Snort mailing list archives
Re: rule variables
From: Jason Brvenik <jasonb () sourcefire com>
Date: Fri, 06 Oct 2006 21:20:44 -0400
katsumi liquer wrote:
Hello everyone, I have some questions about writing Snort rules that I can't seem to find answers for. First, is it possible to use the src IP address of a packet in the rule as a variable? Does Snort expose any information about a packet to be used inside the rule? For example, I want to make an 'activate/dynamic' rule that first checks for an incoming TCP connection to a certain port, and then watches for a specific UDP packet from that same original SRC -- so, at the moment it looks like this:

  activate tcp $SERVERS any -> 10.1.1.34 3340 (activates: 1;)

That part is just meant as a 'trigger' to make Snort watch for a secondary event, which is the real meat:

  dynamic udp $SERVERS 90 -> any any (msg: "activated TRUE"; content: "|05a013f011e|"; content: "|00000a9|"; rawbytes; content: "superwolfgang.com"; classtype: unsuccessful-user; rev: 3; sid:1000902; activated_by: 1; count: 50;)

I have two questions: first, should this rule even work? No matter how I do it, Snort always reads this when it starts up:

  snort[8825]: WARNING: an activation rule with no dynamic rules matched!

Since I only have one activate/dynamic rule, I'm guessing it is referring to the above. The only reason I can see it shouldn't work on paper is perhaps that the activate portion is TCP and the dynamic portion is UDP -- can you mix the two?
- Activate/Dynamic is nearly a dead code path. flowbits and tag are preferred.
- The rules language does not allow for saving of data and using it across different rules as you would like.
Second, this rule is really only half accurate because the second part could potentially match traffic coming from any source -- is it possible to say "use the SRC IP which was intercepted in the 'activate' rule"? i.e., something like:

  dynamic udp $ACTIVATE_SRC 90 -> any any (msg: "activated TRUE"; content: "|05a013f011e|"; content: "|00000a9|"; rawbytes; content: "superwolfgang.com"; classtype: unsuccessful-user; rev: 3; sid:1000902; activated_by: 1; count: 50;)

I know these are a lot of questions -- I am just trying to figure out the best way to make what seem to be 'compound' rules, but there is not much documentation about it. I greatly appreciate any information at all that anyone has.
Please keep asking questions. What you want to do is possible within Snort but it requires a little code to do it. A preprocessor is probably the shortest path to resolution but you could also create a detection plugin that implements variable functionality.
Thank you very much, katsu
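The two rule pairs below are added here as an illustration of the tag and flowbits alternatives Jason refers to; they are not from the thread or from the Snort distribution. They use Snort 2.x rule syntax, reuse katsu's $SERVERS variable (assumed to be defined in snort.conf), address, port and hostname, and the sids, message strings and the stage-2 reply direction are arbitrary choices made for the example.

```snort
# Replacement for katsu's activate rule. Instead of "activates:1", the
# triggering packet's source host is tagged, so the next 50 packets it
# sends (any protocol, UDP included) are logged alongside this alert.
# This is the closest the rule language gets to "the SRC IP from the
# activate rule": tagged packets are logged as-is, not matched against
# further content options.
alert tcp $SERVERS any -> 10.1.1.34 3340 (msg:"trigger - TCP to 3340, tagging source host"; flow:to_server,established; tag:host,50,packets,src; sid:1000901; rev:1;)

# Same-flow staging with flowbits (example only; sids and directions are
# arbitrary). Stage 1 sets a bit on the TCP session without alerting;
# stage 2 fires only if that bit is already set on the same flow.
alert tcp $SERVERS any -> 10.1.1.34 3340 (msg:"stage1 - connection to 3340"; flow:to_server,established; flowbits:set,saw_3340; flowbits:noalert; sid:1000903; rev:1;)
alert tcp 10.1.1.34 3340 -> $SERVERS any (msg:"stage2 - superwolfgang.com seen on 3340 session"; flow:to_client,established; flowbits:isset,saw_3340; content:"superwolfgang.com"; sid:1000904; rev:1;)
```

Two caveats when adapting this. flowbits are kept per flow, so a bit set on the TCP session is not visible to a UDP packet from the same host; the flowbits pair only covers the case where both stages are on one connection. tag:host with the src direction does follow the host across protocols, but it only logs the follow-on packets; applying katsu's content checks to UDP traffic from just that host is what still needs the preprocessor or detection plugin Jason describes.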