Snort mailing list archives
Snort v2 rule order help (long)
From: JP Vossen <vossenjp () netaxs com>
Date: Thu, 24 Apr 2003 01:41:31 -0400 (EDT)
I'm setting up a honeypot on my backup DSL line and my rules don't work the way I expect (what a shock). I've Googled, read all the docs and FAQs (both on Snort.org and in the v2.0.0 tarball (which seems newer)), the SourceFire Snort v2 white papers (no real technical details), this list's archives, and I've run Jon William's Perl script [0] on the 1.9.1 rules and upgraded my snort.conf to v2, all to no avail. I have not looked at the source, as I will not understand it. My C skills are limited to Hello World.

I was using Snort v1.9.1, MySQL 3.23.54a-4, PHP 4.2.2-8.0.7 and ACID 0.9.6b23 (all Snort.org and RedHat 8.0 default RPMs when possible). I have since upgraded to Snort 2.0 (home grown RPMs since the Snort.org ones aren't out yet). Snort and ACID work fine, alerts go into MySQL and show up in ACID, except for this problem.

Basically, I am trying to write a few rules for specific stuff, then have a general catch-all (or cleanup) for anything I missed. The idea is to make ACID summary screens a little more meaningful by broadly categorizing packets. (Remember: honeynet, no production traffic!)

With Snort 1.9.1 the problem was that the catch-all rule was triggering on packets that should have triggered a more specific rule instead. Since I upgraded to Snort 2.0, the ONLY rule that triggers is "HPT-Catch All IP"!!! As I said, my snort.conf is now v2.0.0, with all other rules files commented out. $HOME_NET is "var HOME_NET xx.xx.xx.xx/32".

Any idea what I'm doing wrong, or how I can get more or less what I want?

Also, once this is working, phase 2 is to move some of the "real" signatures back in. At that point I may change my HPT rules to log instead of alert. Then the goal is still to capture EVERYTHING, but also to alert on the really interesting stuff too. Any thoughts here?

TIA for any thoughts as this has me quite frustrated.

JP

<JP-HoneyPot.rules>
# JP-HoneyPot.rules for a Honeynet/ACID "capture everydarnthing" configuration.
# 2003-04-19 JPV Upgraded to Snort 2.0.0 and broke out to new file
# "HPT-" is a prefix meaning Honeypot, just to make the rules identifiable.

# ICMP (any/all)
alert icmp any any -> $HOME_NET any (msg: "HPT-Incoming ICMP"; session: printable;)
alert icmp $HOME_NET any -> any any (msg: "HPT-Outgoing ICMP"; session: printable;)

# UDP (any/all)
alert udp any any -> $HOME_NET any (msg: "HPT-Incoming UDP"; session: printable;)
alert udp $HOME_NET any -> any any (msg: "HPT-Outgoing UDP"; session: printable;)

# TCP with payload
alert tcp any any -> $HOME_NET any (dsize:>0; msg: "HPT-Incoming TCP with payload"; session: printable;)
alert tcp $HOME_NET any -> any any (dsize:>0; msg: "HPT-Outgoing TCP with payload"; session: printable;)

# TCP with no payload
alert tcp any any -> $HOME_NET any (dsize:0; msg: "HPT-Incoming TCP no payload";)
alert tcp $HOME_NET any -> any any (dsize:0; msg: "HPT-Outgoing TCP no payload";)

# Catch-all
alert icmp any any -> any any (msg: "HPT-Catch All ICMP"; session: printable;)
alert tcp any any -> any any (msg: "HPT-Catch All TCP"; session: printable;)
alert udp any any -> any any (msg: "HPT-Catch All UDP"; session: printable;)
alert ip any any -> any any (msg: "HPT-Catch All IP"; session: printable;)
</JP-HoneyPot.rules>

~~~~~~~~~~~~~~~~~~~~~~~~~~~

Here is the relevant stuff from the ACID 35 Most Frequent Alerts (TAB delimited, sorry about the formatting). I first installed the box 2003-03-16 03:25:28, changed over from 1 monolithic rule on 2003-03-20 22:22:16, and upgraded to Snort 2.0.0 on 2003-04-19 03:39:51. Note in the middle block that "HPT-Catch All TCP" was 37%, which is WAY too high. But the most telling fact is that since the Snort 2.0.0 upgrade no rule other than "HPT-Catch All IP" has fired.

<ACID 35 Most Frequent Alerts>
Signature                       Total #       Src. Addr.  Dest. Addr.  First                Last
HPT-Catch All IP                5420 (4%)     1           684          2003-04-19 03:39:51  2003-04-24 01:14:55
HPT-Incoming UDP                5979 (4%)     1           4046         2003-03-20 22:34:41  2003-04-19 01:40:12
HPT-Incoming TCP no payload     59379 (41%)   930         2            2003-03-21 02:11:11  2003-04-18 23:14:59
HPT-Catch All TCP               53727 (37%)   1           4            2003-03-20 23:08:11  2003-04-18 23:14:59
HPT-Incoming TCP with payload   10042 (7%)    1           654          2003-03-20 22:56:55  2003-04-18 23:14:56
HPT-Incoming ICMP               210 (0%)      1           59           2003-03-21 01:30:53  2003-04-18 19:06:36
HPT-Catch All UDP               4 (0%)        1           1            2003-03-21 01:40:39  2003-03-21 02:06:45
HPT-Outgoing ICMP               13 (0%)       1           1            2003-03-21 01:31:45  2003-03-21 02:03:55
HPT-Incoming TCP other flags    20 (0%)       1           5            2003-03-20 22:56:23  2003-03-21 01:31:22
HPT-Incoming TCP ACK            52 (0%)       1           6            2003-03-20 22:42:12  2003-03-21 01:31:18
HPT-Incoming TCP SYN            25 (0%)       1           5            2003-03-20 22:56:19  2003-03-21 01:31:18
Honeypot--All                   9184 (6%)     803         341          2003-03-16 03:25:28  2003-03-20 22:22:16
[Other misc. junk truncated]
</ACID 35 Most Frequent Alerts>

[0] http://marc.theaimsgroup.com/?l=snort-users&m=102035091108767&w=2

JP Vossen, CISSP             jp () jpsdomain org
My Account, My Opinions      http://www.jpsdomain.org/
"The software said it requires Windows 98 or better, so I installed Linux..."
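The root of the poster's trouble is visible in the rule file itself: for any given packet, a specific HPT rule and one or two of the catch-alls all match, so which alert ACID records depends on the engine's evaluation order, not on the order the rules appear in the file. The following Python is an added illustration, not code from the post or from Snort: it parses the twelve HPT rule headers plus the dsize option and lists every rule that accepts a constructed packet (HOME_NET and the sample addresses are made-up stand-ins for the poster's xx.xx.xx.xx/32).

```python
import re

HOME_NET = "10.0.0.1"  # constructed stand-in for "var HOME_NET xx.xx.xx.xx/32"

# The twelve HPT rules from the post; the session option is dropped here
# because it only affects logging, not whether a rule matches.
RULES = """\
alert icmp any any -> $HOME_NET any (msg:"HPT-Incoming ICMP";)
alert icmp $HOME_NET any -> any any (msg:"HPT-Outgoing ICMP";)
alert udp any any -> $HOME_NET any (msg:"HPT-Incoming UDP";)
alert udp $HOME_NET any -> any any (msg:"HPT-Outgoing UDP";)
alert tcp any any -> $HOME_NET any (dsize:>0; msg:"HPT-Incoming TCP with payload";)
alert tcp $HOME_NET any -> any any (dsize:>0; msg:"HPT-Outgoing TCP with payload";)
alert tcp any any -> $HOME_NET any (dsize:0; msg:"HPT-Incoming TCP no payload";)
alert tcp $HOME_NET any -> any any (dsize:0; msg:"HPT-Outgoing TCP no payload";)
alert icmp any any -> any any (msg:"HPT-Catch All ICMP";)
alert tcp any any -> any any (msg:"HPT-Catch All TCP";)
alert udp any any -> any any (msg:"HPT-Catch All UDP";)
alert ip any any -> any any (msg:"HPT-Catch All IP";)
"""

# action proto src sport -> dst dport (options)
HEADER = re.compile(r'alert (\w+) (\S+) \S+ -> (\S+) \S+ \((.*)\)')

def parse_rules(text=RULES):
    """Turn each rule line into a dict of proto, src, dst, dsize and msg."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, src, dst, body = HEADER.match(line).groups()
        opts = dict(o.strip().split(":", 1) for o in body.split(";") if o.strip())
        sub = lambda a: HOME_NET if a == "$HOME_NET" else a
        rules.append({"proto": proto, "src": sub(src), "dst": sub(dst),
                      "dsize": opts.get("dsize"), "msg": opts["msg"].strip('"')})
    return rules

def dsize_ok(spec, payload_len):
    """Evaluate the only two dsize forms the post uses: '0' and '>0'."""
    if spec is None:
        return True
    if spec.startswith(">"):
        return payload_len > int(spec[1:])
    return payload_len == int(spec)

def matching_rules(proto, src, dst, payload_len, rules=None):
    """Every rule whose header and dsize test accept the packet, in file order."""
    rules = parse_rules() if rules is None else rules
    return [r["msg"] for r in rules
            if r["proto"] in (proto, "ip")          # 'ip' rules cover every protocol
            and r["src"] in ("any", src) and r["dst"] in ("any", dst)
            and dsize_ok(r["dsize"], payload_len)]

if __name__ == "__main__":
    # Constructed packet: inbound TCP with 40 bytes of payload matches three rules.
    print(matching_rules("tcp", "192.0.2.7", HOME_NET, 40))
```

Every packet lands in at least two rules, and the "HPT-Catch All IP" header accepts everything, so whatever one rule the engine reports first is what ACID ends up counting.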