  msg      : "Botnet checkin"
>  action   : alert
>  flowbits : "set:SF.botnet"
>  from     : "HOME_NET:any"
>  to       : "EXTERNAL_NET:HTTP_PORTS"
>  content  :
>    - value    : "/foodebar.php?x=3"
>      type     : http_uri
>    - value    : !"Accept-"
>      type     : http_header
>      distance : 0
>
> - sid      : 200203
>  [...]
>
> overrides.conf
> --------------
>
> - sid      : 200202
> # replace to:
>  to       : "EXTERNAL_NET:LOCAL_HTTP_PORTS"
> # Get rid of the flowbits
>  flowbits : DELETE
> # add a threshold
>  thresh   :
>    type       : detection_filter
>    seconds    : 300
>    count      : 20
> # This leaves you with one content match
>  content  :
>    - value    : "/foodebar.php?x=3"
>      type     : http_uri
>
> Or something like that.
>
> If you're using strucured data, you no longer have to rely on
> regexp search and replace to make mods to the rules. A simple
> script could be used to output the final value of the rule(s).
>
> Wrap all this up in libsfparse, link snort and BY2 against it,
> poof, no more sid-msg.map (unless I'm missing something,
> entirely possible).
>
> $0.02 off the top of my head.
>
> --
> Jim Hranicky
> IT Security Engineer
> Office of Information Security and Compliance
> University of Florida

------------------------------------------------------------------------------
Keep Your Developer Skills Current with LearnDevNow!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!