Snort mailing list archives

Re: FW: Question - snort v2.9.6.0 rules


From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Mon, 10 Mar 2014 20:18:51 +0000

Eray,

I'll look into this. 

--
Joel Esler
Sent from my iPhone

On Mar 9, 2014, at 17:31, "Eray Balkanli" <Eray.Balkanli () Dal Ca> wrote:

Hi,

Are there any news related to this issue?

Best regards,
Eray

From: Eray Balkanli
Sent: Friday, 07 March 2014 10:41
To: Eray Balkanlı; Joel Esler (jesler)
Cc: snort-devel () lists sourceforge net
Subject: RE: [Snort-devel] Question - snort v2.9.6.0 rules

Hi,

I have just noticed that this e-mail could not be received by snort-devel@lists since I used hotmail instead of dal.ca
while sending it. I also kindly request the snort-devel team, besides Mr. Esler, to read my question in my previous
e-mail and share their ideas with me.

As a summary, my question was why some rules (example below) were deleted over the years. What is the exact reference you are
following while deciding to delete/exchange a rule?

Example:
# $Id: icmp.rules,v 1.27 2005/02/10 01:11:04 bmc Exp $
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect host"; icode:1; itype:5; reference:arachnids,135; reference:cve,1999-0265; classtype:bad-unknown; sid:472; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect net"; icode:0; itype:5; reference:arachnids,199; reference:cve,1999-0265; classtype:bad-unknown; sid:473; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Source Quench"; icode:0; itype:4; classtype:bad-unknown; sid:477; rev:2;)
alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication Administratively Prohibited"; icode:13; itype:3; classtype:misc-activity; sid:485; rev:4;)
alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited"; icode:10; itype:3; classtype:misc-activity; sid:486; rev:4;)
alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication with Destination Network is Administratively Prohibited"; icode:9; itype:3; classtype:misc-activity; sid:487; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet"; dsize:>800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:4;)

These rules are NOT observed in "protocol-icmp.rules" from snort-rules 2.9.6.0. (Why?)

"
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.

"
I will be grateful if you reply to me.

Best regards,
Eray

From: Eray Balkanlı <eraybalkanli () hotmail com>
Sent: Thursday, 06 March 2014 13:34
To: Joel Esler (jesler); Eray Balkanli
Cc: snort-devel () lists sourceforge net
Subject: RE: [Snort-devel] Question - snort v2.9.6.0 rules

Hi,

First of all, thank you very much for your interest and answer!

In order to be more clear, let me explain my question in more depth.

Now, I am using both the ruleset from v2.9.1 and the one from v2.9.6.0, and I see there are many changes between the rulesets, as
expected. When I check "icmp.rules" and "icmp-info.rules" in 2.9.1, I observe that they
contain lots of rules. However, icmp.rules and icmp-info.rules are empty, containing no rules, but I see protocol-icmp.rules there,
which contains some rules related to ICMP packets. But some rules have been completely deleted. For example:

icmp.rules (v2.9.1) contains: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet"; dsize:>800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:4;)

icmp-info.rules (v2.9.1) contains: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Sun Solaris"; dsize:8; itype:8; reference:arachnids,448; classtype:misc-activity; sid:381; rev:6;)

I cannot see these rules in protocol-icmp.rules (v2.9.6.0). And there are more rules which are observable in v2.9.1
but not in v2.9.6.0.

In this regard, may I ask why these rules were deleted? Could you please explain on which references you base the
decision to delete existing rules?

* You can find the rules I use, "icmp.rules (v2.9.1), icmp-info.rules (v2.9.1) and protocol-icmp (2.9.6.0)", in the
attachment to this mail.

I appreciate your kind interest. Thank you!

Best regards,
Eray

From: jesler () cisco com
To: Eray.Balkanli () Dal Ca
CC: snort-devel () lists sourceforge net; eraybalkanli () hotmail com
Subject: Re: [Snort-devel] Question - snort v2.9.6.0 rules
Date: Tue, 4 Mar 2014 17:47:23 +0000

Within the rules we use a variety of references that you may look at to tell which vulnerabilities the rules cover, 
and from what year.  I encourage you to download the registered ruleset and grep through for “CVE” numbers, etc.   

--
Joel Esler | Threat Intelligence Team Lead | Open Source Manager | Vulnerability Research Team
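Added example (not part of this thread and not Snort's or the VRT's own tooling): a small parser that does the two things discussed above, comparing two rule files by sid to list rules that disappeared between versions, and tallying the years of the "reference:cve" entries, which is the grep-for-CVE view of how old a ruleset's coverage is. The sample rulesets inline are constructed from the ICMP rules quoted in the thread, not the real files.

```python
import re
from collections import Counter

# Constructed sample rulesets modelled on the ICMP rules quoted in this thread;
# they are not the real icmp.rules / protocol-icmp.rules files.
OLD_RULES = """
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect host"; icode:1; itype:5; reference:arachnids,135; reference:cve,1999-0265; classtype:bad-unknown; sid:472; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Source Quench"; icode:0; itype:4; classtype:bad-unknown; sid:477; rev:2;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet"; dsize:>800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:4;)
"""
NEW_RULES = """
# comment and blank lines are skipped by the parser
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect host"; icode:1; itype:5; reference:arachnids,135; reference:cve,1999-0265; classtype:bad-unknown; sid:472; rev:5;)
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
MSG_RE = re.compile(r'msg:\s*"([^"]*)"')
REF_RE = re.compile(r"reference:\s*([a-z]+),\s*([^;]+);")

def parse_rules(text):
    """Map sid -> {'msg': ..., 'refs': [(system, id), ...]} for each rule line."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid = SID_RE.search(line)
        if not sid:
            continue  # not a rule line (e.g. a variable definition)
        msg = MSG_RE.search(line)
        rules[int(sid.group(1))] = {
            "msg": msg.group(1) if msg else "",
            "refs": [(sys_, ident.strip()) for sys_, ident in REF_RE.findall(line)],
        }
    return rules

def removed_sids(old_text, new_text):
    """sids present in the old ruleset but absent from the new one, with their msg."""
    old, new = parse_rules(old_text), parse_rules(new_text)
    return {sid: old[sid]["msg"] for sid in sorted(old.keys() - new.keys())}

def cve_years(text):
    """Count CVE reference years across a ruleset (the 'grep for CVE' check)."""
    years = Counter()
    for rule in parse_rules(text).values():
        for system, ident in rule["refs"]:
            if system == "cve":
                years[int(ident.split("-")[0])] += 1
    return years
```

Running removed_sids(OLD_RULES, NEW_RULES) on the samples reports sids 477 and 499 as gone, and cve_years(OLD_RULES) shows the only CVE reference dating from 1999; pointing both functions at real rule files gives the version-to-version diff the thread asks about.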

On Mar 4, 2014, at 12:07 PM, Eray Balkanli <Eray.Balkanli () Dal Ca> wrote:

Hi,

I am a graduate Computer Science student at Dalhousie University. I have been working on some network records by 
using the rules included in Snort v2.9.6.0. I have a question related to those rules; I will be grateful if you reply.

May I ask how many recent years the defined rules are based on? I mean, from which year have the attack
signatures of malicious packets been regarded?

Thank you very much in advance!

Best regards,
Eray
------------------------------------------------------------------------------
Subversion Kills Productivity. Get off Subversion & Make the Move to Perforce.
With Perforce, you get hassle-free workflows. Merge that actually works. 
Faster operations. Version large binaries.  Built-in WAN optimization and the
freedom to use Git, Perforce or both. Make the move to Perforce.
http://pubads.g.doubleclick.net/gampad/clk?id=122218951&iu=/4140/ostg.clktrk
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
