Rule order--almost works?

[JP Vossen <vossenjp () netaxs com>]

About a month ago I posted a question about rule order but I go no response
[0].  I have since *almost* gotten it working.  The improved rules engine in
Snort 2 makes it even harder to figure out which rule is going to be triggered
in a situation where there are similar rules, so I was stuck for a while.
Then I got an idea from Jeff Posluns Policy-Based IDS material in chapter 12
of the Snort v2 book.  I created custom rule types and used the config order
directive to force the order I wanted.  It *almost* works!

The problem now is that every time one of my "outgoing" rules should trigger,
I get a "catch all" instead.  Yet the "incoming" rules (with and w/o payload)
seem to be working fine.  I'm very confused, can anyone help?

It's Snort 2.0.0 (Build 72) on Red Hat 8 with RH kernel 2.4.18-27.8.0 on an
unnumbered interface.  The relevant sections of the snort.conf are below.  The
idea here is to capture EVERYTHING in a honeypot environment, while using
descriptive rules so that viewing in ACID makes a little more sense.  Once
this part is working right I'll add the snort.org rules back in to the mix
under the theory that they will match first and find the really interesting
stuff and they anything not matched by them will fall through to my custom
rules.

So, anyone have ny idea why outgoing rules are failing?  Anything else I'm
doing wrong?

TIA,
JP

[0] http://marc.theaimsgroup.com/?l=snort-users&m=105116419718599&w=2


----- Cut here -----

#var HOME_NET 10.1.1.0/24
var HOME_NET 66.xxx.xxx.115/32
#var EXTERNAL_NET any
var EXTERNAL_NET !$HOME_NET

## Preprocessor Support
## --------------------
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode
iis_flip_slash full_whitespace
preprocessor rpc_decode: 111 32771
preprocessor bo
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble
#preprocessor portscan: $HOME_NET 4 3 portscan.log
#preprocessor portscan-ignorehosts: 0.0.0.0
#preprocessor conversation: allowed_ip_protocols all, timeout 60,
max_conversations 3000
#preprocessor portscan2: scanners_max 256, targets_max 1024, target_limit 5,
port_limit 20, timeout 60
preprocessor frag2
preprocessor telnet_decode

## Output Modules
## --------------
output database: alert, mysql, dbname=snort host=xxxxxx user=snort
password=xxxxxxxxxx sensor_name=Snorter2_JP detail=full ignore_bpf=yes

## Custom Rules
## ------------
#ruletype redalert
#{
# type alert
# output alert_syslog: LOG_AUTH LOG_ALERT
# output database: log, mysql, user=snort dbname=snort host=localhost
#}

# Custom rule to allow rule ordering so that rules trigger in the order
needed.
ruletype payload
{
 type alert
 output database: alert, mysql, dbname=snort host=xxxxxx user=snort
password=xxxxxxxxxx sensor_name=Snorter2_JP detail=full ignore_bpf=yes
}

# Custom rule to allow rule ordering so that rules trigger in the order
needed.
ruletype handshake
{
 type alert
 output database: alert, mysql, dbname=snort host=xxxxxx user=snort
password=xxxxxxxxxx sensor_name=Snorter2_JP detail=full ignore_bpf=yes
}

# Custom rule to allow rule ordering so that rules trigger in the order
needed.
ruletype catchall
{
 type alert
 output database: alert, mysql, dbname=snort host=xxxxxx user=snort
password=xxxxxxxxxx sensor_name=Snorter2_JP detail=full ignore_bpf=yes
}

## Command Line Options
## --------------------
config reference_net: 66.xxx.xxx.115/32
config alert_with_interface_name
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_ttcp_alerts
config disable_tcpopt_alerts
config disable_ipopt_alerts
config detection: search-method mwm

# Custom rule ordering so that rules trigger in the order needed.
config order: alert log payload handshake catchall

payload icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"HPT-Incoming ICMP";
session: printable; sid:1000004;)
payload icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"HPT-Outgoing ICMP";
session: printable; sid:1000005;)
payload udp $EXTERNAL_NET any -> $HOME_NET any (msg:"HPT-Incoming UDP";
session: printable; sid:1000006;)
payload udp $HOME_NET any -> $EXTERNAL_NET any (msg:"HPT-Outgoing UDP";
session: printable; sid:1000007;)
payload tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"HPT-Incoming TCP with
payload"; dsize:>0; session: printable; sid:1000008;)
payload tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"HPT-Outgoing TCP with
payload"; dsize:>0; session: printable; sid:1000009;)

handshake tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"HPT-Incoming TCP no
payload"; dsize:0; sid:1000010;)
handshake tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"HPT-Outgoing TCP no
payload"; dsize:0; sid:1000011;)

catchall icmp any any -> any any (msg:"HPT-Catch All ICMP"; session:
printable; sid:1000012;)
catchall tcp any any -> any any (msg:"HPT-Catch All TCP"; session: printable;
sid:1000013;)
catchall udp any any -> any any (msg:"HPT-Catch All UDP"; session: printable;
sid:1000014;)
catchall ip any any -> any any (msg:"HPT-Catch All IP"; session: printable;
sid:1000015;)

------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|                jp () jpsdomain org
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
"The software said it requires Windows XP or better, so I installed
Linux..."



-------------------------------------------------------
This SF.net email is sponsored by: ObjectStore.
If flattening out C++ or Java code to make your application fit in a
relational database is painful, don't do it! Check out ObjectStore.
Now part of Progress Software. http://www.objectstore.net/sourceforge
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users