Snort mailing list archives

Re: upgraded some tools (snortplot)


From: Martin Roesch <roesch () sourcefire com>
Date: Mon, 29 Oct 2001 22:03:43 -0500

Brian wrote:

According to Angelos Karageorgiou:
=============
Oct 22 08:48:19 cat snort[1050]: [1:485:1] ICMP Destination Unreachable
(Communication Administratively Prohibited) {ICMP} 193.92.130.201 ->
193.92.44.194

Oct 22 09:27:14 cat snort[1050]: [1:499:1] MISC Large ICMP Packet
[Classification: Potentially Bad Traffic] [Priority: 2]: {ICMP} 205.160.52.52
-> 193.92.44.194

Oct 22 12:46:02 cat snort[1050]: [1:480:1] ICMP PING speedera {ICMP}
63.251.167.2 -> 193.92.44.194
=============

In the two above lines, both for ICMP traffic, one uses parentheses and
one uses square brackets, and the third line has neither parens nor quotes.

Actually, the second one prints its priority and classification.  The
other two do not.  If that's coming from the same version of snort,
then there is a bug.

Marty?

Alert number one you've got an alert that has parentheses in the msg
field.  Alert number two has a classification and priority assigned to
it (classtype) and a plain msg field.  Alert number three has no
classtype assigned to it and a plain msg field.  Looks pretty
straightforward to me.

Let's check.

Sid 485: no classtype assigned, msg field has parenthetical statement
within
Sid 499: classtype assigned
Sid 480: no classtype assigned

I do not mean to belittle anybody's work here, I am just saying that maybe
we need a rule creation metaengine, probably based on M4 or some macro
language which will generate the rules.

No, it's not the problem of the rules.  It's something else.

Um, everything is working the way it was written to; there are no
problems here except for apparent inconsistency because of the way the
rules were written.  Maybe I should add the "[**]" back to the msg field
for syslog output so there's no confusion.

I don't think that running things through M4 would have helped in this case
particularly; it's perfectly valid to leave out pieces of the rules.
There are only a few things that are *required* to write a valid Snort
rule, which makes life easier for everyone in general.

     -Marty

--
Martin Roesch - President, Sourcefire Inc. - (410)552-6999
roesch () sourcefire com - http://www.sourcefire.com  
Snort: Open Source Network IDS - http://www.snort.org

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
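The point of the thread is that the three syslog lines share one layout and differ only in optional fields: the bracketed Classification/Priority pair appears only when the rule has a classtype, and the msg text may itself contain parentheses. The following parser is an added example (not code from the thread or from the Snort project) that handles both cases; the three sample lines are the thread's own alerts rejoined onto single lines, and the regular expression and the helper names (`parse_alert`, `sids_by_classtype`) are this example's assumptions about the format, not a published Snort specification.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Syslog alert layout as seen in the thread (assumed from the three sample lines):
#   <ts> <host> snort[<pid>]: [gid:sid:rev] <msg> [Classification: <c>] [Priority: <p>]: {<proto>} <src> -> <dst>
# Classification/Priority are optional; msg is matched lazily so that parentheses
# inside it (sid 485) are not mistaken for structure.
ALERT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) snort\[(?P<pid>\d+)\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.+?)"
    r"(?: \[Classification: (?P<classification>[^\]]+)\])?"
    r"(?: \[Priority: (?P<priority>\d+)\])?"
    r":? \{(?P<proto>[A-Z]+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)


@dataclass
class SnortAlert:
    timestamp: str
    host: str
    pid: int
    gid: int
    sid: int
    rev: int
    msg: str
    proto: str
    src: str
    dst: str
    classification: Optional[str] = None  # None when the rule has no classtype
    priority: Optional[int] = None        # None when the rule has no classtype


def parse_alert(line: str) -> SnortAlert:
    """Parse one unwrapped Snort syslog alert line; raise ValueError otherwise."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a Snort syslog alert line: {line!r}")
    g = m.groupdict()
    return SnortAlert(
        timestamp=g["ts"], host=g["host"], pid=int(g["pid"]),
        gid=int(g["gid"]), sid=int(g["sid"]), rev=int(g["rev"]),
        msg=g["msg"], proto=g["proto"], src=g["src"], dst=g["dst"],
        classification=g["classification"],
        priority=int(g["priority"]) if g["priority"] is not None else None,
    )


def sids_by_classtype(lines: List[str]) -> Dict[bool, List[int]]:
    """Reproduce the thread's 'Let's check' list: which sids carry a classtype?"""
    out: Dict[bool, List[int]] = {True: [], False: []}
    for line in lines:
        alert = parse_alert(line)
        out[alert.classification is not None].append(alert.sid)
    return out


# The thread's three alerts, rejoined onto single lines (the mail wrapped them).
SAMPLE_LINES = [
    "Oct 22 08:48:19 cat snort[1050]: [1:485:1] ICMP Destination Unreachable "
    "(Communication Administratively Prohibited) {ICMP} 193.92.130.201 -> 193.92.44.194",
    "Oct 22 09:27:14 cat snort[1050]: [1:499:1] MISC Large ICMP Packet "
    "[Classification: Potentially Bad Traffic] [Priority: 2]: {ICMP} 205.160.52.52 -> 193.92.44.194",
    "Oct 22 12:46:02 cat snort[1050]: [1:480:1] ICMP PING speedera {ICMP} 63.251.167.2 -> 193.92.44.194",
]

if __name__ == "__main__":
    for alert in map(parse_alert, SAMPLE_LINES):
        print(alert)
    print(sids_by_classtype(SAMPLE_LINES))
```

Run it as a script to see the three structured records; `sids_by_classtype` returns `{True: [499], False: [485, 480]}`, matching Marty's list. Note that syslog relays and mail clients wrap long lines, so feed the parser one alert per line; a line that does not match the layout raises rather than silently yielding a partial record, which is the behaviour you want in a collector.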

