[Snort-devel] RE: Question - snort v2.9.6.0 rules

Eray Balkanli Eray.Balkanli at ...3489...
Fri Mar 7 09:41:33 EST 2014


I have just noticed that this e-mail could not be received by snort-devel at ...2969... since I used hotmail instead of dal.ca while sending it. I also kindly request the snort-devel team, besides Mr. Esler, to read my question in my previous e-mail and share their ideas with me.

As a summary, my question was why some rules (example below) were deleted over the years. What is the exact reference you are following while deciding to delete/exchange a rule?


# $Id: icmp.rules,v 1.27 2005/02/10 01:11:04 bmc Exp $

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect host"; icode:1; itype:5; reference:arachnids,135; reference:cve,1999-0265; classtype:bad-unknown; sid:472; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect net"; icode:0; itype:5; reference:arachnids,199; reference:cve,1999-0265; classtype:bad-unknown; sid:473; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Source Quench"; icode:0; itype:4; classtype:bad-unknown; sid:477; rev:2;)
alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication Administratively Prohibited"; icode:13; itype:3; classtype:misc-activity; sid:485; rev:4;)
alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited"; icode:10; itype:3; classtype:misc-activity; sid:486; rev:4;)
alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication with Destination Network is Administratively Prohibited"; icode:9; itype:3; classtype:misc-activity; sid:487; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet"; dsize:>800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:4;)

These rules are NOT observed in "protocol-icmp.rules" from snort-rules (why?)

# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.

I will be grateful if you reply to me.

Best regards,
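Added example, not from the thread or the Snort project: a small Python script that does by hand what the message above does by eye, parsing Snort rule lines, diffing two rule files by SID, and pulling the CVE years out of the reference options. The "old" sample is built from two rules quoted above; the "new" sample is a constructed, hypothetical later version.

```python
import re
# A rule is "action proto src sport dir dst dport (options)"; options are
# "key:value;" pairs, and a ';' inside a value is escaped as '\;'.
RULE_RE = re.compile(r'^(?:alert|log|pass|drop|reject|sdrop)\s+\S+\s+\S+\s+\S+'
                     r'\s+(?:->|<>)\s+\S+\s+\S+\s+\((?P<opts>.*)\)\s*$')
OPT_RE = re.compile(r'\s*(?P<key>[a-z_]+)(?::(?P<val>(?:\\;|[^;])*))?;')
# Constructed sample: two rules quoted in the thread as the "old" file and a
# hypothetical "new" file in which sid 472 was revised and sid 499 dropped.
OLD_RULES = """# $Id: icmp.rules,v 1.27 2005/02/10 01:11:04 bmc Exp $
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect host"; icode:1; itype:5; reference:arachnids,135; reference:cve,1999-0265; classtype:bad-unknown; sid:472; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet"; dsize:>800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:4;)
"""
NEW_RULES = """alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect host"; icode:1; itype:5; reference:cve,1999-0265; classtype:bad-unknown; sid:472; rev:5;)
"""

def parse_rule(line):
    """Return {'sid', 'rev', 'msg', 'refs'} for one rule line, else None."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    rule = {'rev': 1, 'refs': []}
    for o in OPT_RE.finditer(m.group('opts')):
        key, val = o.group('key'), (o.group('val') or '').strip()
        if key == 'reference':      # "cve,1999-0265" -> ('cve', '1999-0265')
            system, _, ident = val.partition(',')
            rule['refs'].append((system, ident))
        elif key == 'msg':
            rule['msg'] = val.strip('"')
        elif key in ('sid', 'rev'):
            rule[key] = int(val)
    return rule if 'sid' in rule else None

def load_rules(text):
    rules = {}   # sid -> parsed rule; comment and blank lines are skipped
    for line in text.splitlines():
        r = parse_rule(line) if line.strip() and not line.startswith('#') else None
        if r:
            rules[r['sid']] = r
    return rules

def diff_rulesets(old_text, new_text):
    """SIDs dropped between two versions, and SIDs whose rev changed."""
    old, new = load_rules(old_text), load_rules(new_text)
    removed = sorted(set(old) - set(new))
    revised = sorted(s for s in old if s in new and new[s]['rev'] != old[s]['rev'])
    return removed, revised

def cve_years(rule):
    """Years of a rule's CVE references: the 'from which year' the thread asks."""
    return sorted({int(i.split('-')[0]) for s, i in rule['refs'] if s == 'cve'})
```

Point it at real icmp.rules and protocol-icmp.rules files (read with open().read()) to list the SIDs that disappeared between 2.9.1 and 2.9.6.0 and the years of their CVE references.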

From: Eray Balkanlı <eraybalkanli at ...445...>
Sent: Thursday, 6 March 2014 13:34
To: Joel Esler (jesler); Eray Balkanli
Cc: snort-devel at lists.sourceforge.net
Subject: RE: [Snort-devel] Question - snort v2.9.6.0 rules


First of all, thank you very much for your interest and answer!

In order to be more clear, let me explain my question deeper.

Now, I am both using the ruleset from v2.9.1 and v2.9.6.0 and I see there are many changes between the rulesets, as supposed. When I check the "icmp.rules" and "icmp-info.rules" in 2.9.1, I observe there are lots of rules they contain. However, icmp.rules and icmp-info.rules are empty, including no rule, but I see protocol-icmp.rules there which contains some rules related to icmp packets. But, some rules have completely been deleted. For example:

icmp.rules (v2.9.1) contains: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet"; dsize:>800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:4;)

icmp-info.rules (v2.9.1) contains: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Sun Solaris"; dsize:8; itype:8; reference:arachnids,448; classtype:misc-activity; sid:381; rev:6;)

I cannot see these rules in protocol-icmp.rules (v2.9.6.0). And there are more rules which are observable in v2.9.1 but not in v2.9.6.0.

In this regard, may I ask why these rules were deleted? Could you please explain depending on which references you decide to delete the existing rules?

* You can find the rules I use "icmp.rules (v2.9.1), icmp-info.rules (v2.9.1) and protocol-icmp(" on the attachment of this mail.

I appreciate your kind interest. Thank you!

Best regards,

From: jesler at ...3461...
To: Eray.Balkanli at ...3489...
CC: snort-devel at lists.sourceforge.net; eraybalkanli at ...445...
Subject: Re: [Snort-devel] Question - snort v2.9.6.0 rules
Date: Tue, 4 Mar 2014 17:47:23 +0000

Within the rules we use a variety of references that you may look at to tell which vulnerabilities the rules cover, and from what year.  I encourage you to download the registered ruleset and grep through for “CVE” numbers, etc.

Joel Esler | Threat Intelligence Team Lead | Open Source Manager | Vulnerability Research Team

On Mar 4, 2014, at 12:07 PM, Eray Balkanli <Eray.Balkanli at ...3489...> wrote:


I am a graduate Computer Science student at Dalhousie University. I have been working on some network records by using the rules included in Snort v2.9.6.0. I have a question related to those rules; I will be grateful if you reply.

May I ask that for how many recent years the defined rules are based on? I mean, from which year the attack signatures of malicious packets have been regarded?

Thank you very much in advance!

Best regards,