Snort mailing list archives
Overlapping rules
From: robe () alfa21 com (Roberto Suarez Soto)
Date: Fri, 4 Jan 2002 19:23:44 +0100
I don't know if this has already been answered in the FAQ or the list archives; in that case, just point me somewhere to RTFM :-)

I would like to know the behaviour of snort when some rules overlap. The example I'm thinking about is Nimda/CodeRed rules. There are a few rules that can be applied to a request done by an infected computer. For example, let's take this request:

GET /scripts/..\../winnt/system32/cmd.exe?/c+dir HTTP/1.0

The rules "cmd.exe access" and "..\.. access" can both be applied to this request. Which of them would be applied? Both? The first that appears in the rules file?

I'm asking because I've got this scenery: snort is running on one computer, logging both to syslog and to libpcap files. I then get these files and pipe them to a snort installed on another machine, which puts the results in a database. I use that database to do some weekly and monthly analyses of the data. But the thing is that I also run a snort-stat script daily to inform me of snort activity, and in some cases the number of alerts given by this script and the queries to the database differ. The cases are mostly the Nimda/CodeRed related rules, and some shellcode ones. That's why I thought that maybe the behaviour of snort in the case of overlapping rules was not very "deterministic". I hope to be wrong, anyway :-)

I'm not sure if this is required, but anyway, before you ask:

Linux 2.2.19, libc6 2.2.4
Snort 1.8.3, using Debian package templates for 1.8p1
Snort command line:
snort -D -c /etc/snort/snort.conf -l /var/log/snort \
      -b -d -u snort -g snort -s -i eth0 -o

The snort.conf file used is attached. Note that this is the snort.conf file of the machine that puts the results in the database. But anyway, besides the "output" configuration, everything else is the same on the logging machine. Rules are the latest from a week ago, I believe (anyway, the rules file containing these overlapping rules has not changed in months).
--
Roberto Suarez Soto
Alfa21 Outsourcing
robe () alfa21 com
http://www.alfa21.com
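The question above is whether one request that satisfies two signatures yields one alert or two, and why two counting tools might then disagree. The following is an added toy model (not Snort's detection engine, and not the poster's code) that evaluates the request quoted in the post against the two named rules under both policies, "every matching rule fires" and "only the first matching rule in file order fires", and counts the difference. The rule names and content patterns are constructed here to mirror the ones the poster names; the request string is the one from the post.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str       # alert message for this signature
    pattern: bytes  # content string searched for in the request

# Constructed rules mirroring the two signatures the poster names.
RULES = [
    Rule("cmd.exe access", b"cmd.exe"),
    Rule("..\\.. access", b"..\\.."),
]

# The request quoted in the post (a Nimda/CodeRed style directory traversal).
REQUEST = b"GET /scripts/..\\../winnt/system32/cmd.exe?/c+dir HTTP/1.0"

def matching_rules(request, rules=RULES):
    """Names of every rule whose content pattern occurs in the request,
    in rules-file order."""
    return [r.name for r in rules if r.pattern in request]

def alerts(request, rules=RULES, first_match_only=False):
    """Alerts produced for one request under one of two policies:
    all matches (one alert per overlapping rule) or first match only
    (only the earliest rule in file order fires)."""
    hits = matching_rules(request, rules)
    return hits[:1] if first_match_only else hits

def count_discrepancy(requests, rules=RULES):
    """How many more alerts the all-matches policy reports than the
    first-match policy over a batch of requests. A non-zero value is
    exactly the kind of gap between two alert-counting tools the post
    describes when they do not share the same policy."""
    all_n = sum(len(alerts(r, rules)) for r in requests)
    first_n = sum(len(alerts(r, rules, first_match_only=True)) for r in requests)
    return all_n - first_n

if __name__ == "__main__":
    print("all matches :", alerts(REQUEST))
    print("first only  :", alerts(REQUEST, first_match_only=True))
```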