Snort mailing list archives
Re: İLT: Question - snort v2.9.6.0 rules
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Mon, 10 Mar 2014 20:18:51 +0000
Eray, I'll look into this.

--
Joel Esler
Sent from my iPhone

On Mar 9, 2014, at 17:31, "Eray Balkanli" <Eray.Balkanli () Dal Ca> wrote:

Hi,

Is there any news related to this issue?

Best regards,
Eray

From: Eray Balkanli
Sent: Friday, 7 March 2014 10:41
To: Eray Balkanlı; Joel Esler (jesler)
Cc: snort-devel () lists sourceforge net
Subject: RE: [Snort-devel] Question - snort v2.9.6.0 rules

Hi,

I have just noticed that this e-mail could not be received by snort-devel@lists since I used hotmail instead of dal.ca while sending it. I also kindly request the snort-devel team, besides Mr. Esler, to read my question in my previous e-mail and share their ideas with me.

In summary, my question was why some rules (example below) were deleted over the years. What is the exact reference you are following while deciding to delete/exchange a rule?

Example:

    # $Id: icmp.rules,v 1.27 2005/02/10 01:11:04 bmc Exp $
    alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect host"; icode:1; itype:5; reference:arachnids,135; reference:cve,1999-0265; classtype:bad-unknown; sid:472; rev:4;)
    alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect net"; icode:0; itype:5; reference:arachnids,199; reference:cve,1999-0265; classtype:bad-unknown; sid:473; rev:4;)
    alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Source Quench"; icode:0; itype:4; classtype:bad-unknown; sid:477; rev:2;)
    alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication Administratively Prohibited"; icode:13; itype:3; classtype:misc-activity; sid:485; rev:4;)
    alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited"; icode:10; itype:3; classtype:misc-activity; sid:486; rev:4;)
    alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication with Destination Network is Administratively Prohibited"; icode:9; itype:3; classtype:misc-activity; sid:487; rev:4;)
    alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet"; dsize:>800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:4;)

These rules are NOT observed in "protocol-icmp.rules" from snort-rules 2.9.6.0. (why?)

    "
    # This file contains (i) proprietary rules that were created, tested and certified by
    # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
    # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
    # Sourcefire and other third parties (the "GPL Rules") that are distributed under the
    # GNU General Public License (GPL), v2.
    "

I will be grateful if you reply to me.

Best regards,
Eray

From: Eray Balkanlı <eraybalkanli () hotmail com>
Sent: Thursday, 6 March 2014 13:34
To: Joel Esler (jesler); Eray Balkanli
Cc: snort-devel () lists sourceforge net
Subject: RE: [Snort-devel] Question - snort v2.9.6.0 rules

Hi,

First of all, thank you very much for your interest and answer! In order to be more clear, let me explain my question in more depth.

Now, I am using both the ruleset from v2.9.1 and v2.9.6.0, and I see there are many changes between the rulesets, as expected. When I check "icmp.rules" and "icmp-info.rules" in 2.9.1, I observe that they contain lots of rules. However, icmp.rules and icmp-info.rules are empty, containing no rule, but I see protocol-icmp.rules there, which contains some rules related to icmp packets. But some rules have been completely deleted. For example:

icmp.rules (v2.9.1) contains:

    alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet"; dsize:>800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:4;)

icmp-info.rules (v2.9.1) contains:

    alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Sun Solaris"; dsize:8; itype:8; reference:arachnids,448; classtype:misc-activity; sid:381; rev:6;)

I cannot see these rules in protocol-icmp.rules (v2.9.6.0). And there are more rules which are observable in v2.9.1 but not in v2.9.6.0. In this regard, may I ask why these rules were deleted? Could you please explain which references you rely on when deciding to delete existing rules?

* You can find the rules I use, "icmp.rules (v2.9.1), icmp-info.rules (v2.9.1) and protocol-icmp (2.9.6.0)", in the attachment of this mail.

I appreciate your kind interest. Thank you!

Best regards,
Eray

From: jesler () cisco com
To: Eray.Balkanli () Dal Ca
CC: snort-devel () lists sourceforge net; eraybalkanli () hotmail com
Subject: Re: [Snort-devel] Question - snort v2.9.6.0 rules
Date: Tue, 4 Mar 2014 17:47:23 +0000

Within the rules we use a variety of references that you may look at to tell which vulnerabilities the rules cover, and from what year. I encourage you to download the registered ruleset and grep through for "CVE" numbers, etc.

--
Joel Esler | Threat Intelligence Team Lead | Open Source Manager | Vulnerability Research Team

On Mar 4, 2014, at 12:07 PM, Eray Balkanli <Eray.Balkanli () Dal Ca> wrote:

Hi,

I am a graduate Computer Science student at Dalhousie University. I have been working on some network records by using the rules included in Snort v2.9.6.0. I have a question related to those rules; I will be grateful if you reply.

May I ask how many recent years the defined rules are based on? I mean, from which year have the attack signatures of malicious packets been regarded?

Thank you very much in advance!

Best regards,
Eray

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
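The thread above comes down to two practical questions: which SIDs from an older rule set are no longer in a newer one, and what reference years the surviving rules carry. The Python script below is an added example, not code from the Snort project or from anyone in this thread. It parses Snort 2.x rule lines, diffs two rule sets by SID (separating rules that were deleted, rules that were merely commented out, and rules whose rev was bumped), and tallies the years in cve references, which is the grep Joel suggests. The "old" input is the set of rules quoted in the thread; the "new" input is constructed for the example and is not the real protocol-icmp.rules from 2.9.6.0 (SID 1000001 is a placeholder from the local-rule range).

```python
import re
from collections import Counter

# Snort 2.x rule header: [#] action proto src sport dir dst dport ( options )
RULE_RE = re.compile(
    r'^\s*(?P<disabled>#\s*)?(?P<action>alert|log|pass|drop|reject|sdrop)\s+'
    r'(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')

def parse_options(opts):
    """Split the option body on ';' outside double quotes; keys may repeat (reference)."""
    fields, parts, buf, in_quote, prev = {}, [], [], False, ''
    for ch in opts:
        if ch == '"' and prev != '\\':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            parts.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
        prev = ch
    parts.append(''.join(buf))
    for part in parts:
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition(':')
        fields.setdefault(key.strip(), []).append(value.strip())
    return fields

def parse_rule(line):
    """Return a dict for a (possibly commented-out) rule line, or None for non-rules."""
    m = RULE_RE.match(line)
    if not m:
        return None
    opts = parse_options(m.group('opts'))
    refs = [tuple(r.split(',', 1)) for r in opts.get('reference', []) if ',' in r]
    return {
        'sid': int(opts['sid'][0]) if 'sid' in opts else None,
        'rev': int(opts['rev'][0]) if 'rev' in opts else 0,
        'msg': opts.get('msg', [''])[0].strip('"'),
        'enabled': m.group('disabled') is None,
        'proto': m.group('proto'),
        'references': refs,
        'raw': line.strip(),
    }

def load_rules(text):
    """Map sid -> parsed rule for every rule line in a rules-file body."""
    rules = {}
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule and rule['sid'] is not None:
            rules[rule['sid']] = rule
    return rules

def diff_rulesets(old, new):
    """Classify SIDs: gone from new, new in new, present but disabled, or rev bumped."""
    both = set(old) & set(new)
    return {
        'removed': sorted(set(old) - set(new)),
        'added': sorted(set(new) - set(old)),
        'disabled': sorted(s for s in both if old[s]['enabled'] and not new[s]['enabled']),
        'revised': sorted(s for s in both if old[s]['rev'] != new[s]['rev']),
    }

def cve_years(rules):
    """Count the year component of every reference:cve,YYYY-NNNN in the rule set."""
    years = Counter()
    for rule in rules.values():
        for kind, value in rule['references']:
            m = re.match(r'(\d{4})-\d+', value)
            if kind.lower() == 'cve' and m:
                years[int(m.group(1))] += 1
    return years

# Old set: rule lines quoted in the thread (icmp.rules / icmp-info.rules from 2.9.1).
OLD_RULES = """\
# $Id: icmp.rules,v 1.27 2005/02/10 01:11:04 bmc Exp $
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect host"; icode:1; itype:5; reference:arachnids,135; reference:cve,1999-0265; classtype:bad-unknown; sid:472; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect net"; icode:0; itype:5; reference:arachnids,199; reference:cve,1999-0265; classtype:bad-unknown; sid:473; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Source Quench"; icode:0; itype:4; classtype:bad-unknown; sid:477; rev:2;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet"; dsize:>800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Sun Solaris"; dsize:8; itype:8; reference:arachnids,448; classtype:misc-activity; sid:381; rev:6;)
"""

# New set: CONSTRUCTED for this example; not the real protocol-icmp.rules from 2.9.6.0.
NEW_RULES = """\
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect host"; icode:1; itype:5; reference:arachnids,135; reference:cve,1999-0265; classtype:bad-unknown; sid:472; rev:5;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect net"; icode:0; itype:5; reference:arachnids,199; reference:cve,1999-0265; classtype:bad-unknown; sid:473; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL constructed example rule"; itype:8; classtype:misc-activity; sid:1000001; rev:1;)
"""

if __name__ == '__main__':
    old, new = load_rules(OLD_RULES), load_rules(NEW_RULES)
    for category, sids in diff_rulesets(old, new).items():
        for sid in sids:
            src = old if sid in old else new
            print(f"{category:9} sid:{sid} rev:{src[sid]['rev']} {src[sid]['msg']}")
    print("CVE years in old set:", dict(cve_years(old)))
```

Pointing load_rules() at the real files (the 2.9.1 icmp*.rules bodies versus protocol-icmp.rules) gives the list the thread asks for; the "disabled" bucket matters because a rule that has merely been commented out is still in the file, so a plain grep for its SID would not report it as missing.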