Re: Regarding Coding for Snort

[Mayur Patil <ram.nath241089 () gmail com>]

Hi Waldo,

    Thanks for the wise reply.

    Actually I want to write My own rule for recognizing and generating
alert (possibly block them ) for DDoS attack.

    There are four types of rules I found in the snort while running NIDS
mode by omitting -e switch


   1. Decoder Rule
   2. Detection rules
   3. Preprocessor rules
   4. Dynamic Rules

    So I need *your suggestion* which one is

    *effective*, *easy to understand* and *write* ??

    Please guide !!

    That will be a great favour to me !!


>  you still do not say what kind of code you are talking about... if you are
>  talking about standard GID:1 text rules, then choose something you want to
>  monitor for... like DNS or NETBIOS traffic... or possibly something
> easier like
>  POP3 or SMTP traffic... then you could use the protocol specs of those to
> create
>  rules for the different stages of the protocol so that you could alert as
> each
>  stage was triggered...




> if you are talking about coding GID:3 shared object rules, there is a
> skeleton
> for such to give a start... generally speaking, rules are written in C and
> compiled just like any other shared objects... i do not have any specific
> experience writing GID:3 rules, though...


you have the same thing as the GID:3 rules for creating your own
> preperocessor
> to perform some task on the packets... again, this is an area i do not know
> about other than having seen others talk about it occasionally...


have you looked on the snort.org web site for any type of development
> packages
> related to your chosen task? that's where i would expect to find samples
> and
> tutorials of this nature...


  Thanks !!
*
*
*--
Cheers,
Mayur*




On Thu, Jul 18, 2013 at 11:59 PM, waldo kitty
<wkitty42 () windstream net<https://mail.google.com/mail/u/0/?view=cm&fs=1&tf=1&to=wkitty42 () windstream net>
> wrote:

> On 7/18/2013 13:57, Mayur Patil wrote:
> > Hi Joel,
> >
> >     Yes, this is assignment for project.
>
> :?
>
> >     But In this case, I just want the topic on which I could do this
> work in
> > short time.
> >
> >     My goal is to write code for Rules of snort achieved in 4-5 days
> which
> > should be 80 -100 lines.
>
> you still do not say what kind of code you are talking about... if you are
> talking about standard GID:1 text rules, then choose something you want to
> monitor for... like DNS or NETBIOS traffic... or possibly something easier
> like
> POP3 or SMTP traffic... then you could use the protocol specs of those to
> create
> rules for the different stages of the protocol so that you could alert as
> each
> stage was triggered...
>
> if you are talking about coding GID:3 shared object rules, there is a
> skeleton
> for such to give a start... generally speaking, rules are written in C and
> compiled just like any other shared objects... i do not have any specific
> experience writing GID:3 rules, though...
>
> you have the same thing as the GID:3 rules for creating your own
> preperocessor
> to perform some task on the packets... again, this is an area i do not know
> about other than having seen others talk about it occasionally...
>
> have you looked on the snort.org web site for any type of development
> packages
> related to your chosen task? that's where i would expect to find samples
> and
> tutorials of this nature...
>
> >     Seeking for guidance,
> >     Thanks !!
> > *
> > *
> > *--*
> > *Cheers,*
> > *Mayur*
> >
> > On Thu, Jul 18, 2013 at 10:47 PM, Joel Esler <jesler () sourcefire 
> > com<https://mail.google.com/mail/u/0/?view=cm&fs=1&tf=1&to=jesler () sourcefire com>
> > <
> https://mail.google.com/mail/u/0/?view=cm&fs=1&tf=1&to=jesler () sourcefire com
> > >
> > wrote:
> >
> >     It seems that you are either:
> >
> >     A) Asking this for an assignment or
> >     B) Have no idea what you are asking.
> >
> >     What are you trying to accomplish.  What is your end goal?
> >
> >
> >     On Jul 18, 2013, at 12:55 PM, Mayur Patil <ram.nath241089 () gmail 
> > com<https://mail.google.com/mail/u/0/?view=cm&fs=1&tf=1&to=ram.nath241089 () gmail com>
> >     <
> https://mail.google.com/mail/u/0/?view=cm&fs=1&tf=1&to=ram.nath241089 () gmail com
> > >
> >     wrote:
> >
> > >     Hi Waldo,
> > >
> > >         Two of them which will take*less time and efficient *would be
> choice
> > >     for my work.
> > >         A preprocessor? GID:3 shared object rules?
> > >         Seeking for guidance,
> > >
> > >         Thanks !!
> > >
> > >          On Thu, Jul 18, 2013 at 8:50 PM, waldo kitty<
> wkitty42 () windstream net<https://mail.google.com/mail/u/0/?view=cm&fs=1&tf=1&to=wkitty42 () windstream net>
> > >         <
> https://mail.google.com/mail/u/0/?view=cm&fs=1&tf=1&to=wkitty42 () windstream net
> > > wrote:
> > >
> > >         On 7/18/2013 07:40, Mayur Patil wrote:
> > >         > Hi there,
> > >         >
> > >         >     First of all sorry for silly question.
> > >         >
> > >         >     I want to know what can I do in snort as coding part
> > >         >
> > >         >     which could be done in 4-5 days ??
> > >         >
> > >         >    Seeking for guidance,
> > >
> > >         coding what? a preprocessor? GID:3 shared object rules?
> > >
> > >         you have to be more specific...
------------------------------------------------------------------------------
See everything from the browser to the database with AppDynamics
Get end-to-end visibility with application monitoring from AppDynamics
Isolate bottlenecks and diagnose root cause in seconds.
Start your free trial of AppDynamics Pro today!
http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!