Snort mailing list archives

Re: [Snort-devel] threshold -- is it really deprecated?


From: Jim Hranicky <jfh () ufl edu>
Date: Mon, 23 Jan 2012 22:13:04 -0500

On Mon, 23 Jan 2012 16:55:39 -0500
Martin Roesch <roesch () sourcefire com> wrote:

Personally I'd prefer to see the rule structure revisited.  The
current melange of selectors, detection and metadata information in a
rule that depends on the author for structure is pretty suboptimal
(and entirely my fault, lack of foresight you know).

Something like

rule {
    metadata { msg, sid/rev, ... }
    selector { flowbits, protocol, ip range, ... }
    detect { content, regex, ... }
    action { alert, log, block, set flowbit, ... }
}

would be great.  If we did that and built in a nice macro system then

You could always just use YAML for structure. Who wants to write 
a parser, anyway :-) ?

Personally, I like the idea of having all the rule info in one place.
So, you know, I only have to look/edit in one place when checking/
creating a rule :-) . Having to edit X files for one rule would 
just be annoying.

I still see the value in having something like an overrides.conf, 
where you could specify local exceptions:

sourcefire.rules 
----------------

- sid      : 200202
  msg      : "Botnet checkin"
  action   : alert
  flowbits : "set:SF.botnet"
  from     : "HOME_NET:any"
  to       : "EXTERNAL_NET:HTTP_PORTS"
  content  : 
    - value    : "/foodebar.php?x=3"
      type     : http_uri
    - value    : !"Accept-"
      type     : http_header
      distance : 0

- sid      : 200203
  [...]

overrides.conf
--------------

- sid      : 200202
# replace to:
  to       : "EXTERNAL_NET:LOCAL_HTTP_PORTS"
# Get rid of the flowbits
  flowbits : DELETE
# add a threshold
  thresh   : 
    type       : detection_filter
    seconds    : 300
    count      : 20
# This leaves you with one content match
  content  : 
    - value    : "/foodebar.php?x=3"
      type     : http_uri

Or something like that. 

If you're using structured data, you no longer have to rely on 
regexp search and replace to make mods to the rules. A simple
script could be used to output the final value of the rule(s). 

Wrap all this up in libsfparse, link snort and BY2 against it,
poof, no more sid-msg.map (unless I'm missing something, 
entirely possible). 

$0.02 off the top of my head. 
    
--
Jim Hranicky
IT Security Engineer
Office of Information Security and Compliance
University of Florida
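The merge step Jim sketches above (apply overrides.conf to a structured rule and emit the final rule), as an added example that is neither from the post nor from Snort. The two data structures are the parsed form of his YAML written as Python literals so the script runs without PyYAML (yaml.safe_load on the originals would yield the same dicts); the protocol and the detection_filter's "track by_src" are assumptions, since his sketch carries neither.

```python
import copy
DELETE = "DELETE"  # sentinel from the post: an override value that removes a key

# Constructed sample data: the parsed form of the post's sourcefire.rules entry...
BASE_RULES = [{
    "sid": 200202, "msg": "Botnet checkin", "action": "alert",
    "flowbits": "set:SF.botnet", "from": "HOME_NET:any", "to": "EXTERNAL_NET:HTTP_PORTS",
    "content": [{"value": "/foodebar.php?x=3", "type": "http_uri"},
                {"value": "!Accept-", "type": "http_header", "distance": 0}],
}]
# ...and of its overrides.conf entry
OVERRIDES = [{
    "sid": 200202, "to": "EXTERNAL_NET:LOCAL_HTTP_PORTS", "flowbits": DELETE,
    "thresh": {"type": "detection_filter", "seconds": 300, "count": 20},
    "content": [{"value": "/foodebar.php?x=3", "type": "http_uri"}],
}]

def apply_overrides(rules, overrides):
    """Apply each override to the base rule with the same sid, leaving the bases untouched.
    An override key replaces the base value wholesale (a content list is replaced,
    not merged) and the DELETE sentinel drops the key."""
    by_sid = {o["sid"]: o for o in overrides}
    merged = []
    for rule in rules:
        out = copy.deepcopy(rule)
        for key, val in by_sid.get(rule["sid"], {}).items():
            if val == DELETE:
                out.pop(key, None)
            elif key != "sid":
                out[key] = val
        merged.append(out)
    return merged

def render(rule, proto="tcp"):
    """Emit classic Snort rule text; proto and 'track by_src' are assumed (the sketch has neither)."""
    var = lambda x: x if x == "any" else "$" + x  # NET/PORT names become Snort variables
    src, dst = rule["from"].split(":"), rule["to"].split(":")
    opts = ['msg:"%s"' % rule["msg"]]
    for c in rule.get("content", []):
        neg = c["value"].startswith("!")  # a leading ! is the post's negated-match marker
        opts += ['content:%s"%s"' % ("!" if neg else "", c["value"].lstrip("!")), c["type"]]
        if "distance" in c:
            opts.append("distance:%d" % c["distance"])
    if "flowbits" in rule:
        opts.append("flowbits:%s" % rule["flowbits"])
    if "thresh" in rule:
        t = rule["thresh"]
        opts.append("%s:track by_src, count %d, seconds %d" % (t["type"], t["count"], t["seconds"]))
    opts.append("sid:%d" % rule["sid"])
    return "%s %s %s %s -> %s %s (%s;)" % (rule["action"], proto, *map(var, src + dst), "; ".join(opts))
```

Running `render` over `apply_overrides(BASE_RULES, OVERRIDES)` yields the single-content, flowbit-free, thresholded rule the overrides describe, while `render(BASE_RULES[0])` still shows the untouched vendor rule.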
