Snort mailing list archives
(no subject)
From: JP Vossen <vossenjp () netaxs com>
Date: Sat, 20 Dec 2003 00:14:42 -0500 (EST)
Subject: Re: [Snort-users] Rule order?

> From: Ralf Spenneberg <lists () spenneberg org>
> To: Toby Rodwell <trodwell () iee org>
> Cc: Snort-Users <snort-users () lists sourceforge net>
> Date: 18 Dec 2003 13:46:42 +0100
>
> On Wed, 2003-12-17 at 21:32, Toby Rodwell wrote:
> > I think I might be missing something basic here. I'm getting to grips with
> > Snort, trying out some really simple configs. I'm used to rules being run in
> > the sequence they appear, so my snort.conf is currently this:
> Unfortunately, that's not the way Snort evaluates the rules. Depending on the
> Snort version the rules are reordered differently. Snort always reorders the
> rules to increase its performance. It practically builds its rule engine on
> the fly. If you are using Snort 2.x there is a whitepaper on the Snort
> homepage explaining the multi-rule engine.
I have had *limited* success in getting rules to work in the order I want by
using the config order directive like so:

/etc/snort/snort.conf:

    [...]
    # Custom rule ordering so that rules trigger in the order needed.
    config order: alert log payload handshake catchall
    [...]
    # Custom rule to allow rule ordering so that rules trigger in the order needed.
    ruletype payload
    {
        type alert
        output database: alert, mysql, dbname=snort host=......
    }
    # Custom rule to allow rule ordering so that rules trigger in the order needed.
    ruletype handshake
    {
        type alert
        output database: alert, mysql, dbname=snort host=......
    }
    # Custom rule to allow rule ordering so that rules trigger in the order needed.
    ruletype catchall
    {
        type alert
        output database: alert, mysql, dbname=snort host=......
    }
    [...]

Then my rules file has stuff like this:

    payload tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"HPT-Incoming TCP with payload"; dsize:>0; session: printable; sid:1000008;)
    payload tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"HPT-Outgoing TCP with payload"; dsize:>0; session: printable; sid:1000009;)
    handshake tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"HPT-Incoming TCP no payload"; dsize:0; sid:1000010;)
    handshake tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"HPT-Outgoing TCP no payload"; dsize:0; sid:1000011;)
    catchall icmp any any -> any any (msg:"HPT-Catch All ICMP"; session: printable; sid:1000012;)

IIRC this did not work 100%, but it's been a while and looking at this with
fresh eyes I saw some bugs (corrected in these examples), so this may work
better than I thought. This particular setup is also running Snort 2.0.1
(yeah, yeah, I know), but there is no reason I'm aware of that this won't work
in 2.1.0. YMMV.

My goal was to capture everything from a honeypot but to "classify" things for
easier viewing in ACID.

Search the archives [0] for "rule order" too, that might help. I've asked this
question a few times, with the stuff above the best I've been able to do.
Later,
JP

[0] http://marc.theaimsgroup.com/?l=snort-users

------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|      jp{at}jpsdomain{dot}org
My Account, My Opinions       |=========|      http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
You used to have to reboot the Windows 9.x series every couple of days
because it would crash. Now you have to reboot Windows 200x or XP every
couple of days because of a patch. How is that better or more stable?
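As an added illustration (not JP's code and not Snort's detection engine), here is a toy Python model of the behaviour JP is relying on: rule types are walked in "config order", rules in file order within a type, and the first hit wins. It uses the rules from the post plus one constructed TCP catchall rule (sid 1000099) to show why the broad catchall type has to come last in config order; matching is simplified to protocol, the $HOME_NET/$EXTERNAL_NET side labels and dsize.

```python
import re

# Rule types and rules as in the snort.conf above; the TCP catchall rule is constructed.
CONFIG_ORDER = ["alert", "log", "payload", "handshake", "catchall"]
RULES = """
payload tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"HPT-Incoming TCP with payload"; dsize:>0; session: printable; sid:1000008;)
payload tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"HPT-Outgoing TCP with payload"; dsize:>0; session: printable; sid:1000009;)
handshake tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"HPT-Incoming TCP no payload"; dsize:0; sid:1000010;)
handshake tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"HPT-Outgoing TCP no payload"; dsize:0; sid:1000011;)
catchall icmp any any -> any any (msg:"HPT-Catch All ICMP"; session: printable; sid:1000012;)
catchall tcp any any -> any any (msg:"HPT-Catch All TCP (constructed)"; sid:1000099;)
"""
RULE_RE = re.compile(r"^(\w+) (\w+) (\S+) (\S+) -> (\S+) (\S+) \((.*)\)$")

def parse_rules(text):
    """Parse 'type proto src sport -> dst dport (opt:val; ...)' lines into dicts."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("unparseable rule: " + line)
        rtype, proto, src, _sport, dst, _dport, body = m.groups()
        opts = dict(o.strip().split(":", 1) if ":" in o else (o.strip(), "")
                    for o in body.split(";") if o.strip())
        rules.append({"type": rtype, "proto": proto, "src": src, "dst": dst, "opts": opts})
    return rules

def dsize_ok(spec, size):
    """Subset of Snort's dsize syntax: an exact size N, or >N."""
    return size > int(spec[1:]) if spec.startswith(">") else size == int(spec)

def matches(rule, pkt):
    """Match on protocol, the $HOME_NET/$EXTERNAL_NET side labels and dsize only."""
    if rule["proto"] != pkt["proto"]:
        return False
    if rule["src"] not in ("any", pkt["src"]) or rule["dst"] not in ("any", pkt["dst"]):
        return False
    return "dsize" not in rule["opts"] or dsize_ok(rule["opts"]["dsize"], pkt["dsize"])

def first_hit(rules, pkt, order=CONFIG_ORDER):
    """Return the sid of the first match, walking rule types in config order
    and rules in file order within a type; None if nothing matches."""
    if missing := {r["type"] for r in rules} - set(order):
        raise ValueError("rule types not listed in config order: %s" % sorted(missing))
    for rtype in order:
        for rule in (r for r in rules if r["type"] == rtype):
            if matches(rule, pkt):
                return int(rule["opts"]["sid"])
    return None
```

With the post's order an inbound TCP segment carrying data is classified as sid 1000008 (payload); with the order reversed the constructed catchall wins first, which is exactly the misclassification the custom config order is there to avoid.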