Snort mailing list archives
Re: rules for Snort Inline
From: Jeff Kell <jeff-kell () utc edu>
Date: Mon, 04 Sep 2006 12:47:49 -0400
Risto Vaarandi wrote:
Since testing rules one by one involves a lot of time, I started to look for rule collections designed specifically for Snort Inline, and located the rulesets at BleedingSnort (http://www.bleedingsnort.com/rules/). My question is - are there any similar projects around for creating rules for Snort Inline? I understand that for some rules it is difficult to verify that they don't block anything legitimate, yet there could be rules which almost never produce false positives. If someone has created a collection of such rules, I'd be thankful for the pointers.
There are several "tweaks" available for snort rules that require altering the original rules (inline, flexresp, snortsam, etc.) and still other keywords that appear in the basic rules themselves (threshold) that require site-specific tweaking. There really isn't a "one size fits all" configuration, especially when several of these keywords are combined. The result is that every signature update requires a good deal of "post-processing" to reapply your custom tweaks.

Oinkmaster can integrate a lot of this into the update cycle, but not all. Some of these 'tweaks' can be done outside the rules themselves... e.g., threshold.conf can be used in lieu of the threshold: keyword, sid-block.map can be used in lieu of the fwsam: keyword, etc. This helps to separate the 'customized' components from the basic rules, but they aren't integrated into oinkmaster.

Thresholds would be a good place for variable substitution, but in the general rules, not used. Two examples here might be what you consider to be a "brute force" attack - 'x' attempts in 'y' seconds - but all of the brute force type signatures have hardcoded values. Another is the spyware signatures; they are set up to alert only once every 'x' seconds.

Then there are 'related' tweaks -- I'd like to change the classification of every sig I changed to drop, or fwsam, so that they would stand out in reports.

Currently I don't know of a good toolset (other than oinkmaster) for managing your local tweaks, but would love to hear of any alternatives.

Jeff
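One way to keep the site-local changes Jeff describes (switching particular sids to drop, re-classifying them so they stand out in reports, and moving inline threshold: options into threshold.conf) apart from the vendor rules so they can be reapplied after every update. This is an added example, not code from the list, from Snort or from oinkmaster; the sample rules, their sids, the tweak-map format and the local-dropped classtype are constructed placeholders.

```python
import re

# Constructed sample rules, not from any real ruleset; the sids are placeholders.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SSH brute force"; flow:to_server; threshold:type both, track by_src, count 5, seconds 60; classtype:attempted-admin; sid:9000001; rev:1;)
# alert tcp any any -> any any (msg:"EXAMPLE disabled"; sid:9000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXAMPLE spyware beacon"; content:"/beacon"; classtype:trojan-activity; sid:9000002; rev:2;)
"""

# Site-local tweaks kept in their own file and reapplied after each update.
# Hypothetical format: sid -> {"action": ..., "classtype": ...}
LOCAL_TWEAKS = {9000001: {"action": "drop", "classtype": "local-dropped"}}

ACTIONS = "alert|log|pass|drop|reject|sdrop"
RULE_RE = re.compile(r"^(?P<action>" + ACTIONS + r")\s+(?P<body>.*\bsid:\s*(?P<sid>\d+)\s*;.*\)\s*)$")
THRESH_RE = re.compile(r"\s*threshold:\s*(?P<opts>[^;]+);")

def apply_tweaks(rules_text, tweaks):
    """Rewrite action and classtype for the sids in tweaks; leave every other line untouched."""
    out = []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if m and int(m.group("sid")) in tweaks:
            t = tweaks[int(m.group("sid"))]
            if "action" in t:
                # Replace only the leading action keyword, keeping the rest of the rule verbatim.
                line = t["action"] + line[len(m.group("action")):]
            if "classtype" in t:
                line = re.sub(r"classtype:\s*[^;]+;", "classtype:%s;" % t["classtype"], line, count=1)
        out.append(line)
    return "\n".join(out) + "\n"

def externalize_thresholds(rules_text, gen_id=1):
    """Strip inline threshold: options and return them as threshold.conf lines keyed by gen_id/sig_id."""
    rules, conf = [], []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        th = THRESH_RE.search(line) if m else None
        if th:
            conf.append("threshold gen_id %d, sig_id %s, %s" % (gen_id, m.group("sid"), th.group("opts").strip()))
            line = line[:th.start()] + line[th.end():]
        rules.append(line)
    return "\n".join(rules) + "\n", conf

if __name__ == "__main__":
    print(apply_tweaks(SAMPLE_RULES, LOCAL_TWEAKS))
    print("\n".join(externalize_thresholds(SAMPLE_RULES)[1]))
```

Run it against the freshly downloaded rules directory after each update, with the tweak map living outside that directory so the update never overwrites it.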