Snort mailing list archives
Re: Dealing with Snort rules and signatures
From: Joel Esler <jesler () sourcefire com>
Date: Fri, 3 Aug 2012 17:40:33 -0400
On Jul 27, 2012, at 7:21 AM, Pratik Narang <pratik.cse.bits () gmail com> wrote:
As and when Snort sees packets, how it deals with them? I read in the manual- "The Pass rules are applied first, then the Drop rules, then the Alert rules and finally, Log rules are applied" and "the event processing is terminated when a pass rule is encountered". So, will all pass rules be *always* applied to a packet?
If the rule matches and the action is pass, then pass action is taken before a drop. So, yes, the packet will be allowed through. <snip>
Snort rules are huge in number. For the sake of higher efficiency, how can I customize Snort to do, say, that 'after you see that such-n-such packet(s) triggers such-n-such rule(s), take <this> action on it/ apply no more rules on it'.
Depends on what you are trying to do, that's a very open question.
How does Snort deal with encrypted packets? How does it deal with packets on SSL, and packets on TCP & TLS?
At Sourcefire, we sell an SSL offloader which decrypts packets and sends them into the IPS (Snort) for analyzation. Snort doesn't have much native SSL handling other than to detect SSL sessions being setup, if they are good or bad, and if they are set up, to ignore the rest of the session from inspection (as it is encrypted)
How does it deal with compressed (zipped) packets? Can signatures be applied to them without loss of efficiency?
It can decompress and inspect the traffic if you use the file_data Snort rule keyword. http://manual.snort.org/node32.html#SECTION004525000000000000000
------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Dealing with Snort rules and signatures Pratik Narang (Jul 27)
- Dealing with Snort rules and signatures Pratik Narang (Jul 30)
- Re: Dealing with Snort rules and signatures Joel Esler (Aug 03)