Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Snort 2.8 and SID on pass- and alert-rules

From: Seth <sethsec () gmail com>
Date: Fri, 19 Oct 2007 15:31:22 -0400
Vidar,

I have used pass rules in the same way that you are, I just use a unique SID
to identify each of them.  If you are concerned with correlating the pass
rules to the original rule, try one of these two options:

1) Use a comment in your pass.rules or local.rules file which identifies the
sig or sig's that you are passing
2) Use a SID scheme for your pass rules that will associate them with the
original SID.

For example, start all pass rules in the 7 million range.  If SID is less
than 1,000,000 just add the SID from the original rule after the 7.  If the
SID is greater than 1,000,000 just replace the first digit with a 7 on your
pass rule.

Also, remember that pass rules can be use for a lot more than limiting a
alert SID on a 1 to 1 basis.

Seth Art


On 10/19/07, Vidar Hoel <vho () telenor net> wrote:


If you are right, and I have no reason to believe otherwise, what then
the point of pass-rules?
I mean, if it's not working they way we have used these pass-rules, what
other ways do people use pass-rules?

Regards,
Vidar Hoel
Telenor SOC

David J. Bianco wrote:

This was never really supposed to work, and if it did work, it must have
been a bug in Snort.  I suggest checking out the threshold.conf file
for details on how to keep the alerts enabled but suppress them for
certain hosts.  That's probably the most straightforward way of doing
what you want.

      David

Vidar Hoel wrote:

David J. Bianco wrote:

You've never been allowed to have duplicate SIDs, unless they both

also

have the "rev:" tag to indicate revision.

Yes, we have. Here is an example of rules we have used since up until

2.8:


alert tcp $HOME_NET any -> !$HOME_NET any (msg:"ALERT TCP traffic on
illegal port, possible new service exposed"; flags:SA; classtype:
proseq-alert; sid: 1000100; rev:1;)

pass tcp xxx.yyy.186.68 139 -> xxx.yyy.186.83 any (msg:"ALERT TCP
traffic on illegal port, possible new service exposed"; flags:SA;
classtype: proseq-alert; sid: 1000100; rev:1;)

pass tcp xxx.yyy.186.68 139 -> xxx.yyy.186.84 any (msg:"ALERT TCP
traffic on illegal port, possible new service exposed"; flags:SA;
classtype: proseq-alert; sid: 1000100; rev:1;)

pass tcp xxx.yyy.186.68 139 -> xxx.yyy.186.94 any (msg:"ALERT TCP
traffic on illegal port, possible new service exposed"; flags:SA;
classtype: proseq-alert; sid: 1000100; rev:1;)

As you see, we have three pass-rules and an alert rule, all with same
sid and rev. And this works perfectly.


BTW, if you're going to do this, you might as well just disable the
original rule entirely.  If you're going to pass the matching traffic,
it's just more efficient to not have the rule at all.

As you see of the example above, we do not pass the rule 1:1, but for
some of the traffic it would match.

Regards,
Vidar Hoel
Telenor SOC



Vidar Hoel wrote:

Hi,

We have just tried Snort 2.8 on one of our test-sensors, and

discovered

a new "feature" not mentioned in the release notes:

As an example: In our ruleset, we have one alert-rule with SID 1234.

But

for this rule, we create some pass-rules, also with SID 1234. This

way

it's easy to keep tracking of which pass-rules an alert-rule have,

and

vice versa.

But with Snort 2.8, this is not possible. Snort 2.8 will not start,

and

complain that we already have a rule with SID 1234.

What is the reason for this change, since it's not mentioned in the
release notes? Or is it just a bug?




-------------------------------------------------------------------------

This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a

browser.

Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users







-------------------------------------------------------------------------

This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: