[Snort-devel] FW: Question - snort v2.9.6.0 rules

Joel Esler (jesler) jesler at ...3461...
Mon Mar 10 16:18:51 EDT 2014


Eray,

I'll look into this. 

--
Joel Esler
Sent from my iPhone

> On Mar 9, 2014, at 17:31, "Eray Balkanli" <Eray.Balkanli at ...3489...> wrote:
> 
> Hi,
> 
> Are there any news related to this issue?
> 
> Best regards,
> Eray
>  
> From: Eray Balkanli
> Sent: Friday, 07 March 2014 10:41
> To: Eray Balkanlı; Joel Esler (jesler)
> Cc: snort-devel at lists.sourceforge.net
> Subject: RE: [Snort-devel] Question - snort v2.9.6.0 rules
>  
> Hi,
> 
> I have just noticed that this e-mail could not be received by snort-devel at ...2969... since I used hotmail instead of dal.ca while sending it. I also kindly request the snort-devel team, besides Mr. Esler, to read the question in my previous e-mail and share their ideas with me.
> 
> In summary, my question was why some rules (example below) have been deleted over the years. What is the exact reference you follow when deciding to delete/exchange a rule?
> 
> Example:
> # $Id: icmp.rules,v 1.27 2005/02/10 01:11:04 bmc Exp $
> alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect host"; icode:1; itype:5; reference:arachnids,135; reference:cve,1999-0265; classtype:bad-unknown; sid:472; rev:4;)
> alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect net"; icode:0; itype:5; reference:arachnids,199; reference:cve,1999-0265; classtype:bad-unknown; sid:473; rev:4;)
> alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Source Quench"; icode:0; itype:4; classtype:bad-unknown; sid:477; rev:2;)
> alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication Administratively Prohibited"; icode:13; itype:3; classtype:misc-activity; sid:485; rev:4;)
> alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited"; icode:10; itype:3; classtype:misc-activity; sid:486; rev:4;)
> alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication with Destination Network is Administratively Prohibited"; icode:9; itype:3; classtype:misc-activity; sid:487; rev:4;)
> alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet"; dsize:>800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:4;)
> 
> These rules are NOT observed in "protocol-icmp.rules" from snort-rules 2.9.6.0. (why?)
> 
> "
> # This file contains (i) proprietary rules that were created, tested and certified by
> # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
> # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
> # Sourcefire and other third parties (the "GPL Rules") that are distributed under the
> # GNU General Public License (GPL), v2.
> 
> "
> I will be grateful if you reply to me.
> 
> Best regards,
> Eray
>  
> From: Eray Balkanlı <eraybalkanli at ...445...>
> Sent: Thursday, 06 March 2014 13:34
> To: Joel Esler (jesler); Eray Balkanli
> Cc: snort-devel at lists.sourceforge.net
> Subject: RE: [Snort-devel] Question - snort v2.9.6.0 rules
>  
> Hi,
> 
> First of all, thank you very much for your interest and answer!
> 
> To be clearer, let me explain my question in more depth.
> 
> Now, I am using both the ruleset from v2.9.1 and the one from v2.9.6.0, and I see there are many changes between the rulesets, as expected. When I check "icmp.rules" and "icmp-info.rules" in 2.9.1, I observe that they contain lots of rules. However, in 2.9.6.0 icmp.rules and icmp-info.rules are empty, containing no rules, but I see protocol-icmp.rules there, which contains some rules related to ICMP packets. But some rules have been completely deleted. For example:
> 
> icmp.rules (v2.9.1) contains: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet"; dsize:>800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:4;)
> 
> icmp-info.rules (v2.9.1) contains: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Sun Solaris"; dsize:8; itype:8; reference:arachnids,448; classtype:misc-activity; sid:381; rev:6;)
> 
> I cannot see these rules in protocol-icmp.rules (v2.9.6.0). And there are more rules which are present in v2.9.1 but not in v2.9.6.0.
> 
> In this regard, may I ask why these rules were deleted? Could you please explain on the basis of which references you decide to delete existing rules?
> 
> * You can find the rules I use, "icmp.rules (v2.9.1), icmp-info.rules (v2.9.1) and protocol-icmp (2.9.6.0)", in the attachment to this mail.
> 
> I appreciate your kind interest. Thank you!
> 
> Best regards,
> Eray
> 
> From: jesler at ...3461...
> To: Eray.Balkanli at ...3489...
> CC: snort-devel at lists.sourceforge.net; eraybalkanli at ...445...
> Subject: Re: [Snort-devel] Question - snort v2.9.6.0 rules
> Date: Tue, 4 Mar 2014 17:47:23 +0000
> 
> Within the rules we use a variety of references that you may look at to tell which vulnerabilities the rules cover, and from what year.  I encourage you to download the registered ruleset and grep through for “CVE” numbers, etc.   
> 
> --
> Joel Esler | Threat Intelligence Team Lead | Open Source Manager | Vulnerability Research Team
> 
> On Mar 4, 2014, at 12:07 PM, Eray Balkanli <Eray.Balkanli at ...3489...> wrote:
> 
> Hi,
> 
> I am a graduate Computer Science student at Dalhousie University. I have been working on some network records by using the rules included in Snort v2.9.6.0. I have a question related to those rules; I will be grateful if you reply.
> 
> May I ask how many recent years the defined rules are based on? I mean, from which year onward have the attack signatures of malicious packets been considered?
> 
> Thank you very much in advance!
> 
> Best regards,
> Eray
> ------------------------------------------------------------------------------
> Subversion Kills Productivity. Get off Subversion & Make the Move to Perforce.
> With Perforce, you get hassle-free workflows. Merge that actually works. 
> Faster operations. Version large binaries.  Built-in WAN optimization and the
> freedom to use Git, Perforce or both. Make the move to Perforce.
> http://pubads.g.doubleclick.net/gampad/clk?id=122218951&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
> 
> Please visit http://blog.snort.org for the latest news about Snort!
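The comparison Eray describes (which sids vanished between two rule files) and the "grep for CVE numbers" Joel suggests, done as an added example; this is not part of the thread and not Snort's own tooling. It is a small Python script that parses Snort 2.x rule lines (header, then key:value; options), diffs two rulesets by sid and rev, and buckets the CVE references by year. The "old" rules are the lines quoted in the thread; the "new" set is constructed for illustration, it is not the real protocol-icmp.rules, and the local sid 1000001 is made up. One caveat the script encodes: a rule missing from a file's active rules may be shipped commented out ("# alert ...") rather than deleted, so the loader can keep those and flag them as disabled before you conclude a signature was removed.

```python
"""Added example (not Snort's own code): parse Snort 2.x rule lines, diff two
rulesets by sid, and list the CVE years the rules reference."""
import re
from collections import defaultdict

# Rule header: action proto src sport dir dst dport (options)
_HEADER = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')
# Option pairs "key:value;" or bare "key;".  A quoted value (msg, content) may
# itself contain ';' or an escaped quote, so quoted strings are matched first.
_OPTION = re.compile(r'([A-Za-z_]+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')
# A rule shipped disabled ("# alert ...") rather than deleted from the file.
_DISABLED = re.compile(r'^#\s*(?=(?:alert|log|pass|drop|reject|sdrop)\s)')

def parse_rule(line):
    """Parse one rule line into a dict; None for comments and blank lines."""
    line = line.strip()
    if not line or line.startswith('#'):
        return None
    m = _HEADER.match(line)
    if not m:
        raise ValueError('not a Snort rule: %r' % line)
    rule = {k: m.group(k) for k in ('action', 'proto', 'src', 'sport', 'dir', 'dst', 'dport')}
    rule['references'], rule['options'] = [], {}
    for key, val in _OPTION.findall(m.group('opts')):
        val = val.strip()
        if key == 'reference':                      # reference:scheme,id
            scheme, _, ident = val.partition(',')
            rule['references'].append((scheme.strip().lower(), ident.strip()))
        elif key in ('sid', 'rev'):
            rule[key] = int(val)
        else:
            rule['options'][key] = val.strip('"')   # itype, icode, dsize, msg, ...
    if 'sid' not in rule:
        raise ValueError('rule without sid: %r' % line)
    rule.setdefault('rev', 1)
    return rule

def load_rules(text, include_disabled=False):
    """Map sid -> rule.  With include_disabled=True, '# alert ...' lines are
    loaded too and flagged enabled=False, so a switched-off rule is not
    mistaken for a removed one."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        disabled = bool(_DISABLED.match(line))
        if disabled and include_disabled:
            line = _DISABLED.sub('', line, count=1)
        rule = parse_rule(line)
        if rule:
            rule['enabled'] = not disabled
            rules[rule['sid']] = rule
    return rules

def diff_rulesets(old, new):
    """Return (sids removed, sids added, sids kept with a different rev)."""
    removed = sorted(set(old) - set(new))
    added = sorted(set(new) - set(old))
    changed = sorted(s for s in set(old) & set(new) if old[s]['rev'] != new[s]['rev'])
    return removed, added, changed

def cve_years(rules):
    """year -> sorted distinct CVE ids referenced (structured 'grep for CVE')."""
    by_year = defaultdict(set)
    for rule in rules.values():
        for scheme, ident in rule['references']:
            if scheme == 'cve':
                ident = ident.upper()
                if ident.startswith('CVE-'):        # some rules write CVE-YYYY-NNNN
                    ident = ident[4:]
                by_year[int(ident.split('-')[0])].add(ident)
    return {y: sorted(ids) for y, ids in sorted(by_year.items())}

# Rule lines quoted in the thread (icmp.rules / icmp-info.rules, v2.9.1).
OLD_RULES = """\
# $Id: icmp.rules,v 1.27 2005/02/10 01:11:04 bmc Exp $
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect host"; icode:1; itype:5; reference:arachnids,135; reference:cve,1999-0265; classtype:bad-unknown; sid:472; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect net"; icode:0; itype:5; reference:arachnids,199; reference:cve,1999-0265; classtype:bad-unknown; sid:473; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Source Quench"; icode:0; itype:4; classtype:bad-unknown; sid:477; rev:2;)
alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication Administratively Prohibited"; icode:13; itype:3; classtype:misc-activity; sid:485; rev:4;)
alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited"; icode:10; itype:3; classtype:misc-activity; sid:486; rev:4;)
alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication with Destination Network is Administratively Prohibited"; icode:9; itype:3; classtype:misc-activity; sid:487; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet"; dsize:>800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Sun Solaris"; dsize:8; itype:8; reference:arachnids,448; classtype:misc-activity; sid:381; rev:6;)
"""

# Constructed stand-in for a newer file (NOT the real protocol-icmp.rules):
# 472 unchanged, 473 revised, 477 shipped disabled, the rest gone, one made-up local rule.
NEW_RULES = """\
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect host"; icode:1; itype:5; reference:arachnids,135; reference:cve,1999-0265; classtype:bad-unknown; sid:472; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect net"; icode:0; itype:5; reference:arachnids,199; reference:cve,1999-0265; classtype:bad-unknown; sid:473; rev:5;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Source Quench"; icode:0; itype:4; classtype:bad-unknown; sid:477; rev:2;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL ICMP timestamp request"; itype:13; classtype:misc-activity; sid:1000001; rev:1;)
"""

if __name__ == '__main__':
    old = load_rules(OLD_RULES)
    new = load_rules(NEW_RULES, include_disabled=True)
    removed, added, changed = diff_rulesets(old, new)
    print('removed:', removed, '| added:', added, '| rev changed:', changed)
    print('present but disabled:', [s for s in new if not new[s]['enabled']])
    print('CVE years referenced (old):', cve_years(old))
```

To use it on real files, feed load_rules() the text of the two rule files you actually have (icmp.rules and icmp-info.rules on one side, protocol-icmp.rules on the other) and compare the "removed" list with and without include_disabled=True. Only reference:cve entries carry a year; bugtraq, arachnids and nessus ids do not, so the year histogram describes the CVE-backed subset of the ruleset, not the age of every signature.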