Snort mailing list archives

Re: rules for Snort Inline


From: Jeff Kell <jeff-kell () utc edu>
Date: Mon, 04 Sep 2006 12:47:49 -0400

Risto Vaarandi wrote:
> Since testing rules one by one involves a lot of time, I started to look
> for rule collections designed specifically for Snort Inline, and located
> the rulesets at BleedingSnort (http://www.bleedingsnort.com/rules/). My
> question is - are there any similar projects around for creating rules
> for Snort Inline?
> I understand that for some rules it is difficult to verify that they
> don't block anything legitimate, yet there could be rules which almost
> never produce false positives. If someone has created a collection of
> such rules, I'd be thankful for the pointers.

There are several "tweaks" available for snort rules that require
altering the original rules (inline, flexresp, snortsam, etc) and still
other keywords that appear in the basic rules themselves (threshold)
that require site-specific tweaking.  There really isn't a "one size
fits all" configuration, especially when several of these keywords are
combined.

The result is that every signature update requires a good deal of
"post-processing" to reapply your custom tweaks.  Oinkmaster can
integrate a lot of this into the update cycle, but not all.

Some of these 'tweaks' can be done outside the rules themselves... e.g.,
threshold.conf can be used in lieu of the threshold: keyword,
sid-block.map can be used in lieu of the fwsam: keyword, etc.  This
helps to separate the 'customized' components from the basic rules, but
they aren't integrated into oinkmaster.

Thresholds would be a good place for variable substitution, but in the
general rules, not used.  Two examples here might be what you consider
to be a "brute force" attack - 'x' attempts in 'y' seconds - but all of
the brute force type signatures have hardcoded values.  Another is the
spyware signatures, they are set up to alert only once every 'x' seconds.

Then there are 'related' tweaks -- I'd like to change the classification
of every sig I changed to drop, or fwsam, so that they would stand out
in reports.

Currently I don't know of a good toolset (other than oinkmaster) for
managing your local tweaks, but would love to hear of any alternatives.

Jeff
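The post-processing step Jeff describes, written out as an added Python example (not oinkmaster and not code from this thread): it strips inline threshold: keywords out of the vendor rules into threshold.conf entries with site-local counts, switches listed SIDs to drop, and gives those rules a distinct classtype so they stand out in reports. The rules, the 9000xxx SIDs and the local-drop classtype are constructed placeholders; a custom classtype must also be declared in classification.config.

```python
import re

# Constructed sample rule file: placeholder SIDs (9000xxx), not real VRT or Bleeding rules.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE ssh brute force"; flow:to_server; threshold:type both, track by_src, count 5, seconds 60; classtype:attempted-admin; sid:9000001; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXAMPLE spyware beacon"; flow:to_server; content:"beacon"; classtype:trojan-activity; sid:9000002; rev:1;)
# untouched comment line
alert udp any any -> any 53 (msg:"EXAMPLE dns noise"; sid:9000003; rev:1;)
"""

# Site-local tweaks, kept outside the vendor rule files so they survive every update.
LOCAL_ACTIONS = {9000001: "drop", 9000002: "drop"}                              # sid -> new action
LOCAL_THRESHOLDS = {9000001: "type both, track by_src, count 20, seconds 60"}  # sid -> local x/y
LOCAL_CLASSTYPE = "local-drop"   # hypothetical classtype; declare it in classification.config too

ACTION_RE = re.compile(r"^(\s*)(alert|log|pass)\b")
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
THRESHOLD_RE = re.compile(r"\s*threshold:\s*([^;]+);")
CLASSTYPE_RE = re.compile(r"classtype:\s*[^;]+;")

def apply_tweaks(rules_text, actions, thresholds, classtype):
    """Re-apply local tweaks to a freshly updated rule file.
    Returns (rewritten rules text, list of threshold.conf lines)."""
    out_rules, out_thresholds = [], []
    for line in rules_text.splitlines():
        sid_match = SID_RE.search(line)
        if line.lstrip().startswith("#") or not sid_match:
            out_rules.append(line)          # comments and non-rule lines pass through unchanged
            continue
        sid = int(sid_match.group(1))
        thr = THRESHOLD_RE.search(line)
        if thr or sid in thresholds:
            # A sid may not carry both an inline threshold and a threshold.conf entry,
            # so the inline keyword is removed and the (possibly overridden) spec moves out.
            spec = thresholds.get(sid, thr.group(1).strip() if thr else None)
            out_thresholds.append(f"threshold gen_id 1, sig_id {sid}, {spec}")
            if thr:
                line = line[:thr.start()] + line[thr.end():]
        if sid in actions:
            act = ACTION_RE.match(line)
            if act:
                line = act.group(1) + actions[sid] + line[act.end():]
            if CLASSTYPE_RE.search(line):   # re-classify so dropped sigs stand out in reports
                line = CLASSTYPE_RE.sub(f"classtype:{classtype};", line)
            else:                           # rule without classtype: append one before the ')'
                line = line.rstrip()[:-1] + f" classtype:{classtype};)"
        out_rules.append(line)
    return "\n".join(out_rules) + "\n", out_thresholds
```

Run it after each oinkmaster update on the downloaded rule files; the threshold.conf lines it returns are the site-tuned "x attempts in y seconds" values that no longer need to live inside the rules.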
