Re: [Snort-users] threshold -- is it really deprecated?

[beenph <beenph () gmail com>]

On Mon, Jan 23, 2012 at 10:13 PM, Jim Hranicky <jfh () ufl edu> wrote:
> On Mon, 23 Jan 2012 16:55:39 -0500
> Martin Roesch <roesch () sourcefire com> wrote:
>
> > Personally I'd prefer to see the rule structure revisited.  The
> > current melange of selectors, detection and metadata information in a
> > rule that depends on the author for structure is pretty suboptimal
> > (and entirely my fault, lack of foresight you know).
> >
> > Something like
> >
> > rule {
> >     metadata { msg, sid/rev, ... }
> >     selector { flowbits, protocol, ip range, ... }
> >     detect { content, regex, ... }
> >     action { alert, log, block, set flowbit, ... }
> > }
> >
> > would be great.  If we did that and built in a nice macro system then
>
> You could always just use YAML for structure. Who wants to write
> a parser, anyway :-) ?
>
> Personally, I like the idea of having all the rule info in one place.
> So, you know, I only have to look/edit in one place when checking/
> creating a rule :-) . Having to edit X files for one rule would
> just be annoying.
>
> I still see the value in having something like an overrides.conf,
> where you could specify local exceptions:
>
> sourcefire.rules
> ----------------
>
> - sid      : 200202
>  msg      : "Botnet checkin"
>  action   : alert
>  flowbits : "set:SF.botnet"
>  from     : "HOME_NET:any"
>  to       : "EXTERNAL_NET:HTTP_PORTS"
>  content  :
>    - value    : "/foodebar.php?x=3"
>      type     : http_uri
>    - value    : !"Accept-"
>      type     : http_header
>      distance : 0
>
> - sid      : 200203
>  [...]
>
> overrides.conf
> --------------
>
> - sid      : 200202
> # replace to:
>  to       : "EXTERNAL_NET:LOCAL_HTTP_PORTS"
> # Get rid of the flowbits
>  flowbits : DELETE
> # add a threshold
>  thresh   :
>    type       : detection_filter
>    seconds    : 300
>    count      : 20
> # This leaves you with one content match
>  content  :
>    - value    : "/foodebar.php?x=3"
>      type     : http_uri
>
> Or something like that.
>
> If you're using strucured data, you no longer have to rely on
> regexp search and replace to make mods to the rules. A simple
> script could be used to output the final value of the rule(s).
>
> Wrap all this up in libsfparse, link snort and BY2 against it,
> poof, no more sid-msg.map (unless I'm missing something,
> entirely possible).
>
> $0.02 off the top of my head.

Rule management should be done with a rule manager. And not only a rule updater.
If you have a serious deploiment you might have specific setting for sensor
A.B.C which does not applies to D,E,F but sensor B and F could share
a few similarities.

Abstracting the actual rule structure used. i personally think anyone
who has done
fine tunning on a mid to large deploiment will not relies on file to
manages rules deploiment.

As of the threshold/event_filter being in the rule body it self, i
think this come back
to the previous argument where if you manage your rule in a way that
you can applies
variations for A,B,C,D,E,F it could be a good idea but if you also
manage your configuration
it is way mutch simpler and cleaner to manage such rule properties
from a configuration
perspective than a rule perspective imho.

-elz

------------------------------------------------------------------------------
Keep Your Developer Skills Current with LearnDevNow!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-d2d
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!