Snort mailing list archives
Re: Problems with the ordering inside the rules
From: "Sergio Talens-Oliag" <stalens () infocentre gva es>
Date: Fri, 7 Nov 2003 08:53:33 +0100
El Thu, Nov 06, 2003 at 07:49:35PM -0000, Adams, Samuel (contractor) escribió:
If I'm interpreting your question correctly, you're asking why you get different results with pass tcp $EXTERNAL_NET any -> $DMZ_NETSCAPE_POP_SERVERS 110 ( sid: 1000010; rev: 1; msg: "POP3 TOP overflow attempt"; flow: to_server,established; content: "TOP"; nocase; content: !"|0a|"; within: 10; classtype: attempted-admin;) alert tcp $EXTERNAL_NET any -> $HOME_NET 110 ( sid: 2109; rev: 1; msg: "POP3 TOP overflow attempt"; flow: to_server,established; content: !"|0a|"; within: 10; content: "TOP"; nocase; classtype: attempted-admin;) as opposed to: pass tcp $EXTERNAL_NET any -> $DMZ_NETSCAPE_POP_SERVERS 110 ( sid: 1000010; rev: 1; msg: "POP3 TOP overflow attempt"; flow: to_server,established; content: !"|0a|"; within: 10; content: "TOP"; nocase; classtype: attempted-admin;) alert tcp $EXTERNAL_NET any -> $HOME_NET 110 ( sid: 2109; rev: 1; msg: "POP3 TOP overflow attempt"; flow: to_server,established; content: !"|0a|"; within: 10; content: "TOP"; nocase; classtype: attempted-admin;)
Yes, that's what I was asking.
Is that right? Generally I don't believe the ordering of content modifiers matters. However, in this case you're using the within keyword. That makes the order important. This rule alert tcp $EXTERNAL_NET any -> $DMZ_NETSCAPE_POP_SERVERS 110 ( sid: 1000010; rev: 1; msg: "POP3 TOP overflow attempt"; flow: to_server,established; content: "TOP"; nocase; content: !"|0a|"; within: 10; classtype: attempted-admin;) translated (roughly) into english - If we see "TOP" and there isn't a return character within 10 bytes - generate an alert This rule alert tcp $EXTERNAL_NET any -> $HOME_NET 110 ( sid: 2109; rev: 1; msg: "POP3 TOP overflow attempt"; flow: to_server,established; content: !"|0a|"; within: 10; content: "TOP"; nocase; classtype: attempted-admin;) also translated (roughly) into english - If we see something other than a return character and there is a "TOP" string within 10 bytes (and no return characters in between) generate an alert
OK, that's what I was missing, I did not know for sure if the ordering was significant, now I see that it is.
I don't think the change you made will do what you want. You've modified the alert criteria of the signature and end up looking for something different and probably not very exciting. I think you would be better off making your alert rule look like your first pass rule.
Well, that was what we did, the problem is that we were writing the pass rule in the same order as the alert one, but using the 'snorcenter' console; it seems that the ordering of content modifiers is ignored in snortcenter, because the rule we got from its database was the modified one, with the order changed. I'll look at snortcenter code to be sure and inform the author about this bug.
The rule combination that will probably achieve what you are looking for is: pass tcp $EXTERNAL_NET any -> $DMZ_NETSCAPE_POP_SERVERS 110 ( sid: 1000010; rev: 1; msg: "POP3 TOP overflow attempt"; flow: to_server,established; content: "TOP"; nocase; content: !"|0a|"; within: 10; classtype: attempted-admin;) alert tcp $EXTERNAL_NET any -> $DMZ_NETSCAPE_POP_SERVERS 110 ( sid: 1000010; rev: 1; msg: "POP3 TOP overflow attempt"; flow: to_server,established; content: "TOP"; nocase; content: !"|0a|"; within: 10; classtype: attempted-admin;) Hope this helps.
Yes, it has helped a lot, thanks. Now I know I have to look into snortcenter to fix this problem or manage my sensors with a different tool ... ;) Sergio. -- Sergio Talens-Oliag <stalens () infocentre gva es> Info Centre Key fingerprint = 29DF 544F 1BD9 548C 8F15 86EF 6770 052B B8C1 FA69 ------------------------------------------------------- This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Problems with the ordering inside the rules Sergio Talens-Oliag (Oct 28)
- Re: Problems with the ordering inside the rules Brian (Nov 06)
- <Possible follow-ups>
- RE: Problems with the ordering inside the rules Adams, Samuel (contractor) (Nov 06)
- Re: Problems with the ordering inside the rules Sergio Talens-Oliag (Nov 07)