Snort mailing list archives

Re: Rules: flags burp using 2.0.2?


From: JP Vossen <vossenjp () netaxs com>
Date: Tue, 23 Sep 2003 01:53:20 -0400 (EDT)

Date: Mon, 22 Sep 2003 11:16:52 -0700
From: John Sage <jsage () finchhaven com>
To: Matt Kettler <mkettler () evi-inc com>
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Rules: flags burp using 2.0.2?

On Mon, Sep 22, 2003 at 11:36:36AM -0400, Matt Kettler wrote:

At 08:31 PM 9/21/2003, John Sage wrote:
Rather than picking up these, it drops through to the generic TCP:135
rule I've got, which confuses what I'm trying to do...

Wha' happen' between 1.9.1 and here, flags-wise?

That sounds more like a rule-ordering difference than anything else. Snort
does not necessarily process rules in the same order that they appear in
your rule files, although that is somewhat of a factor.

I have been struggling with the same issue since 1.9.1.  It definitely CHANGED
in 2.0 but just how I can't say.  This is also a pretty low priority for me,
so I've not spent much time on it.

However, I did have some limited success as follows.  I created various custom
rule TYPES, with the same definition but different names.  I then used the
'config order' directive to force rule order.  This *almost* works--there are
still some Weird Things that I have not tracked down yet.  YMMV.

<snort.conf stuff>
# Custom rule to allow rule ordering so that rules trigger in the order needed.
ruletype payload
{
 type alert
 output database: alert, mysql, dbname=snort ... ignore_bpf=yes
}
#
# Custom rule to allow rule ordering so that rules trigger in the order needed.
ruletype handshake
{
 type alert
 output database: alert, mysql, dbname=snort ... ignore_bpf=yes
}

[...]

# Custom rule ordering so that rules trigger in the order needed.
config order: alert log payload handshake catchall

<snort.conf stuff>

That config is OK for me because I have few "sets" of rules to order (it's a
honeypot-kind-of-thing), but is not really scalable.  It also doesn't quite work
100% but I don't remember how it's broken nor have I played since soon after
2.0.1 came out.  I have NOT had time to test 2.0.2.  It *almost*, but not
quite, worked for 2.0.0 and 2.0.1.  I did not try this with 1.9.1.

HTH,
JP
------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|         jp{at}jpsdomain{dot}org
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
You used to have to reboot the Windows 9.x series every couple of days
because it would crash.  Now you have to reboot Windows 200x or XP every
couple of days because of a patch.  How is that better or more stable?
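Worked example of the approach JP describes above: one custom ruletype per "set" of rules, with 'config order' forcing the flag-specific TCP/135 rules to be evaluated before the generic catch-all. This is an added illustration in Snort 2.0.x syntax, not JP's own config; it assumes $HOME_NET/$EXTERNAL_NET are already set, replaces his mysql output with a plain alert_fast file, and the rules and sids are constructed for the example.

```snort
# Added example (not JP's config): snort.conf fragment, Snort 2.0.x syntax.
# Assumed: $HOME_NET / $EXTERNAL_NET are defined earlier in snort.conf; the
# rules below stand in for the "..." JP elided; output is a flat file instead
# of the mysql database.

# One custom ruletype per "set" of rules that must fire in a fixed order.
# All three behave like 'alert'; only the name differs, because 'config order'
# orders ruletypes as groups, not individual rules within a type.
ruletype handshake
{
    type alert
    output alert_fast: handshake.alert
}

ruletype payload
{
    type alert
    output alert_fast: payload.alert
}

ruletype catchall
{
    type alert
    output alert_fast: catchall.alert
}

# Evaluate handshake rules first, payload rules next, the catch-all last.
# 'pass' stays in front so explicit whitelists still short-circuit everything.
config order: pass handshake payload catchall alert log

# --- rules (normally kept in a .rules file and pulled in with 'include') ---
# Flag-specific TCP/135 rules: the action keyword is the custom ruletype name.
handshake tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"LOCAL tcp/135 SYN"; flags:S; sid:1000001; rev:1;)
handshake tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"LOCAL tcp/135 SYN-FIN"; flags:SF; sid:1000002; rev:1;)

# Data on an established session: checked only after the handshake rules.
payload tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"LOCAL tcp/135 data on established session"; flags:A+; dsize:>0; sid:1000003; rev:1;)

# Generic TCP/135 rule, evaluated last so it no longer swallows the SYN packets
# that the handshake rules are meant to catch.
catchall tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"LOCAL tcp/135 other"; sid:1000004; rev:1;)
```

A quick way to confirm the ordering took effect is to replay a capture containing a bare SYN to port 135 (snort -r file.pcap -c snort.conf) and check that the hit lands in handshake.alert rather than catchall.alert.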


