Snort mailing list archives

Re: Local rules with same sids and snort works!


From: fatema bannatwala <fatema.bannatwala () gmail com>
Date: Wed, 9 Nov 2016 14:08:19 -0500

Thanks for the explanation!
That makes sense. :)



On Wed, Nov 9, 2016 at 1:59 PM, Joel Esler (jesler) <jesler () cisco com>
wrote:

I apologize, I believe I misspoke in saying it takes the “first SID” it
encounters with the same rev.  It’s obviously taking the *last* one it
read.  That’s my fault.

--
Joel Esler | Talos: Manager | jesler () cisco com

On Nov 9, 2016, at 1:58 PM, fatema bannatwala <fatema.bannatwala () gmail com>
wrote:

First and second in my local.rules file.
I thought Snort would read the local.rules file sequentially and hence
would encounter the rules sequentially at startup, so I was referring to
"first" as first in local.rules.

~]$ less local.rules
# ------------
# LOCAL RULES
# ------------
# This file intentionally does not come with signatures.  Put your local
# additions here.

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"HTTP Proxy
client detected"; flow: to_server,established; content:"X-Forwarded-";
http_header; reference:url,http://www.forensicswiki.org/wiki/Proxy_server;
classtype:policy-violation; sid:10001030; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"UDel Likely
Successful Generic Phish 2016-09-23"; flow:to_server,established;
content:"POST"; http_method; content:".php"; http_uri; content:"netid=";
depth:10; fast_pattern; http_client_body; content:"&pword="; distance:0;
classtype:trojan-activity; sid:10001030; rev:1;)


On Wed, Nov 9, 2016 at 1:52 PM, Joel Esler (jesler) <jesler () cisco com>
wrote:

You mean, “first” and “second” in the email?  Or first and second, *as
Snort encounters them in order on startup*?

--
Joel Esler | Talos: Manager | jesler () cisco com

On Nov 9, 2016, at 1:40 PM, fatema bannatwala <
fatema.bannatwala () gmail com> wrote:

Well, the rules have same rev numbers, and the order is like this:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"HTTP Proxy
client detected"; flow: to_server,established; content:"X-Forwarded-";
http_header; reference:url,http://www.forensicswiki.org/wiki/Proxy_server;
classtype:policy-violation; sid:10001030; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Custom Likely
Successful Generic Phish 2016-09-23"; flow:to_server,established;
content:"POST"; http_method; content:".php"; http_uri; content:"netid=";
depth:10; fast_pattern; http_client_body; content:"&pword="; distance:0;
classtype:trojan-activity; sid:10001030; rev:1;)

I only get alerts from the second one now, i.e. the phishing one, and haven't
gotten any alert triggered for the first rule.
Previously, when I had only the first rule, I used to get a lot of alerts
for people using proxies, but ever since the second rule got added I
realized that the first rule stopped triggering.

On Wed, Nov 9, 2016 at 1:28 PM, Joel Esler (jesler) <jesler () cisco com>
wrote:

You can have duplicate SIDS.  The rule with the highest rev will
override the lower rev rule, otherwise Snort will take the first rule it
gets to, and ignore the other one.

It’s been this way for several years.


--
Joel Esler | Talos: Manager | jesler () cisco com

On Nov 9, 2016, at 1:19 PM, fatema bannatwala <
fatema.bannatwala () gmail com> wrote:

Hi All,

Just realized that I have two rules in my local.rules file with the same
sid, and Snort works just fine!
I always had in my head that sids have to be unique, but today
when I was going through the local.rules file, I realized that someone from
our team had created a new rule and assigned it the same sid that a previous
rule had.
I couldn't catch it before because Snort was running just fine without
any complaints about duplicate sids.

Have I missed this change in the current (or 2.9) version of Snort, or is
it something else?

Quick points: I have local.rules enabled in snort.conf, and PulledPork
is not modifying anything regarding local rules, so they should get loaded
as is; and above all, I am getting alerts for one of the rules having the
duplicate sid, but no alerts for the other rule having the same sid.

Snort version - 2.9.8.3
barnyard version - 2-1.9
pulledpork - 0.7.0

Thanks,
Fatema.
------------------------------------------------------------------------------
Developer Access Program for Intel Xeon Phi Processors
Access to Intel Xeon Phi processor-based developer platforms.
With one year of Intel Parallel Studio XE.
Training and support from Colfax.
Order your platform today. http://sdm.link/xeonphi
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
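The behaviour described in this thread (duplicate SIDs load without any error; the higher rev wins, and on equal revs the rule Snort reads last silently shadows the earlier one) is easy to catch before the rules ever reach a sensor. The script below is an added example, not code from the thread or from the Snort project. It models the resolution policy exactly as stated in the thread, which you should treat as an assumption and confirm against your own Snort version's startup output; it also assumes gid 1 when a rule gives no gid and rev 0 when a rule gives no rev. Its sample input is constructed: the two rules posted above, plus an unrelated third rule, written with Snort-style backslash line continuations.

```python
import re

# Constructed sample local.rules content: the two rules from the thread
# (same sid, same rev) plus an unrelated rule, using Snort's backslash
# line-continuation so the parser has to join physical lines.
SAMPLE_RULES = r'''
# LOCAL RULES
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"HTTP Proxy client detected"; \
    flow:to_server,established; content:"X-Forwarded-"; http_header; \
    classtype:policy-violation; sid:10001030; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Custom Likely Successful Generic Phish 2016-09-23"; \
    flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; \
    content:"netid="; depth:10; fast_pattern; http_client_body; content:"&pword="; distance:0; \
    classtype:trojan-activity; sid:10001030; rev:1;)

alert tcp any any -> any any (msg:"Unrelated rule"; sid:10001031; rev:2;)
'''

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
REV_RE = re.compile(r'\brev\s*:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg\s*:\s*"([^"]*)"')


def logical_lines(text):
    """Yield (first_line_no, rule_text), joining backslash-continued lines
    and skipping blank lines and '#' comments, as a rules file is read."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not buf:
            if not line.strip() or line.lstrip().startswith('#'):
                continue
            start = n
        if line.endswith('\\'):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, ' '.join(s.strip() for s in buf)
        buf = []
    if buf:  # file ended on a continuation line
        yield start, ' '.join(s.strip() for s in buf)


def parse_rules(text):
    """Extract gid/sid/rev/msg for every rule, in file order."""
    rules = []
    for line_no, rule in logical_lines(text):
        sid = SID_RE.search(rule)
        if not sid:
            continue  # not a rule (or no sid at all); not our concern here
        rev = REV_RE.search(rule)
        gid = GID_RE.search(rule)
        msg = MSG_RE.search(rule)
        rules.append({
            'line': line_no,
            'gid': int(gid.group(1)) if gid else 1,   # assumption: default gid 1
            'sid': int(sid.group(1)),
            'rev': int(rev.group(1)) if rev else 0,   # assumption: missing rev -> 0
            'msg': msg.group(1) if msg else '',
        })
    return rules


def resolve_duplicates(rules):
    """Apply the policy described in the thread (an assumption about Snort):
    for each (gid, sid), the highest rev wins; on an equal rev the rule read
    last wins. Returns (kept, shadowed): kept maps (gid, sid) -> winning rule,
    shadowed lists every rule that would never fire."""
    kept, shadowed = {}, []
    for r in rules:
        key = (r['gid'], r['sid'])
        prev = kept.get(key)
        if prev is None or r['rev'] >= prev['rev']:
            if prev is not None:
                shadowed.append(prev)
            kept[key] = r
        else:
            shadowed.append(r)
    return kept, shadowed


def find_duplicates(text):
    """Parse a rules file's text and report which rules are shadowed."""
    return resolve_duplicates(parse_rules(text))


if __name__ == '__main__':
    kept, shadowed = find_duplicates(SAMPLE_RULES)
    for r in shadowed:
        k = kept[(r['gid'], r['sid'])]
        print(f"line {r['line']}: gid:{r['gid']} sid:{r['sid']} rev:{r['rev']} "
              f"\"{r['msg']}\" is shadowed by line {k['line']} rev:{k['rev']} \"{k['msg']}\"")
```

Run it against the real file with `find_duplicates(open('local.rules').read())`, or wire it into the step that runs after PulledPork and before the sensor reloads; on the sample input it reports the proxy rule on line 3 as shadowed by the phishing rule on line 7, which matches what the thread observed.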