Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Overlapping rules

From: robe () alfa21 com (Roberto Suarez Soto)
Date: Fri, 4 Jan 2002 19:23:44 +0100

        I don't know if this has already been answered in the FAQ or the
list archives; in that case, just point me somewhere to RTFM :-)

        I would like to know the behaviour of snort when some rules
overlap. The example I'm thinking about is Nimda/CodeRed rules. There
are a few rules that can be applied to a request done by an infected
computer. For example, let's take this request:

        GET /scripts/..\../winnt/system32/cmd.exe?/c+dir HTTP/1.0

        The rules "cmd.exe access" and "..\.. access" can be both
applied to this request. Which of them would be applied? Both? The first
that appears in the rules file?

        I'm asking because I've got this scenery: snort is running in
one computer, logging both to syslog and to libpcap files. I then get
these files and pipe them to a snort installed in another machine, that
puts the results in a database. I use that database to do some weekly
and monthly analyses of the data.

        But the thing is that I also run a snort-stat script daily to
inform me of snort activity, and in some cases, the number of alerts
given by this script and the queries to the database differ. The cases
are mostly the Nimda/CodeRed related rules, and some shellcode ones.
That's why I thought that maybe the behaviour of snort in case of
overlapping rules was not very "deterministic". I hope to be wrong,
anyway :-)

        I'm not sure if this is required, but anyway, before you ask:

        Linux 2.2.19, libc6 2.2.4
        Snort 1.8.3, using Debian package templates for 1.8p1
        Snort command line: 
                snort -D -c /etc/snort/snort.conf -l /var/log/snort \
                        -b -d -u snort -g snort -s -i eth0 -o

        The snort.conf file used is attached. Note that this is the
snort.conf file of the machine that puts the results on the database.
But anyway, besides the "output" configuration, everything else is the
same in the logging machine. Rules are the last from a week ago, I
believe (anyway, the rules file of these overlapping rules has not
changed since months ago).

-- 
Roberto Suarez Soto                                     Alfa21 Outsourcing
    robe () alfa21 com                               http://www.alfa21.com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: