Snort mailing list archives
Re: [Snort-devel] threshold -- is it really deprecated?
From: Jason Brvenik <jbrvenik () sourcefire com>
Date: Mon, 23 Jan 2012 23:42:28 -0500
I'm not opposed to a structured format, just have issues with:

- the need to risk an edit to a non-detection causing an inadvertent detection modification.
- the risk of a local detection or metadata edit being clobbered by an update that doesn't affect either directly.
- the need for non-trivial parsing logic.
- the need for tools to manage rules at scale.

To sum it up, it needs to be well structured, easily parsed with existing tools, easily verified, signable, inheritable, overridable, understandable and usable by humans, editable with a simple text editor, automatable, encryptable, and facilitate sharing :)

On Jan 23, 2012, at 10:13 PM, Jim Hranicky <jfh () ufl edu> wrote:
> On Mon, 23 Jan 2012 16:55:39 -0500 Martin Roesch <roesch () sourcefire com> wrote:
>
>> Personally I'd prefer to see the rule structure revisited. The current melange of selectors, detection and metadata information in a rule that depends on the author for structure is pretty suboptimal (and entirely my fault, lack of foresight you know). Something like
>>
>>     rule {
>>         metadata { msg, sid/rev, ... }
>>         selector { flowbits, protocol, ip range, ... }
>>         detect   { content, regex, ... }
>>         action   { alert, log, block, set flowbit, ... }
>>     }
>>
>> would be great. If we did that and built in a nice macro system then
>
> You could always just use YAML for structure. Who wants to write a parser, anyway :-) ?
>
> Personally, I like the idea of having all the rule info in one place. So, you know, I only have to look/edit in one place when checking/creating a rule :-) . Having to edit X files for one rule would just be annoying.
>
> I still see the value in having something like an overrides.conf, where you could specify local exceptions:
>
> sourcefire.rules
> ----------------
>
>     - sid : 200202
>       msg : "Botnet checkin"
>       action : alert
>       flowbits : "set:SF.botnet"
>       from : "HOME_NET:any"
>       to : "EXTERNAL_NET:HTTP_PORTS"
>       content :
>         - value : "/foodebar.php?x=3"
>           type : http_uri
>         - value : !"Accept-"
>           type : http_header
>           distance : 0
>
>     - sid : 200203
>       [...]
>
> overrides.conf
> --------------
>
>     - sid : 200202
>       # replace to:
>       to : "EXTERNAL_NET:LOCAL_HTTP_PORTS"
>       # Get rid of the flowbits
>       flowbits : DELETE
>       # add a threshold
>       thresh :
>         type : detection_filter
>         seconds : 300
>         count : 20
>       # This leaves you with one content match
>       content :
>         - value : "/foodebar.php?x=3"
>           type : http_uri
>
> Or something like that. If you're using structured data, you no longer have to rely on regexp search and replace to make mods to the rules. A simple script could be used to output the final value of the rule(s). Wrap all this up in libsfparse, link snort and BY2 against it, poof, no more sid-msg.map (unless I'm missing something, entirely possible).
>
> $0.02 off the top of my head.
>
> --
> Jim Hranicky
> IT Security Engineer
> Office of Information Security and Compliance
> University of Florida
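The "simple script" Jim sketches, as an added example that is not code from the thread, from Snort or from Sourcefire: it takes the structured form of sourcefire.rules and overrides.conf, applies the per-sid overrides (a key set to DELETE is dropped, a list such as content is replaced wholesale, which is what leaves one content match), and renders the result in Snort 2 rule syntax. The rules are embedded here as the Python dicts a YAML loader would return, so the script runs without PyYAML; the protocol (tcp), the rev, the explicit negate flag for the `!"Accept-"` match and the `track by_src` default for the detection_filter are assumptions, since Jim's sketch carries none of them. Overrides whose sid no longer exists in the base set are reported rather than silently ignored, which is the clobbering case Jason raises.

```python
"""Merge structured Snort rules with local overrides, render Snort 2 syntax."""
import copy

DELETE = "DELETE"  # override-file sentinel: remove this key from the base rule

# Constructed sample: the structures a YAML loader would hand back for the
# sourcefire.rules / overrides.conf sketch in the thread. "proto", "rev" and
# the "negate" flag are assumptions added for this example.
BASE_RULES = [
    {
        "sid": 200202, "rev": 1, "msg": "Botnet checkin", "action": "alert",
        "proto": "tcp", "from": "HOME_NET:any", "to": "EXTERNAL_NET:HTTP_PORTS",
        "flowbits": "set:SF.botnet",
        "content": [
            {"value": "/foodebar.php?x=3", "type": "http_uri"},
            {"value": "Accept-", "negate": True, "type": "http_header", "distance": 0},
        ],
    },
]

OVERRIDES = [
    {
        "sid": 200202,
        "to": "EXTERNAL_NET:LOCAL_HTTP_PORTS",
        "flowbits": DELETE,
        "thresh": {"type": "detection_filter", "seconds": 300, "count": 20},
        "content": [{"value": "/foodebar.php?x=3", "type": "http_uri"}],
    },
]


def merge(base_rules, overrides):
    """Apply per-sid overrides to deep copies of the base rules.
    DELETE drops a key; any other value (lists included) replaces the base
    value wholesale. Returns (merged_rules, override_sids_with_no_base_rule)."""
    by_sid = {r["sid"]: copy.deepcopy(r) for r in base_rules}
    orphans = []
    for ov in overrides:
        rule = by_sid.get(ov["sid"])
        if rule is None:
            orphans.append(ov["sid"])  # base rule was removed by an update
            continue
        for key, val in ov.items():
            if key == "sid":
                continue
            if val == DELETE:
                rule.pop(key, None)
            else:
                rule[key] = copy.deepcopy(val)
    return list(by_sid.values()), orphans


def _endpoint(spec):
    """'HOME_NET:any' -> '$HOME_NET any', 'EXTERNAL_NET:HTTP_PORTS' -> '$EXTERNAL_NET $HTTP_PORTS'."""
    net, port = spec.split(":", 1)
    port = port if port == "any" else "$" + port
    return f"${net} {port}"


def _content_opts(c):
    """One content match plus its modifiers, in Snort 2 option order."""
    neg = "!" if c.get("negate") else ""
    opts = [f'content:{neg}"{c["value"]}"']
    if "type" in c:
        opts.append(c["type"])  # http_uri / http_header buffer modifier
    for mod in ("offset", "depth", "distance", "within"):
        if mod in c:
            opts.append(f"{mod}:{c[mod]}")
    return opts


def render(rule):
    """Emit one rule in Snort 2 syntax from its structured form."""
    opts = [f'msg:"{rule["msg"]}"']
    for c in rule.get("content", []):
        opts.extend(_content_opts(c))
    if "flowbits" in rule:  # "set:SF.botnet" -> "flowbits:set,SF.botnet"
        opts.append("flowbits:" + rule["flowbits"].replace(":", ",", 1))
    if "thresh" in rule:
        t = rule["thresh"]
        opts.append(f'{t["type"]}:track {t.get("track", "by_src")}, '
                    f'count {t["count"]}, seconds {t["seconds"]}')
    opts.append(f'sid:{rule["sid"]}')
    opts.append(f'rev:{rule["rev"]}')
    return (f'{rule["action"]} {rule["proto"]} {_endpoint(rule["from"])} -> '
            f'{_endpoint(rule["to"])} ({"; ".join(opts)};)')


def sid_msg_map(rules):
    """The sid-msg.map lines that become derivable instead of hand-maintained."""
    return [f'{r["sid"]} || {r["msg"]}' for r in rules]


if __name__ == "__main__":
    merged, orphans = merge(BASE_RULES, OVERRIDES)
    for r in merged:
        print(render(r))
    if orphans:
        print("overrides with no matching base rule:", orphans)
```

Because the override is keyed on sid and applied to a fresh copy of the vendor rule on every run, a rule update that touches an unrelated option (say, a new msg) is picked up without disturbing the local change, and an update that deletes the rule surfaces as an orphaned override instead of vanishing quietly.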
Current thread:
- Re: threshold -- is it really deprecated?, (continued)
- Re: threshold -- is it really deprecated? Patrick Mullen (Jan 21)
- Re: [Snort-users] threshold -- is it really deprecated? Eoin Miller (Jan 22)
- Re: [Snort-users] threshold -- is it really deprecated? elof (Jan 23)
- Re: [Snort-users] threshold -- is it really deprecated? Joel Esler (Jan 23)
- Re: [Snort-users] threshold -- is it really deprecated? Jason Brvenik (Jan 23)
- Re: [Snort-users] threshold -- is it really deprecated? Joshua Kinard (Jan 23)
- Re: [Snort-users] threshold -- is it really deprecated? Jason Brvenik (Jan 23)
- Re: [Snort-users] threshold -- is it really deprecated? Martin Roesch (Jan 23)
- Re: [Snort-devel] threshold -- is it really deprecated? Jim Hranicky (Jan 23)
- Re: [Snort-users] threshold -- is it really deprecated? beenph (Jan 23)
- Re: [Snort-devel] threshold -- is it really deprecated? Jason Brvenik (Jan 23)
- Re: [Snort-users] threshold -- is it really deprecated? Joshua Kinard (Jan 23)
- Re: [Snort-devel] threshold -- is it really deprecated? Joel Esler (Jan 24)
- Re: [Snort-devel] threshold -- is it really deprecated? Jim Hranicky (Jan 24)
- Re: [Snort-users] threshold -- is it really deprecated? Joshua Kinard (Jan 23)
- Re: [Snort-users] threshold -- is it really deprecated? Joshua Kinard (Jan 23)
- Re: [Snort-devel] threshold -- is it really deprecated? waldo kitty (Jan 25)
- Re: [Snort-users] threshold -- is it really deprecated? Joshua Kinard (Jan 23)
- Re: [Snort-users] Public Bugzilla? [was: threshold -- is it really deprecated?] Joshua Kinard (Jan 24)
- Re: [Snort-users] Public Bugzilla? [was: threshold -- is it really deprecated?] Joel Esler (Jan 24)
- Re: [Snort-users] Public Bugzilla? [was: threshold -- is it really deprecated?] Joel Esler (Feb 04)