Snort mailing list archives

Re: Problems with the ordering inside the rules


From: "Sergio Talens-Oliag" <stalens () infocentre gva es>
Date: Fri, 7 Nov 2003 08:53:33 +0100

On Thu, Nov 06, 2003 at 07:49:35PM -0000, Adams, Samuel (contractor) wrote:
If I'm interpreting your question correctly, you're asking why you get
different results with

    pass tcp $EXTERNAL_NET any -> $DMZ_NETSCAPE_POP_SERVERS 110 ( sid:
1000010; rev: 1; msg: "POP3 TOP overflow attempt"; flow:
to_server,established; content: "TOP"; nocase; content: !"|0a|"; within: 10;
classtype: attempted-admin;)
    alert tcp $EXTERNAL_NET any -> $HOME_NET 110 ( sid: 2109; rev: 1; msg:
"POP3 TOP overflow attempt"; flow: to_server,established; content: !"|0a|";
within: 10; content: "TOP"; nocase; classtype: attempted-admin;)
  
as opposed to:
    pass tcp $EXTERNAL_NET any -> $DMZ_NETSCAPE_POP_SERVERS 110 ( sid:
1000010; rev: 1; msg: "POP3 TOP overflow attempt"; flow:
to_server,established; content: !"|0a|"; within: 10; content: "TOP"; nocase;
classtype: attempted-admin;)
    alert tcp $EXTERNAL_NET any -> $HOME_NET 110 ( sid: 2109; rev: 1; msg:
"POP3 TOP overflow attempt"; flow: to_server,established; content: !"|0a|";
within: 10; content: "TOP"; nocase; classtype: attempted-admin;)

  Yes, that's what I was asking.

Is that right? Generally I don't believe the ordering of content
modifiers matters. However, in this case you're using the within
keyword. That makes the order important. 

This rule alert tcp $EXTERNAL_NET any -> $DMZ_NETSCAPE_POP_SERVERS 110
( sid: 1000010; rev: 1; msg: "POP3 TOP overflow attempt"; flow:
to_server,established; content: "TOP"; nocase; content: !"|0a|";
within: 10; classtype: attempted-admin;)

translated (roughly) into English - If we see "TOP" and there isn't a
return character within 10 bytes - generate an alert

This rule alert tcp $EXTERNAL_NET any -> $HOME_NET 110 ( sid: 2109;
rev: 1; msg: "POP3 TOP overflow attempt"; flow: to_server,established;
content: !"|0a|"; within: 10; content: "TOP"; nocase; classtype:
attempted-admin;)

also translated (roughly) into English - If we see something other
than a return character and there is a "TOP" string within 10 bytes
(and no return characters in between) generate an alert

  OK, that's what I was missing, I did not know for sure if the ordering
  was significant, now I see that it is.
I don't think the change you made will do what you want. You've
modified the alert criteria of the signature and end up looking for
something different and probably not very exciting. I think you would
be better off making your alert rule look like your first pass rule.

  Well, that was what we did, the problem is that we were writing the
  pass rule in the same order as the alert one, but using the
  'snortcenter' console; it seems that the ordering of content modifiers
  is ignored in snortcenter, because the rule we got from its database
  was the modified one, with the order changed.
  
  I'll look at snortcenter code to be sure and inform the author about
  this bug.
  
The rule combination that will probably achieve what you are looking
for is:

    pass tcp $EXTERNAL_NET any -> $DMZ_NETSCAPE_POP_SERVERS 110 ( sid:
    1000010; rev: 1; msg: "POP3 TOP overflow attempt"; flow:
    to_server,established; content: "TOP"; nocase; content: !"|0a|";
    within: 10; classtype: attempted-admin;)

    alert tcp $EXTERNAL_NET any -> $DMZ_NETSCAPE_POP_SERVERS 110 ( sid:
    1000010; rev: 1; msg: "POP3 TOP overflow attempt"; flow:
    to_server,established; content: "TOP"; nocase; content: !"|0a|";
    within: 10; classtype: attempted-admin;)

Hope this helps.

  Yes, it has helped a lot, thanks. Now I know I have to look into
  snortcenter to fix this problem or manage my sensors with a different
  tool ... ;)

  Sergio.

-- 
Sergio Talens-Oliag <stalens () infocentre gva es>             Info Centre
Key fingerprint = 29DF 544F  1BD9 548C  8F15 86EF  6770 052B  B8C1 FA69
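The point of the thread is that `within` ties a content match to the end of the previous one, so swapping the two `content` options changes what the signature detects. The following is an added example (not code from the thread, from Snort or from snortcenter) that simulates that relative-match logic for the two orderings over a few constructed POP3 command buffers. It assumes a simplified model of Snort's matcher: a `within` on the first content is measured from the start of the payload, a content without `within` is searched over the whole payload, a negated content succeeds when the pattern is absent from its window and does not move the match cursor, and "within N" means the pattern must lie entirely in the N bytes after the previous match. The function and class names are the example's own.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Content:
    """One Snort 'content' option with the modifiers used in the thread."""
    pattern: bytes
    negated: bool = False      # content: !"..."
    nocase: bool = False       # nocase
    within: Optional[int] = None  # within: N (relative to previous match)


def evaluate(contents: List[Content], payload: bytes) -> bool:
    """Return True when every content option matches, in the order given.

    Simplified model (assumption, not Snort's exact engine): the cursor holds
    the end of the previous positive match and starts at payload offset 0.
    """
    cursor = 0
    for c in contents:
        if c.within is None:
            # No relative modifier: search the whole payload.
            region_start, region = 0, payload
        else:
            # Relative: only the N bytes after the previous match count.
            region_start, region = cursor, payload[cursor:cursor + c.within]
        haystack = region.lower() if c.nocase else region
        needle = c.pattern.lower() if c.nocase else c.pattern
        idx = haystack.find(needle)
        if c.negated:
            if idx != -1:
                return False          # forbidden pattern was present
            # a negated match does not advance the cursor
        else:
            if idx == -1:
                return False          # required pattern missing
            cursor = region_start + idx + len(needle)
    return True


# Ordering from the pass rule / corrected alert rule:
#   content: "TOP"; nocase; content: !"|0a|"; within: 10;
RULE_TOP_THEN_NO_LF = [
    Content(b"TOP", nocase=True),
    Content(b"\n", negated=True, within=10),
]

# Ordering snortcenter produced:
#   content: !"|0a|"; within: 10; content: "TOP"; nocase;
RULE_NO_LF_THEN_TOP = [
    Content(b"\n", negated=True, within=10),
    Content(b"TOP", nocase=True),
]


def rule_top_then_no_lf(payload: bytes) -> bool:
    return evaluate(RULE_TOP_THEN_NO_LF, payload)


def rule_no_lf_then_top(payload: bytes) -> bool:
    return evaluate(RULE_NO_LF_THEN_TOP, payload)


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "normal TOP":            b"TOP 1 5\r\n",
    "long TOP argument":     b"TOP " + b"A" * 40 + b"\r\n",
    "USER then long TOP":    b"USER bob\r\nTOP " + b"A" * 40 + b"\r\n",
    "benign USER 'topsy'":   b"USER topsy\r\n",
}


def compare(samples=SAMPLES):
    """Map each sample name to (TOP-then-!LF result, !LF-then-TOP result)."""
    return {name: (rule_top_then_no_lf(p), rule_no_lf_then_top(p))
            for name, p in samples.items()}


if __name__ == "__main__":
    print(f"{'payload':24} {'TOP,!LF':>8} {'!LF,TOP':>8}")
    for name, (a, b) in compare().items():
        print(f"{name:24} {str(a):>8} {str(b):>8}")
```

Running it shows the two signatures disagree on the last two samples: with the original ordering, a long TOP argument is flagged even when another command precedes it in the same segment, and a harmless `USER topsy` is not; with the swapped ordering, the preceding `USER` line hides the long argument (the LF falls in the first 10 bytes) while `USER topsy` fires, which is what "probably not very exciting" means in practice.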

