Snort mailing list archives

Snort v2 rule order help (long)


From: JP Vossen <vossenjp () netaxs com>
Date: Thu, 24 Apr 2003 01:41:31 -0400 (EDT)


I'm setting up a honeypot on my backup DSL line and my rules don't work the
way I expect (what a shock).  I've Googled, read all the docs, FAQs (both on
Snort.org and in the v2.0.0 tarball (which seems newer)), the SourceFire Snort
v2 white papers (no real technical details), this list archives, and I've run
Jon William's Perl script [0] on the 1.9.1 rules and upgraded my snort.conf to
v2, all to no avail.  I have not looked at the source, as I will not
understand it.  My C skills are limited to Hello World.

I was using Snort v1.9.1, MySQL 3.23.54a-4, PHP 4.2.2-8.0.7 and ACID
0.9.6b23 (all Snort.org and RedHat 8.0 default RPMs when possible).  I have
since upgraded to Snort 2.0 (home grown RPMs since the Snort.org ones aren't
out yet).  Snort and ACID work fine, alerts go into MySQL and show up in ACID,
except for this problem.

Basically, I am trying to write a few rules for specific stuff, then have a
general catch-all (or cleanup) for anything I missed.  The idea is to make
ACID summary screens a little more meaningful by broadly categorizing packets.
(Remember-honeynet, no production traffic!)

With Snort 1.9.1 the problem was that the catch-all rule was triggering on
packets that should have triggered a more specific rule instead.  Since I
upgraded to Snort 2.0, the ONLY rule that triggers is "HPT-Catch All IP"!!!

As I said, my snort.conf is now v2.0.0, with all other rules files commented
out.  $HOME_NET is "var HOME_NET xx.xx.xx.xx/32".

Any idea what I'm doing wrong, or how I can get more or less what I want?
Also, once this is working, phase 2 is to move some of the "real" signatures
back in.  At that point I may change my HPT rules to log instead of alert.
Then the goal is still to capture EVERYTHING, but also to alert on the really
interesting stuff too.  Any thoughts here?

TIA for any thoughts as this has me quite frustrated.
JP


<JP-HoneyPot.rules>
# JP-HoneyPot.rules for a Honeynet/ACID "capture everydarnthing" configuration.
# 2003-04-19 JPV Upgraded to Snort 2.0.0 and broke out to new file


# "HPT-" is a prefix meaning Honeypot, just to make the rules identifiable.

# ICMP (any/all)
alert icmp any any -> $HOME_NET any (msg: "HPT-Incoming ICMP"; session: printable;)
alert icmp $HOME_NET any -> any any (msg: "HPT-Outgoing ICMP"; session: printable;)


# UDP (any/all)
alert udp any any -> $HOME_NET any (msg: "HPT-Incoming UDP"; session: printable;)
alert udp $HOME_NET any -> any any (msg: "HPT-Outgoing UDP"; session: printable;)


# TCP with payload
alert tcp any any -> $HOME_NET any (dsize:>0; msg: "HPT-Incoming TCP with payload"; session: printable;)
alert tcp $HOME_NET any -> any any (dsize:>0; msg: "HPT-Outgoing TCP with payload"; session: printable;)


# TCP with no payload
alert tcp any any -> $HOME_NET any (dsize:0; msg: "HPT-Incoming TCP no payload";)
alert tcp $HOME_NET any -> any any (dsize:0; msg: "HPT-Outgoing TCP no payload";)


# Catch-all
alert icmp any any -> any any (msg: "HPT-Catch All ICMP"; session: printable;)
alert tcp  any any -> any any (msg: "HPT-Catch All TCP";  session: printable;)
alert udp  any any -> any any (msg: "HPT-Catch All UDP";  session: printable;)
alert ip   any any -> any any (msg: "HPT-Catch All IP";   session: printable;)
</JP-HoneyPot.rules>


~~~~~~~~~~~~~~~~~~~~~~~~~~~
Here is the relevant stuff from the ACID 35 Most Frequent Alerts (TAB
delimited, sorry about the formatting).

I first installed the box 2003-03-16 03:25:28, changed over from 1 monolithic
rule on 2003-03-20 22:22:16, and upgraded to Snort 2.0.0 on 2003-04-19
03:39:51.  Note in the middle block that "HPT-Catch All TCP" was 37%, which is
WAY too high.  But the most telling fact is that since the Snort 2.0.0 upgrade
no rule other than "HPT-Catch All IP" has fired.


<ACID 35 Most Frequent Alerts>
Signature                       Total #       Src. Addr.  Dest. Addr.  First                Last
HPT-Catch All IP                5420  (4%)    1           684          2003-04-19 03:39:51  2003-04-24 01:14:55

HPT-Incoming UDP                5979  (4%)    1           4046         2003-03-20 22:34:41  2003-04-19 01:40:12
HPT-Incoming TCP no payload     59379 (41%)   930         2            2003-03-21 02:11:11  2003-04-18 23:14:59
HPT-Catch All TCP               53727 (37%)   1           4            2003-03-20 23:08:11  2003-04-18 23:14:59
HPT-Incoming TCP with payload   10042 (7%)    1           654          2003-03-20 22:56:55  2003-04-18 23:14:56
HPT-Incoming ICMP               210   (0%)    1           59           2003-03-21 01:30:53  2003-04-18 19:06:36
HPT-Catch All UDP               4     (0%)    1           1            2003-03-21 01:40:39  2003-03-21 02:06:45
HPT-Outgoing ICMP               13    (0%)    1           1            2003-03-21 01:31:45  2003-03-21 02:03:55
HPT-Incoming TCP other flags    20    (0%)    1           5            2003-03-20 22:56:23  2003-03-21 01:31:22
HPT-Incoming TCP ACK            52    (0%)    1           6            2003-03-20 22:42:12  2003-03-21 01:31:18
HPT-Incoming TCP SYN            25    (0%)    1           5            2003-03-20 22:56:19  2003-03-21 01:31:18

Honeypot--All                   9184  (6%)    803         341          2003-03-16 03:25:28  2003-03-20 22:22:16
[Other misc. junk truncated]
</ACID 35 Most Frequent Alerts>


[0] http://marc.theaimsgroup.com/?l=snort-users&m=102035091108767&w=2


------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|                jp () jpsdomain org
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
"The software said it requires Windows 98 or better, so I installed
Linux..."
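As an added illustration (not part of the original post, and not a model of Snort's own detection engine), the script below parses the HPT rules exactly as posted and lists every rule that matches a few constructed packets. It makes the overlap the post is fighting visible: every catch-all rule also matches the packets the specific rules match, and "HPT-Catch All IP" matches every packet at all, so whichever single rule Snort reports for a packet, file order alone does not make the specific rule win. `most_specific_msg` computes the one label the author wants (the most-constrained matching rule) outside Snort, to show what a "best match" rather than "a match" policy would produce. `HOME_NET` and the sample addresses are constructed values standing in for the author's xx.xx.xx.xx/32.

```python
"""Model which of the posted HPT rules overlap on a given packet (added example)."""
import ipaddress
import re

HOME_NET = "10.0.0.5/32"  # constructed stand-in for the author's "var HOME_NET xx.xx.xx.xx/32"

# The rules from JP-HoneyPot.rules, verbatim.
RULES = """
alert icmp any any -> $HOME_NET any (msg: "HPT-Incoming ICMP"; session: printable;)
alert icmp $HOME_NET any -> any any (msg: "HPT-Outgoing ICMP"; session: printable;)
alert udp any any -> $HOME_NET any (msg: "HPT-Incoming UDP"; session: printable;)
alert udp $HOME_NET any -> any any (msg: "HPT-Outgoing UDP"; session: printable;)
alert tcp any any -> $HOME_NET any (dsize:>0; msg: "HPT-Incoming TCP with payload"; session: printable;)
alert tcp $HOME_NET any -> any any (dsize:>0; msg: "HPT-Outgoing TCP with payload"; session: printable;)
alert tcp any any -> $HOME_NET any (dsize:0; msg: "HPT-Incoming TCP no payload";)
alert tcp $HOME_NET any -> any any (dsize:0; msg: "HPT-Outgoing TCP no payload";)
alert icmp any any -> any any (msg: "HPT-Catch All ICMP"; session: printable;)
alert tcp  any any -> any any (msg: "HPT-Catch All TCP";  session: printable;)
alert udp  any any -> any any (msg: "HPT-Catch All UDP";  session: printable;)
alert ip   any any -> any any (msg: "HPT-Catch All IP";   session: printable;)
"""

# action proto src sport -> dst dport (options)
HEADER_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$')


def _net(token, home_net):
    """'any' -> None (unconstrained); '$HOME_NET' or a literal -> ip_network."""
    if token == "any":
        return None
    if token == "$HOME_NET":
        token = home_net
    return ipaddress.ip_network(token, strict=False)


def _port(token):
    return None if token == "any" else int(token)


def parse_rules(text, home_net=HOME_NET):
    """Parse the header and the two options this example cares about (msg, dsize)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError("cannot parse rule header: " + line)
        action, proto, src, sport, dst, dport, opts = m.groups()
        msg = re.search(r'msg:\s*"([^"]*)"', opts).group(1)
        dm = re.search(r'dsize:\s*(>?)(\d+)', opts)
        rules.append({
            "action": action, "proto": proto,
            "src": _net(src, home_net), "sport": _port(sport),
            "dst": _net(dst, home_net), "dport": _port(dport),
            "dsize": (dm.group(1), int(dm.group(2))) if dm else None,
            "msg": msg,
        })
    return rules


def rule_matches(rule, pkt):
    """True if every constrained field of the rule fits the packet ('ip' covers any proto)."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if rule["src"] is not None and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["dst"] is not None and ipaddress.ip_address(pkt["dst"]) not in rule["dst"]:
        return False
    if rule["sport"] is not None and rule["sport"] != pkt.get("sport"):
        return False
    if rule["dport"] is not None and rule["dport"] != pkt.get("dport"):
        return False
    if rule["dsize"] is not None:
        op, n = rule["dsize"]
        if op == ">" and not pkt["dsize"] > n:
            return False
        if op == "" and pkt["dsize"] != n:
            return False
    return True


def matching_msgs(rules, pkt):
    """All rules that match, in file order: the overlap the post describes."""
    return [r["msg"] for r in rules if rule_matches(r, pkt)]


def specificity(rule):
    """Number of header/option fields the rule actually constrains."""
    return sum([
        rule["proto"] != "ip",
        rule["src"] is not None, rule["sport"] is not None,
        rule["dst"] is not None, rule["dport"] is not None,
        rule["dsize"] is not None,
    ])


def most_specific_msg(rules, pkt):
    """The single label the author wants: the most constrained match (first in file wins ties)."""
    hits = [r for r in rules if rule_matches(r, pkt)]
    return max(hits, key=specificity)["msg"] if hits else None


PACKETS = {  # constructed sample traffic
    "incoming SYN":  {"proto": "tcp",  "src": "192.0.2.10", "dst": "10.0.0.5",     "dsize": 0},
    "incoming DNS":  {"proto": "udp",  "src": "192.0.2.10", "dst": "10.0.0.5",     "dsize": 40},
    "outgoing ping": {"proto": "icmp", "src": "10.0.0.5",   "dst": "192.0.2.10",   "dsize": 56},
    "third-party":   {"proto": "tcp",  "src": "192.0.2.10", "dst": "198.51.100.7", "dsize": 0},
}

if __name__ == "__main__":
    rules = parse_rules(RULES)
    for name, pkt in PACKETS.items():
        print(f"{name:14s} all matches:   {matching_msgs(rules, pkt)}")
        print(f"{'':14s} most specific: {most_specific_msg(rules, pkt)}")
```

Every packet, including the "third-party" one that touches neither side of HOME_NET, ends up in the match list of "HPT-Catch All IP", which is consistent with that rule being the one reported for everything after the upgrade. Making the rule set mutually exclusive (so that at most one HPT rule can match any packet) is the one way to get a single meaningful label without depending on how the engine breaks ties.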


