Snort mailing list archives

Re: new//Re:help: how to use binder to give different flow with different ips-rules ？

From: "Carter Waxman \(cwaxman\) via Snort-users" <snort-users () lists snort org>
Date: Wed, 13 Mar 2019 13:12:08 +0000

What happens if you flip the binding order? Do you have a pcap? The expected behavior is to loop through all bindings 
but choose the first of each matching policy type, so if an ips policy is selected, use = ips_policy should be ignored 
later in the binding list. This allows ips, network and inspection policies to be selected on different criteria.


  *   Carter

From: Snort-users <snort-users-bounces () lists snort org> on behalf of sofardware via Snort-users <snort-users () 
lists snort org>
Reply-To: sofardware <sofardware () 126 com>
Date: Wednesday, March 13, 2019 at 4:39 AM
To: sofardware <sofardware () 126 com>
Cc: "snort-users () lists snort org" <snort-users () lists snort org>
Subject: [Snort-users] new//Re:help: how to use binder to give different flow with different ips-rules ？

The snort can not do like  what I want. Who can tell me that, is there something wrong in the using of binder or snort 
can only do like this???
I want pakets with  net 15.5.5.0/24 to hit the rule in ips1.lua, while pakets with  net 15.5.5.0/24 to hit the rule in 
ips.lua.
I have tried the binder with the fllow files(snort.lua,ips1.lua,ips.lua):
The result is that, the pakets with  net 15.5.5.0/24 and  pakets with net 11.1.3.0/24  are both  hit the ips.lua.
when I take the second binder policy to the first,the pakets with  net 15.5.5.0/24 and  pakets with net 11.1.3.0/24  
are both  hit the ips1.lua.
So, the real binding is with the last policy, rather than with the condition in "when={}"
Why???



--------------------------------------------------------
snort.lua:
dofile(dir .. '/snort_defaults.lua')
stream = { }
stream_ip = { }
stream_icmp = { }
stream_tcp = { }
stream_udp = { }
network={decode_drops=true}
binder =
{
    { when = { nets = "15.5.5.0/24" }, use = { ips_policy = "ips1.lua" } },
    { when = { nets = "11.1.3.0/24" }, use = { ips_policy = "ips.lua" } },

}
----------------------------------------------
ips1.lua
dofile(dir .. '/snort_defaults.lua')
ips =
{
    --rules = "alert udp any any -> any 5060 ( sid:1000001; sip_method:invite1 )",
    --enable_builtin_rules = true
    rules =
[[
alert udp ( msg:"File_Data_Matched:ips1###############################udp#############################~\n"; sid:11116; )
]]
}
--------------------------------------------
ips.rule
dofile(dir .. '/snort_defaults.lua')
ips =
{
    --rules = "alert udp any any -> any 5060 ( sid:1000001; sip_method:invite1 )",
    --enable_builtin_rules = true
    rules =
[[
alert udp ( msg:"File_Data_Matched:ips~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~udp~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n"; 
sid:11116; )
]]
}
~








At 2019-03-13 15:22:40, "sofardware" <sofardware () 126 com> wrote:

      Hi all,
           For example，what I want to ：
           when source net = 1.1.1.1/16 ，use ips rule files：snort3-browser-ie.rules，snort3-browser-firefox.rules
           when source net = 1.1.1.1/16 ，use ips rule 
files：snort3-indicator-shellcode.rules，snort3-malware-backdoor.rules
          How can use the flow binder ：
          string binder[].use.ips_policy: use ips policy from given file   //what should be filled in the given file ? 
The snort3 manual does not say what is ips_policy
          ips =
         {
           include = 'snort3-browser-ie.rules'
         } // Is this a ips_policy ??? ,if yes, what is the different to realize the above thing with 
binder[].use.ips_policy and binder[].use.file ???

         other help needed:
         how can the follow binders be used? There is no detail help info or example in  --help or manual
         string binder[].use.inspection_policy: use inspection policy from given file
         string binder[].use.network_policy: use network policy from given file
         int binder[].when.ips_policy_id = 0: unique ID for selection of this config by external logic { 0: }

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

        To unsubscribe, send an email to:
        snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Current thread:

help: how to use binder to give different flow with different ips-rules ？ sofardware via Snort-users (Mar 13)
- new//Re:help: how to use binder to give different flow with different ips-rules ？ sofardware via Snort-users (Mar 13)
  - resoved//Re:new//Re:help: how to use binder to give different flow with different ips-rules ？ sofardware via Snort-users (Mar 13)
  - Re: new//Re:help: how to use binder to give different flow with different ips-rules ？ Carter Waxman (cwaxman) via Snort-users (Mar 13)
    - Re: new//Re:help: how to use binder to give different flow with different ips-rules ？ Carter Waxman (cwaxman) via Snort-users (Mar 13)
    - Re: new//Re:help: how to use binder to give different flow with different ips-rules ？ sean murphy via Snort-users (Mar 13)