Snort mailing list archives
Rule order--almost works?
From: JP Vossen <vossenjp () netaxs com>
Date: Wed, 21 May 2003 11:28:50 -0400 (EDT)
About a month ago I posted a question about rule order but I got no response [0]. I have since *almost* gotten it working. The improved rules engine in Snort 2 makes it even harder to figure out which rule is going to be triggered in a situation where there are similar rules, so I was stuck for a while. Then I got an idea from Jeff Posluns' Policy-Based IDS material in chapter 12 of the Snort v2 book. I created custom rule types and used the config order directive to force the order I wanted.

It *almost* works! The problem now is that every time one of my "outgoing" rules should trigger, I get a "catch all" instead. Yet the "incoming" rules (with and w/o payload) seem to be working fine. I'm very confused, can anyone help?

It's Snort 2.0.0 (Build 72) on Red Hat 8 with RH kernel 2.4.18-27.8.0 on an unnumbered interface. The relevant sections of the snort.conf are below.

The idea here is to capture EVERYTHING in a honeypot environment, while using descriptive rules so that viewing in ACID makes a little more sense. Once this part is working right I'll add the snort.org rules back into the mix under the theory that they will match first and find the really interesting stuff and that anything not matched by them will fall through to my custom rules.

So, anyone have any idea why outgoing rules are failing? Anything else I'm doing wrong?
TIA,
JP

[0] http://marc.theaimsgroup.com/?l=snort-users&m=105116419718599&w=2

----- Cut here -----
#var HOME_NET 10.1.1.0/24
var HOME_NET 66.xxx.xxx.115/32
#var EXTERNAL_NET any
var EXTERNAL_NET !$HOME_NET

## Preprocessor Support
## --------------------
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble
#preprocessor portscan: $HOME_NET 4 3 portscan.log
#preprocessor portscan-ignorehosts: 0.0.0.0
#preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 3000
#preprocessor portscan2: scanners_max 256, targets_max 1024, target_limit 5, port_limit 20, timeout 60
preprocessor frag2
preprocessor telnet_decode

## Output Modules
## --------------
output database: alert, mysql, dbname=snort host=xxxxxx user=snort password=xxxxxxxxxx sensor_name=Snorter2_JP detail=full ignore_bpf=yes

## Custom Rules
## ------------
#ruletype redalert
#{
#    type alert
#    output alert_syslog: LOG_AUTH LOG_ALERT
#    output database: log, mysql, user=snort dbname=snort host=localhost
#}

# Custom rule to allow rule ordering so that rules trigger in the order needed.
ruletype payload
{
    type alert
    output database: alert, mysql, dbname=snort host=xxxxxx user=snort password=xxxxxxxxxx sensor_name=Snorter2_JP detail=full ignore_bpf=yes
}

# Custom rule to allow rule ordering so that rules trigger in the order needed.
ruletype handshake
{
    type alert
    output database: alert, mysql, dbname=snort host=xxxxxx user=snort password=xxxxxxxxxx sensor_name=Snorter2_JP detail=full ignore_bpf=yes
}

# Custom rule to allow rule ordering so that rules trigger in the order needed.
ruletype catchall
{
    type alert
    output database: alert, mysql, dbname=snort host=xxxxxx user=snort password=xxxxxxxxxx sensor_name=Snorter2_JP detail=full ignore_bpf=yes
}

## Command Line Options
## --------------------
config reference_net: 66.xxx.xxx.115/32
config alert_with_interface_name
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_ttcp_alerts
config disable_tcpopt_alerts
config disable_ipopt_alerts
config detection: search-method mwm

# Custom rule ordering so that rules trigger in the order needed.
config order: alert log payload handshake catchall

payload icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"HPT-Incoming ICMP"; session: printable; sid:1000004;)
payload icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"HPT-Outgoing ICMP"; session: printable; sid:1000005;)
payload udp $EXTERNAL_NET any -> $HOME_NET any (msg:"HPT-Incoming UDP"; session: printable; sid:1000006;)
payload udp $HOME_NET any -> $EXTERNAL_NET any (msg:"HPT-Outgoing UDP"; session: printable; sid:1000007;)
payload tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"HPT-Incoming TCP with payload"; dsize:>0; session: printable; sid:1000008;)
payload tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"HPT-Outgoing TCP with payload"; dsize:>0; session: printable; sid:1000009;)
handshake tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"HPT-Incoming TCP no payload"; dsize:0; sid:1000010;)
handshake tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"HPT-Outgoing TCP no payload"; dsize:0; sid:1000011;)
catchall icmp any any -> any any (msg:"HPT-Catch All ICMP"; session: printable; sid:1000012;)
catchall tcp any any -> any any (msg:"HPT-Catch All TCP"; session: printable; sid:1000013;)
catchall udp any any -> any any (msg:"HPT-Catch All UDP"; session: printable; sid:1000014;)
catchall ip any any -> any any (msg:"HPT-Catch All IP"; session: printable; sid:1000015;)

------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|        jp () jpsdomain org
My Account, My Opinions       |=========|        http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
"The software said it requires Windows XP or better, so I installed Linux..."
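As an added illustration (not part of the post above), a small Python model of the first-match semantics that `config order` is meant to impose, loaded with the post's own custom rules, so a reader can see which rule type is expected to win for a given packet and what happens if catchall is ordered earlier. It assumes a placeholder HOME of 66.0.0.115/32 for the masked 66.xxx.xxx.115/32 and models only protocol, address and dsize matching; it shows the intended behaviour, not why the author's sensor reported catch-all hits.

```python
import ipaddress

# Constructed, simplified model of what `config order` is meant to do in
# Snort 2: rule types are tried in the listed order and the first type with a
# matching rule wins. Not Snort's code, only a reasoning aid for the post.
HOME = "66.0.0.115/32"   # placeholder for the post's masked 66.xxx.xxx.115/32
EXT = "!" + HOME         # var EXTERNAL_NET !$HOME_NET

def addr_match(spec, addr):
    """Evaluate a Snort address spec: 'any', a CIDR, or a '!'-negated CIDR."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_match(spec[1:], addr)
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def rule_matches(rule, pkt):
    """Header match on protocol and addresses, plus the optional dsize test."""
    _, proto, src, dst, _, dsize = rule
    if proto not in ("ip", pkt["proto"]):
        return False
    if not (addr_match(src, pkt["src"]) and addr_match(dst, pkt["dst"])):
        return False
    return dsize is None or (pkt["dsize"] > 0 if dsize == ">0" else pkt["dsize"] == 0)

def first_match(order, rules, pkt):
    """Return the msg of the winning rule under the given rule-type order."""
    for rtype in order:
        for rule in rules:
            if rule[0] == rtype and rule_matches(rule, pkt):
                return rule[4]
    return None

# The post's custom rules as (type, proto, src, dst, msg, dsize).
RULES = [
    ("payload", "icmp", EXT, HOME, "HPT-Incoming ICMP", None),
    ("payload", "icmp", HOME, EXT, "HPT-Outgoing ICMP", None),
    ("payload", "udp", EXT, HOME, "HPT-Incoming UDP", None),
    ("payload", "udp", HOME, EXT, "HPT-Outgoing UDP", None),
    ("payload", "tcp", EXT, HOME, "HPT-Incoming TCP with payload", ">0"),
    ("payload", "tcp", HOME, EXT, "HPT-Outgoing TCP with payload", ">0"),
    ("handshake", "tcp", EXT, HOME, "HPT-Incoming TCP no payload", "0"),
    ("handshake", "tcp", HOME, EXT, "HPT-Outgoing TCP no payload", "0"),
    ("catchall", "icmp", "any", "any", "HPT-Catch All ICMP", None),
    ("catchall", "tcp", "any", "any", "HPT-Catch All TCP", None),
    ("catchall", "udp", "any", "any", "HPT-Catch All UDP", None),
    ("catchall", "ip", "any", "any", "HPT-Catch All IP", None),
]
POST_ORDER = ["alert", "log", "payload", "handshake", "catchall"]
CATCHALL_FIRST = ["alert", "log", "catchall", "payload", "handshake"]  # constructed contrast
```

Under POST_ORDER an outgoing TCP segment with data from HOME resolves to the "HPT-Outgoing TCP with payload" rule, while CATCHALL_FIRST shadows every descriptive rule with a catch-all hit.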
Current thread:
- Rule order--almost works? JP Vossen (May 21)
- <Possible follow-ups>
- RE: Rule order--almost works? Ron Shuck (May 21)