Snort mailing list archives

rule variables


From: "katsumi liquer" <katsumi () gmail com>
Date: Fri, 6 Oct 2006 20:35:49 -0400

Hello everyone,

I have some questions about writing Snort rules that I can't seem to
find answers for. First is it possible to use the src ip address of a
packet in the rule as a variable? Does snort expose any information
about a packet to be used inside the rule? For example I want to make
an 'activate/dynamic' rule that first checks for an incoming TCP
connection to a certain port, and then watches for a specific UDP
packet from that same original SRC -- so, at the moment it looks like
this:

activate tcp $SERVERS any -> 10.1.1.34 3340 (activates: 1;)

That part is just meant as a 'trigger' to make Snort watch for a
secondary event which is the real meat:

dynamic udp $SERVERS 90 -> any any (msg: "activated TRUE"; content:
"|05a013f011e|"; content: "|00000a9|"; rawbytes; content:
"superwolfgang.com"; classtype: unsuccessful-user; rev: 3;
sid:1000902; activated_by: 1; count: 50;)

I have two questions: first, should this rule even work? No matter how
I do it, snort always reads this when it starts up:

snort[8825]: WARNING: an activation rule with no dynamic rules matched!

Since I only have one activate/dynamic rule, I'm guessing it is
referring to the above. The only reason I can see it shouldn't work on
paper is perhaps that the activate portion is TCP and the dynamic
portion is UDP -- can you mix the two?

Second, this rule is really only half accurate because the second part
could potentially match traffic coming from any source -- is it
possible to say "use the SRC ip which was intercepted in the
'activate' rule"? i.e., something like:

dynamic udp $ACTIVATE_SRC 90 -> any any (msg: "activated TRUE";
content: "|05a013f011e|"; content: "|00000a9|"; rawbytes; content:
"superwolfgang.com"; classtype: unsuccessful-user; rev: 3;
sid:1000902; activated_by: 1; count: 50;)

I know these are a lot of questions -- I am just trying to figure out
the best way to make what seem to be 'compound' rules, but there is
not much documentation about it. I greatly appreciate any information
at all that anyone has.

Thank you very much,

katsu
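As an added example, not part of the original post and not Snort's own code: a small Python linter for the two things a rule reviewer would check first in the pair above. It checks that every activate rule's `activates: N` has a dynamic rule with `activated_by: N` in the same protocol (an assumption drawn from the "no dynamic rules matched" warning quoted above, which is what a TCP activate paired with a UDP dynamic rule would trip if Snort 2.x links the two lists per protocol), and that every `|..|` segment in a `content:` pattern holds a whole number of bytes, i.e. an even count of hex digits. `POSTED_RULES` are the rules from the post; `FIXED_RULES` and the bytes in them are constructed placeholders, not the poster's intended pattern.

```python
"""Lint Snort 2.x rule text for two parse-time problems.

Added example, not code from the post or from Snort. Assumptions:
(a) an 'activates: N' rule is linked only to 'activated_by: N' rules of
    the same protocol (inferred from the warning quoted in the post);
(b) every |..| hex segment in a content: pattern needs two hex digits
    per byte, so an odd digit count is an error.
"""
import re

# header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^\s*(activate|dynamic|alert|log|pass)\s+(\w+)\s+(\S+)\s+(\S+)\s+'
    r'(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$'
)
HEX_SEGMENT_RE = re.compile(r'\|([^|]*)\|')


def split_options(body):
    """Split the rule body on ';' that are outside double quotes."""
    opts, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            opts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = ''.join(cur).strip()
    if tail:
        opts.append(tail)
    return opts


def parse_rule(text):
    """Return action, protocol and the (key, value) options of one rule."""
    folded = ' '.join(text.split())  # rejoin mail-wrapped lines
    m = HEADER_RE.match(folded)
    if not m:
        raise ValueError('unrecognised rule header: ' + folded[:40])
    action, proto, _src, _sport, _dir, _dst, _dport, body = m.groups()
    options = []
    for opt in split_options(body):
        key, _, value = opt.partition(':')
        options.append((key.strip(), value.strip()))
    return {'action': action, 'proto': proto.lower(), 'options': options}


def bad_hex_segments(pattern):
    """Return the |..| segments of a content pattern that are not whole bytes."""
    bad = []
    for seg in HEX_SEGMENT_RE.findall(pattern):
        digits = seg.replace(' ', '')
        if len(digits) % 2 or not re.fullmatch(r'[0-9a-fA-F]*', digits):
            bad.append(seg)
    return bad


def lint(rule_texts):
    """Return a list of findings for a set of rules (empty list = clean)."""
    rules = [parse_rule(t) for t in rule_texts]
    # (protocol, id) pairs that some dynamic rule answers to
    dynamic_ids = {(r['proto'], v) for r in rules
                   for k, v in r['options'] if k == 'activated_by'}
    findings = []
    for n, r in enumerate(rules, 1):
        for key, value in r['options']:
            if (r['action'] == 'activate' and key == 'activates'
                    and (r['proto'], value) not in dynamic_ids):
                findings.append(
                    f"rule {n}: activate {r['proto']} 'activates: {value}' has "
                    f"no dynamic {r['proto']} rule with 'activated_by: {value}'")
            if key == 'content':
                for seg in bad_hex_segments(value):
                    findings.append(
                        f"rule {n}: content hex |{seg}| has "
                        f"{len(seg.replace(' ', ''))} hex digits, not whole bytes")
    return findings


# The pair from the post, as written (TCP activate, UDP dynamic).
POSTED_RULES = [
    'activate tcp $SERVERS any -> 10.1.1.34 3340 (activates: 1;)',
    'dynamic udp $SERVERS 90 -> any any (msg: "activated TRUE"; content: '
    '"|05a013f011e|"; content: "|00000a9|"; rawbytes; content: '
    '"superwolfgang.com"; classtype: unsuccessful-user; rev: 3; '
    'sid:1000902; activated_by: 1; count: 50;)',
]

# Constructed variant that passes the checks: same protocol on both
# sides and whole-byte hex (placeholder bytes, not the poster's pattern).
FIXED_RULES = [
    'activate udp $SERVERS any -> 10.1.1.34 3340 (activates: 1;)',
    'dynamic udp $SERVERS 90 -> any any (msg: "activated TRUE"; '
    'content: "|05 a0 13 f0|"; content: "superwolfgang.com"; '
    'classtype: unsuccessful-user; rev: 3; sid:1000902; '
    'activated_by: 1; count: 50;)',
]

if __name__ == '__main__':
    for label, rules in (('posted', POSTED_RULES), ('fixed', FIXED_RULES)):
        print(label, lint(rules) or ['ok'])
```

Run against the posted pair it reports three findings: the TCP activate rule with no UDP-side partner, and the two hex segments (11 and 7 digits) that cannot be whole bytes. The per-protocol pairing is the linter's assumption, so treat its first finding as a pointer to check against the Snort version in use rather than as a verdict.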
