Snort mailing list archives

Re: rule variables


From: Jason Brvenik <jasonb () sourcefire com>
Date: Fri, 06 Oct 2006 21:20:44 -0400



katsumi liquer wrote:
> Hello everyone,
>
> I have some questions about writing Snort rules that I can't seem to
> find answers for. First, is it possible to use the src IP address of a
> packet in the rule as a variable? Does Snort expose any information
> about a packet to be used inside the rule? For example, I want to make
> an 'activate/dynamic' rule that first checks for an incoming TCP
> connection to a certain port, and then watches for a specific UDP
> packet from that same original SRC -- so, at the moment it looks like
> this:
>
> activate tcp $SERVERS any -> 10.1.1.34 3340 (activates: 1;)
>
> That part is just meant as a 'trigger' to make Snort watch for a
> secondary event which is the real meat:
>
> dynamic udp $SERVERS 90 -> any any (msg: "activated TRUE"; content:
> "|05a013f011e|"; content: "|00000a9|"; rawbytes; content:
> "superwolfgang.com"; classtype: unsuccessful-user; rev: 3;
> sid:1000902; activated_by: 1; count: 50;)
>
> I have two questions: first, should this rule even work? No matter how
> I do it, Snort always reads this when it starts up:
>
> snort[8825]: WARNING: an activation rule with no dynamic rules matched!
>
> Since I only have one activate/dynamic rule, I'm guessing it is
> referring to the above. The only reason I can see it shouldn't work on
> paper is perhaps that the activate portion is TCP and the dynamic
> portion is UDP -- can you mix the two?

- Activate/Dynamic is nearly a dead code path. flowbits and tag are
preferred.

- The rules language does not allow for saving of data and using it
across different rules as you would like.


> Second, this rule is really only half accurate because the second part
> could potentially match traffic coming from any source -- is it
> possible to say "use the SRC IP which was intercepted in the
> 'activate' rule"? i.e., something like:
>
> dynamic udp $ACTIVATE_SRC 90 -> any any (msg: "activated TRUE";
> content: "|05a013f011e|"; content: "|00000a9|"; rawbytes; content:
> "superwolfgang.com"; classtype: unsuccessful-user; rev: 3;
> sid:1000902; activated_by: 1; count: 50;)
>
> I know these are a lot of questions -- I am just trying to figure out
> the best way to make what seem to be 'compound' rules, but there is
> not much documentation about it. I greatly appreciate any information
> at all that anyone has.

Please keep asking questions. What you want to do is possible within
Snort but it requires a little code to do it. A preprocessor is probably
the shortest path to resolution but you could also create a detection
plugin that implements variable functionality.


> Thank you very much,
>
> katsu
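For readers who land on this thread looking for the flowbits/tag route Jason
mentions, here is what the two-stage check looks like in Snort 2 rule syntax.
This is an added example, not code from Jason's reply, from katsu's post or
from the Snort distribution. The $SERVERS variable, the 10.1.1.34 host and
port 3340 are taken from the question; the SIDs, the flowbit name, the
600-second tag window and the |de ad be ef| byte pattern are placeholders I
chose for illustration. One thing worth checking in the original dynamic rule
while you are at it: text between pipes is parsed as hex bytes, two digits per
byte, and both "|05a013f011e|" and "|00000a9|" have an odd number of digits, so
compare them against the actual bytes you want to match.

```snort
# Added example (not from the original thread). Assumes Snort 2.x rule syntax
# with the stream preprocessor enabled so that flow: and flowbits: work.

# Stage 1, the trigger: the TCP connection to the server port. Two things
# happen here. flowbits:set marks THIS TCP flow, and tag:host,600,seconds,src
# tells Snort to log every further packet from the same source host for the
# next 600 seconds, regardless of protocol. That tagged traffic is how you get
# the later UDP packet from the same src, because flowbits cannot carry
# state from a TCP flow into a separate UDP flow.
alert tcp $SERVERS any -> 10.1.1.34 3340 (msg:"stage 1: trigger connection seen"; \
    flow:to_server,established; flowbits:set,stage1_seen; \
    tag:host,600,seconds,src; sid:1000901; rev:1;)

# Stage 2, same-flow variant: only fires for later packets inside the SAME
# TCP session that set the bit. Use this form when both halves of the
# compound condition are on one connection.
alert tcp $SERVERS any -> 10.1.1.34 3340 (msg:"stage 2: content after trigger in same flow"; \
    flow:to_server,established; flowbits:isset,stage1_seen; \
    content:"superwolfgang.com"; nocase; sid:1000902; rev:1;)

# The cross-protocol half: this UDP rule cannot consult the TCP flowbit, so it
# matches on content alone and is correlated with the stage 1 alert and its
# tagged packets afterwards (same source IP, within the tag window). The
# |de ad be ef| bytes are a placeholder pattern, not the bytes from the post.
alert udp $SERVERS 90 -> any any (msg:"udp stage content from a server host"; \
    content:"|de ad be ef|"; content:"superwolfgang.com"; nocase; \
    sid:1000903; rev:1;)
```

The trade-off is exactly the one Jason's second bullet describes: tag gives you
the packets from the triggering source without any per-rule variable, but the
correlation ("was this UDP packet from the host that opened the TCP
connection?") is done on the logged output, not inside the rule engine. If the
second condition must be enforced at match time against the first packet's
source address, that still needs a preprocessor or detection plugin.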


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

