Snort mailing list archives
Re: new//Re:help: how to use binder to give different flow with different ips-rules ?
From: "Carter Waxman \(cwaxman\) via Snort-users" <snort-users () lists snort org>
Date: Wed, 13 Mar 2019 13:12:08 +0000
What happens if you flip the binding order? Do you have a pcap?

The expected behavior is to loop through all bindings but choose the first of each matching policy type, so if an ips policy is selected, use = ips_policy should be ignored later in the binding list. This allows ips, network and inspection policies to be selected on different criteria.

- Carter

From: Snort-users <snort-users-bounces () lists snort org> on behalf of sofardware via Snort-users <snort-users () lists snort org>
Reply-To: sofardware <sofardware () 126 com>
Date: Wednesday, March 13, 2019 at 4:39 AM
To: sofardware <sofardware () 126 com>
Cc: "snort-users () lists snort org" <snort-users () lists snort org>
Subject: [Snort-users] new//Re:help: how to use binder to give different flow with different ips-rules ?

Snort cannot do what I want. Can anyone tell me whether there is something wrong in my use of binder, or whether Snort can only do it like this???

I want packets with net 15.5.5.0/24 to hit the rule in ips1.lua, while packets with net 15.5.5.0/24 hit the rule in ips.lua. I have tried binder with the following files (snort.lua, ips1.lua, ips.lua):

The result is that packets with net 15.5.5.0/24 and packets with net 11.1.3.0/24 both hit ips.lua. When I move the second binder policy to the first position, packets with net 15.5.5.0/24 and packets with net 11.1.3.0/24 both hit ips1.lua.

So the real binding is with the last policy, rather than with the condition in "when={}". Why???

--------------------------------------------------------
snort.lua:

dofile(dir .. '/snort_defaults.lua')

stream = { }
stream_ip = { }
stream_icmp = { }
stream_tcp = { }
stream_udp = { }

network = { decode_drops = true }

binder =
{
    { when = { nets = "15.5.5.0/24" }, use = { ips_policy = "ips1.lua" } },
    { when = { nets = "11.1.3.0/24" }, use = { ips_policy = "ips.lua" } },
}

----------------------------------------------
ips1.lua:

dofile(dir .. '/snort_defaults.lua')

ips =
{
    --rules = "alert udp any any -> any 5060 ( sid:1000001; sip_method:invite1 )",
    --enable_builtin_rules = true
    rules = [[
alert udp ( msg:"File_Data_Matched:ips1###############################udp#############################~\n"; sid:11116; )
]]
}

--------------------------------------------
ips.rule:

dofile(dir .. '/snort_defaults.lua')

ips =
{
    --rules = "alert udp any any -> any 5060 ( sid:1000001; sip_method:invite1 )",
    --enable_builtin_rules = true
    rules = [[
alert udp ( msg:"File_Data_Matched:ips~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~udp~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n"; sid:11116; )
]]
}

At 2019-03-13 15:22:40, "sofardware" <sofardware () 126 com> wrote:

Hi all,

For example, what I want to do:

when source net = 1.1.1.1/16, use ips rule files: snort3-browser-ie.rules, snort3-browser-firefox.rules
when source net = 1.1.1.1/16, use ips rule files: snort3-indicator-shellcode.rules, snort3-malware-backdoor.rules

How can I use the flow binder?

string binder[].use.ips_policy: use ips policy from given file    // what should be filled in the given file? The snort3 manual does not say what an ips_policy is.

ips = { include = 'snort3-browser-ie.rules' }    // Is this an ips_policy??? If yes, what is the difference between realizing the above with binder[].use.ips_policy and with binder[].use.file???

Other help needed: how can the following binders be used? There is no detailed help info or example in --help or the manual.

string binder[].use.inspection_policy: use inspection policy from given file
string binder[].use.network_policy: use network policy from given file
int binder[].when.ips_policy_id = 0: unique ID for selection of this config by external logic { 0: }
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users
To unsubscribe, send an email to: snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
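The selection rule Carter describes above (visit every binding in order, keep the first match for each policy type, let later bindings still supply the other types) can be modelled to see what the two-binding config in this thread should produce and what the suggested "flip the order" check tells you. The following is an added illustration written for this archive page; it is not Snort's code and does not reproduce how Snort evaluates bindings internally. It assumes that when.nets matches if either endpoint address is inside one of the listed networks, that when.proto is compared case-insensitively, and that a binding without a when table matches every packet; the file names, addresses and ports are constructed for the example.

```python
"""Model of the Snort 3 binder selection rule described in the reply above:
walk every binding in order and, for each policy type, keep the first match.

This is an added illustration, not Snort's own code. Assumptions (not taken
from the thread): when.nets matches if either endpoint address falls inside
one of the listed networks; when.proto is compared case-insensitively; a
binding without a `when` table matches every packet.
"""
import ipaddress

# The three policy types a binding's `use` table can select independently.
POLICY_TYPES = ("ips_policy", "network_policy", "inspection_policy")


def parse_nets(spec):
    """'15.5.5.0/24 11.1.3.0/24' -> list of ip_network objects."""
    return [ipaddress.ip_network(n, strict=False)
            for n in spec.replace(",", " ").split()]


def binding_matches(when, pkt):
    """True when every criterion present in `when` holds for `pkt`."""
    if "nets" in when:
        src = ipaddress.ip_address(pkt["src"])
        dst = ipaddress.ip_address(pkt["dst"])
        if not any(src in n or dst in n for n in parse_nets(when["nets"])):
            return False
    if "proto" in when and when["proto"].lower() != pkt["proto"].lower():
        return False
    if "ports" in when:
        ports = {int(p) for p in when["ports"].split()}
        if pkt["sport"] not in ports and pkt["dport"] not in ports:
            return False
    return True


def resolve_policies(binder, pkt):
    """Return {policy_type: file} selected for `pkt`.

    Every binding is visited in list order. The first matching binding that
    names a policy type wins for that type; later bindings naming the same
    type are ignored, but they can still supply the other types.
    """
    chosen = {}
    for entry in binder:
        if not binding_matches(entry.get("when", {}), pkt):
            continue
        for ptype, policy_file in entry.get("use", {}).items():
            if ptype in POLICY_TYPES and ptype not in chosen:
                chosen[ptype] = policy_file
        if len(chosen) == len(POLICY_TYPES):
            break  # nothing left to select
    return chosen


# Constructed binder: the two ips bindings from the thread plus a network
# policy chosen on a different criterion (protocol), as the reply describes.
BINDER = [
    {"when": {"nets": "15.5.5.0/24"}, "use": {"ips_policy": "ips1.lua"}},
    {"when": {"nets": "11.1.3.0/24"}, "use": {"ips_policy": "ips.lua"}},
    {"when": {"proto": "udp"}, "use": {"network_policy": "udp_net.lua"}},
]

# Constructed sample packets (addresses and ports are made up).
PKT_15 = {"src": "15.5.5.7", "dst": "10.0.0.2", "proto": "udp",
          "sport": 40000, "dport": 5060}
PKT_11 = {"src": "11.1.3.9", "dst": "10.0.0.2", "proto": "tcp",
          "sport": 40001, "dport": 80}
PKT_OTHER = {"src": "192.0.2.1", "dst": "10.0.0.2", "proto": "tcp",
             "sport": 40002, "dport": 443}


def order_sensitivity(binder, pkt):
    """The check suggested in the reply: resolve with the bindings as written
    and again with the list flipped. Returns (as_written, flipped); the two
    differ only when two matching bindings compete for the same policy type."""
    return (resolve_policies(binder, pkt),
            resolve_policies(list(reversed(binder)), pkt))


if __name__ == "__main__":
    for label, pkt in (("15.5.5.0/24", PKT_15), ("11.1.3.0/24", PKT_11),
                       ("other", PKT_OTHER)):
        print(label, order_sensitivity(BINDER, pkt))
```

Under these semantics the two nets in the thread are disjoint, so flipping the list leaves the result unchanged and each packet lands in the ips policy named by the binding whose when it satisfies; a flip only changes the outcome when two matching bindings both name an ips_policy (for instance 15.5.5.0/24 followed by 15.0.0.0/8), where the earlier one wins. If a real deployment shows both nets landing in the last-listed policy regardless of order, that is the case to capture in a pcap, as the reply asks, since it does not follow from the rule described.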
Current thread:
- help: how to use binder to give different flow with different ips-rules ? sofardware via Snort-users (Mar 13)
- new//Re:help: how to use binder to give different flow with different ips-rules ? sofardware via Snort-users (Mar 13)
- resoved//Re:new//Re:help: how to use binder to give different flow with different ips-rules ? sofardware via Snort-users (Mar 13)
- Re: new//Re:help: how to use binder to give different flow with different ips-rules ? Carter Waxman (cwaxman) via Snort-users (Mar 13)
- Re: new//Re:help: how to use binder to give different flow with different ips-rules ? Carter Waxman (cwaxman) via Snort-users (Mar 13)
- Re: new//Re:help: how to use binder to give different flow with different ips-rules ? sean murphy via Snort-users (Mar 13)
- new//Re:help: how to use binder to give different flow with different ips-rules ? sofardware via Snort-users (Mar 13)