[Snort-devel] Sig_id problem with preprocessor alerts?

Dirk Geschke Dirk_Geschke at ...802...
Sun Aug 18 15:06:05 EDT 2002


Hi all,

recently in the user mailing list I read something 
about problems with different IP addresses in the
alert message.

I now noticed a related problem:

Usually there is no signature ID (or event->sig_id) related to
these alerts. Consequently, for each of these alerts a new ID is
created within the database (AUTO_INCREMENT).

The signatures/rules are added to the database when they are 
first logged to the database.

So there is a high probability that the preprocessor alerts
(like portscan or NMAP-detection in stream4) can occupy one
of these signature IDs.

This will result in a possibly wrong relation between the signatures
and the alerts.

To clarify this with an example: If you see a lot of nmap scans 
from different IP addresses, then it is likely that an nmap
signature will be related to e.g. sid 110.

But sid 110 is also the "BACKDOOR netbus getinfo" rule. So if 
such an alarm is detected we will run into trouble inserting 
this rule into the database. This will result in a change of
the sid...

So one solution is to use a fixed alert message within each
preprocessor (no dynamic changes) to get a static signature
and additionally use a predefined sig_id for each such 
message.

And finally: It would be a big enhancement to first insert
all signatures into the database. This way we can omit all
the SELECT queries to check if the signature is already in
the database.

I worked with MySQL and noticed the database is sometimes
"hanging". I suspect this is caused by all these SELECT
statements. (MySQL is very good for writing, not for reading...)

To summarize it:

+ a sig_id for all possible preprocessor alerts would be fine
  (but this requires static alert messages...)
+ a process inserting all possible rules into the database
  before starting snort would be fine.
  (This can be done via snort when all rules are evaluated
  on startup or via a separate program/process. A switch in
  snort.conf or on the command line can be used to switch between
  the old behaviour of inserting signatures when they are
  detected by an alert and trusting that all signatures are in
  the database.)

Just some thoughts on this matter...

Best regards

Dirk
-- 
+------------------------------------------------------------+
| Dr. Dirk Geschke            | E-mail: geschke at ...1545...2...     |
| Gesellschaft fuer Netzwerk  | Tel.  : +49-(0)-89-991950-31 |
| und Unix Administration mbH | Fax   : +49-(0)-89-991950-99 |
| 85551 Kirchheim / Germany   | Raeter Stra/3e 26            |
+------------------------------------------------------------+
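
The collision described in this message, reproduced as an added example (not part of the original post and not Snort's own code). It uses a simplified one-table model in SQLite; the schema, the reserved ID 900001, the static message text and the sample scanner addresses are all assumptions made for illustration.

```python
import sqlite3

RULES = {110: "BACKDOOR netbus getinfo"}   # the rule named in the post
PORTSCAN_ID = 900001                       # hypothetical reserved sig_id
PORTSCAN_MSG = "portscan detected"         # hypothetical static message

def new_db():
    # Simplified stand-in for the signature table (assumed schema).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE signature ("
               "sig_id INTEGER PRIMARY KEY AUTOINCREMENT, sig_name TEXT UNIQUE)")
    return db

def log_alert(db, msg, sig_id=None):
    """Insert-on-first-alert: look the message up, add it if it is missing."""
    row = db.execute("SELECT sig_id FROM signature WHERE sig_name = ?",
                     (msg,)).fetchone()
    if row:
        return row[0]
    try:
        cur = db.execute("INSERT INTO signature VALUES (?, ?)", (sig_id, msg))
    except sqlite3.IntegrityError:
        # Requested ID already belongs to another message: take a fresh one.
        cur = db.execute("INSERT INTO signature (sig_name) VALUES (?)", (msg,))
    return cur.lastrowid

def lazy_run(n_scanners=200):
    """Dynamic preprocessor messages, no sig_id, nothing preloaded."""
    db = new_db()
    for i in range(1, n_scanners + 1):
        log_alert(db, f"portscan detected from 192.0.2.{i}")  # constructed
    rule_id = log_alert(db, RULES[110], sig_id=110)
    owner = db.execute(
        "SELECT sig_name FROM signature WHERE sig_id = 110").fetchone()[0]
    return rule_id, owner

def preloaded_run(n_scanners=200):
    """Rules and one static preprocessor signature inserted before any alert."""
    db = new_db()
    db.executemany("INSERT INTO signature VALUES (?, ?)",
                   list(RULES.items()) + [(PORTSCAN_ID, PORTSCAN_MSG)])
    scan_ids = {log_alert(db, PORTSCAN_MSG, PORTSCAN_ID)
                for _ in range(n_scanners)}
    rule_id = log_alert(db, RULES[110], sig_id=110)
    rows = db.execute("SELECT COUNT(*) FROM signature").fetchone()[0]
    return rule_id, scan_ids, rows

if __name__ == "__main__":
    print("lazy:     ", lazy_run())
    print("preloaded:", preloaded_run())
```

In the lazy run the rule ends up under a different ID while ID 110 points at a portscan message; in the preloaded run the rule keeps 110 and all scan alerts share one signature row.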




