Snort mailing list archives
Re: [Snort-users] threshold -- is it really deprecated?
From: beenph <beenph () gmail com>
Date: Mon, 23 Jan 2012 22:26:05 -0500
On Mon, Jan 23, 2012 at 10:13 PM, Jim Hranicky <jfh () ufl edu> wrote:
On Mon, 23 Jan 2012 16:55:39 -0500 Martin Roesch <roesch () sourcefire com> wrote:Personally I'd prefer to see the rule structure revisited. The current melange of selectors, detection and metadata information in a rule that depends on the author for structure is pretty suboptimal (and entirely my fault, lack of foresight you know). Something like rule { metadata { msg, sid/rev, ... } selector { flowbits, protocol, ip range, ... } detect { content, regex, ... } action { alert, log, block, set flowbit, ... } } would be great. If we did that and built in a nice macro system thenYou could always just use YAML for structure. Who wants to write a parser, anyway :-) ? Personally, I like the idea of having all the rule info in one place. So, you know, I only have to look/edit in one place when checking/ creating a rule :-) . Having to edit X files for one rule would just be annoying. I still see the value in having something like an overrides.conf, where you could specify local exceptions: sourcefire.rules ---------------- - sid : 200202 msg : "Botnet checkin" action : alert flowbits : "set:SF.botnet" from : "HOME_NET:any" to : "EXTERNAL_NET:HTTP_PORTS" content : - value : "/foodebar.php?x=3" type : http_uri - value : !"Accept-" type : http_header distance : 0 - sid : 200203 [...] overrides.conf -------------- - sid : 200202 # replace to: to : "EXTERNAL_NET:LOCAL_HTTP_PORTS" # Get rid of the flowbits flowbits : DELETE # add a threshold thresh : type : detection_filter seconds : 300 count : 20 # This leaves you with one content match content : - value : "/foodebar.php?x=3" type : http_uri Or something like that. If you're using strucured data, you no longer have to rely on regexp search and replace to make mods to the rules. A simple script could be used to output the final value of the rule(s). Wrap all this up in libsfparse, link snort and BY2 against it, poof, no more sid-msg.map (unless I'm missing something, entirely possible). $0.02 off the top of my head.
Rule management should be done with a rule manager. And not only a rule updater. If you have a serious deploiment you might have specific setting for sensor A.B.C which does not applies to D,E,F but sensor B and F could share a few similarities. Abstracting the actual rule structure used. i personally think anyone who has done fine tunning on a mid to large deploiment will not relies on file to manages rules deploiment. As of the threshold/event_filter being in the rule body it self, i think this come back to the previous argument where if you manage your rule in a way that you can applies variations for A,B,C,D,E,F it could be a good idea but if you also manage your configuration it is way mutch simpler and cleaner to manage such rule properties from a configuration perspective than a rule perspective imho. -elz ------------------------------------------------------------------------------ Keep Your Developer Skills Current with LearnDevNow! The most comprehensive online learning library for Microsoft developers is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3, Metro Style Apps, more. Free future releases when you subscribe now! http://p.sf.net/sfu/learndevnow-d2d _______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Re: threshold -- is it really deprecated?, (continued)
- Re: threshold -- is it really deprecated? Russ Combs (Jan 21)
- Re: threshold -- is it really deprecated? Patrick Mullen (Jan 21)
- Re: [Snort-users] threshold -- is it really deprecated? Eoin Miller (Jan 22)
- Re: [Snort-users] threshold -- is it really deprecated? elof (Jan 23)
- Re: [Snort-users] threshold -- is it really deprecated? Joel Esler (Jan 23)
- Re: [Snort-users] threshold -- is it really deprecated? Jason Brvenik (Jan 23)
- Re: [Snort-users] threshold -- is it really deprecated? Joshua Kinard (Jan 23)
- Re: [Snort-users] threshold -- is it really deprecated? Jason Brvenik (Jan 23)
- Re: [Snort-users] threshold -- is it really deprecated? Martin Roesch (Jan 23)
- Re: [Snort-devel] threshold -- is it really deprecated? Jim Hranicky (Jan 23)
- Re: [Snort-users] threshold -- is it really deprecated? beenph (Jan 23)
- Re: [Snort-devel] threshold -- is it really deprecated? Jason Brvenik (Jan 23)
- Re: [Snort-users] threshold -- is it really deprecated? Joshua Kinard (Jan 23)
- Re: [Snort-devel] threshold -- is it really deprecated? Joel Esler (Jan 24)
- Re: [Snort-devel] threshold -- is it really deprecated? Jim Hranicky (Jan 24)
- Re: [Snort-users] threshold -- is it really deprecated? Joshua Kinard (Jan 23)
- Re: [Snort-users] threshold -- is it really deprecated? Joshua Kinard (Jan 23)
- Re: [Snort-devel] threshold -- is it really deprecated? waldo kitty (Jan 25)
- Re: [Snort-users] threshold -- is it really deprecated? Joshua Kinard (Jan 23)
- Re: [Snort-users] Public Bugzilla? [was: threshold -- is it really deprecated?] Joshua Kinard (Jan 24)
- Re: [Snort-users] Public Bugzilla? [was: threshold -- is it really deprecated?] Joel Esler (Jan 24)